Customer cannot visit SQL database normally because no long link was configured on USG5300

Publication Date: 2013-12-12
Issue Description
End users can visit the SQL database normally at first, but later access becomes very slow or the application program even reports an error.
Alarm Information
NONE 
Handling Process
1. Configure an ACL to match the target packets. Here we assume the client source IP is 10.1.1.1/32.
    acl number 3000
    rule 0 permit tcp destination-port eq sqlnet
    rule 5 permit ip source 10.1.1.1 0
2. Enable the long-link function in the inter-zone.
    firewall interzone trust untrust
    firewall long-link 3000 outbound

Notes: 1. The long-link function has some impact on USG performance, so do not configure too many long-link entries.
       2. The default aging time for long-link is 168 hours.
Root Cause
By capturing and analyzing packets on the USG5300, we found that the interval between application packets sent from the client side exceeded 600 seconds. The aging time of the SQL session configured on the USG5300 is 600 seconds, that is, once the firewall has built the SQL session, if no other SQL packets match that session within 600 seconds, the session expires. When the client sends packets again, the device must initialize the same session anew, which introduces a noticeable delay and degrades the user experience; moreover, if the application program is time-sensitive, it reports an error. In this situation, we need to configure the long-link function so that the SQL session is not aged out for a long period.
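To reproduce the packet-interval analysis described above on a captured flow list, here is an added example (not part of the original case) that measures idle gaps per client-to-server flow and counts how many times the firewall would have to rebuild the session under the 600-second SQL aging timer versus the 168-hour long-link timer. It assumes sqlnet means TCP port 1521 and uses a constructed packet list with a hypothetical server address 10.2.2.20.

```python
from collections import defaultdict

SQLNET_PORT = 1521             # assumption: the "sqlnet" keyword matches Oracle SQL*Net on TCP 1521
DEFAULT_AGING = 600            # SQL session aging time stated in the root cause (seconds)
LONG_LINK_AGING = 168 * 3600   # default long-link aging time stated in the notes (seconds)

# Constructed sample: (epoch seconds, src_ip, dst_ip, dst_port) for packets seen
# from the client 10.1.1.1 toward a hypothetical SQL server 10.2.2.20.
SAMPLE_PACKETS = [
    (0,    "10.1.1.1", "10.2.2.20", 1521),
    (30,   "10.1.1.1", "10.2.2.20", 1521),
    (700,  "10.1.1.1", "10.2.2.20", 1521),   # 670 s idle: session already aged out at 600 s
    (720,  "10.1.1.1", "10.2.2.20", 1521),
    (2000, "10.1.1.1", "10.2.2.20", 1521),   # 1280 s idle: aged out again
    (2100, "10.1.1.1", "10.2.2.20", 80),     # unrelated HTTP traffic, not a SQL flow
]


def idle_gaps(packets, dport=SQLNET_PORT):
    """Per (src, dst, dport) flow, return the idle intervals in seconds between consecutive packets."""
    by_flow = defaultdict(list)
    for t, src, dst, port in sorted(packets):
        if port == dport:
            by_flow[(src, dst, port)].append(t)
    return {flow: [b - a for a, b in zip(ts, ts[1:])] for flow, ts in by_flow.items()}


def max_idle(packets, dport=SQLNET_PORT):
    """Longest idle interval across all SQL flows; compare it against the aging timer."""
    return max((g for gaps in idle_gaps(packets, dport).values() for g in gaps), default=0)


def session_rebuilds(packets, aging_seconds, dport=SQLNET_PORT):
    """Count idle gaps longer than the aging timer: each one forces the firewall to
    drop the session and rebuild it on the next packet, the delay the case describes."""
    return sum(sum(1 for g in gaps if g > aging_seconds)
               for gaps in idle_gaps(packets, dport).values())


if __name__ == "__main__":
    print("longest idle gap (s):", max_idle(SAMPLE_PACKETS))
    print("rebuilds with 600 s aging:", session_rebuilds(SAMPLE_PACKETS, DEFAULT_AGING))
    print("rebuilds with long-link aging:", session_rebuilds(SAMPLE_PACKETS, LONG_LINK_AGING))
```

A rebuild count above zero at the 600-second timer with zero at the long-link timer is the signature of this case; the timestamps can be taken from the packet capture on the USG5300.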
Suggestions
If SQL session aging causes the service to go down or the server to be accessed slowly, refer to this case and configure the long-link function.
