Resolving the SQL connection errors that appear when a USG5320 firewall sits in the path

Publication Date:  2012-09-14 Views:  115 Downloads:  0
Issue Description
A USG5320 firewall is deployed between the server group and the user area to protect the servers. Users connect to the SQL database through the firewall. After the connection has been open for a while, data transfer becomes slow or the application that uses the data service reports an error.
Alarm Information
None
Handling Process
Define an ACL that matches the traffic whose sessions must be kept for a long time. For example:
acl number 3998
rule 0 permit tcp destination-port eq sqlnet
rule 5 permit ip source 192.168.1.100 0


Then enable long connections for that ACL in the direction of the data transfer in the relevant interzone:
firewall interzone trust untrust
firewall long-link 3998 inbound
firewall long-link 3998 outbound


Once a session matches the long-connection ACL, it is kept for 7 * 24 hours. Whenever data passes through the session during that time, its aging timer is reset to 7 * 24 hours.
Root Cause
Packet captures were analysed together with detailed information from the firewall's real-time session table. The analysis showed the following:
By default, the firewall keeps an SQL connection session for 600 seconds. If no new data arrives on the session within 600 seconds, the session is cleared. The client application cannot know that the session has been cleared on the firewall, so when it sends data on the connection again the session no longer exists and the firewall has to create a new one. The user experiences this as a large delay, and if the application has strict requirements on data transmission delay, it can result in an application error.
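The following Python model, added here as an illustration and not Huawei code, replays a constructed packet timeline through a simplified session table to show the root cause above (the 600 s default aging) and the effect of the long-link ACL from the Handling Process (7 * 24 h aging). It assumes sqlnet is TCP port 1521; the ACL rules, timers and client address are taken from this article.

```python
"""Simplified USG session aging: default 600 s vs. long-link 7*24 h (constructed model)."""
from typing import Dict, List, Optional, Tuple

DEFAULT_SESSION_TIMEOUT = 600        # seconds, default SQL session aging time (article)
LONG_LINK_TIMEOUT = 7 * 24 * 3600    # seconds, aging time after long-link match (article)
SQLNET_PORT = 1521                   # assumption: "sqlnet" resolves to TCP 1521

# acl number 3998 from the article, expressed as structured rules
ACL_3998 = [
    {"proto": "tcp", "dport": SQLNET_PORT},   # rule 0 permit tcp destination-port eq sqlnet
    {"proto": "ip", "src": "192.168.1.100"},  # rule 5 permit ip source 192.168.1.100 0
]

Packet = Tuple[float, str, str, str, int]  # (time, proto, src, dst, dport)

def acl_matches(pkt: Packet, acl) -> bool:
    """True if any rule permits the packet ('ip' rules match every protocol)."""
    _, proto, src, _, dport = pkt
    for rule in acl:
        if rule["proto"] not in ("ip", proto):
            continue
        if "dport" in rule and rule["dport"] != dport:
            continue
        if "src" in rule and rule["src"] != src:
            continue
        return True
    return False

def simulate(packets: List[Packet], long_link_acl: Optional[list] = None) -> Tuple[int, List[float]]:
    """Replay time-ordered packets. Returns (sessions created, times at which an
    aged-out session had to be re-created, i.e. where the user sees the delay)."""
    table: Dict[tuple, float] = {}   # flow key -> expiry time
    created, recreated = 0, []
    for pkt in packets:
        t, proto, src, dst, dport = pkt
        key = (proto, src, dst, dport)
        long = long_link_acl is not None and acl_matches(pkt, long_link_acl)
        timeout = LONG_LINK_TIMEOUT if long else DEFAULT_SESSION_TIMEOUT
        expiry = table.get(key)
        if expiry is None or t > expiry:   # no session yet, or it has aged out
            if expiry is not None:
                recreated.append(t)
            created += 1
        table[key] = t + timeout           # create or refresh the session
    return created, recreated

# Constructed timeline: client opens the SQL connection, then idles for 900 s (> 600 s)
TIMELINE: List[Packet] = [
    (0.0,   "tcp", "192.168.1.100", "10.0.0.5", SQLNET_PORT),
    (30.0,  "tcp", "192.168.1.100", "10.0.0.5", SQLNET_PORT),
    (930.0, "tcp", "192.168.1.100", "10.0.0.5", SQLNET_PORT),  # session already cleared
    (950.0, "tcp", "192.168.1.100", "10.0.0.5", SQLNET_PORT),
]

if __name__ == "__main__":
    print("default  :", simulate(TIMELINE))            # (2, [930.0])
    print("long-link:", simulate(TIMELINE, ACL_3998))  # (1, [])
```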
Suggestions
Understand the user's application requirements, especially for database applications, before implementation. Long connections are kept for a long time, so if too many sessions match the long-connection ACL, firewall performance will suffer. Make the ACL that matches these sessions as precise as possible.

END