
Solution to SQL connection errors that occur when the USG5320 firewall is used

Publication Date:  2012-09-14  |   Views:  572  |   Downloads:  0  |   Author:  w00226954  |   Document ID:  EKB1000014719


Issue Description

A USG5320 firewall is deployed between the server group and the user area to protect the servers. Users connect to the SQL database through the firewall. After a connection has been open for a period of time, access becomes slow during data transmission, or the application that uses the changed data service reports an error.

Alarm Information


Handling Process

Use an ACL to match the traffic whose sessions must be kept for a long time.
For example:
acl number 3998
rule 0 permit tcp destination-port eq sqlnet
rule 5 permit ip source 0

Enable the long connection (long-link) function in the direction of the data transfer:
firewall interzone trust untrust
firewall long-link 3998 inbound
firewall long-link 3998 outbound

After a session matches the long connection rule, it is kept for 7 * 24 hours. If data passes through the session during this time, the session timer is refreshed to 7 * 24 hours.

Root Cause

Packet captures and the detailed real-time session information on the firewall were analyzed. The results are as follows:
The firewall's default session hold time for SQL connections is 600 seconds. If the session receives no new data within 600 seconds, it is cleared. The client application has no way of knowing that the session on the firewall has been cleared. When the user sends data over the connection again, the session no longer exists, so the firewall creates a new session and the user experiences a long delay. If the application has requirements on data transmission delay, this may lead to an application error.


Before implementation, find out the user's application requirements, especially those of database applications. Long connection sessions are kept for a long time, so if too many sessions match the long connection rule, firewall performance is affected. Match the sessions as precisely as possible.
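The aging behaviour described under Root Cause and the advice to match precisely can be reproduced with a small session-table model. This is an added example, not Huawei code; it assumes the sqlnet keyword means TCP port 1521, and the flows, addresses and the broad port set are constructed.

```python
DEFAULT_AGING = 600                # seconds; default SQL session hold time stated above
LONG_LINK_AGING = 7 * 24 * 3600    # 7 * 24 hours; long connection hold time stated above
SQLNET_PORT = 1521                 # assumption: TCP port behind the "sqlnet" keyword

class SessionTable:
    def __init__(self, long_link_ports=()):
        self.long_link_ports = set(long_link_ports)  # ports matched by the long-link ACL
        self.sessions = {}                           # flow tuple -> expiry time

    def _aging(self, flow):
        return LONG_LINK_AGING if flow[3] in self.long_link_ports else DEFAULT_AGING

    def retained(self, now):
        """Age out idle sessions, then return how many are still held."""
        self.sessions = {f: exp for f, exp in self.sessions.items() if exp > now}
        return len(self.sessions)

    def packet(self, flow, now):
        """Return 'hit' if a live session matched, 'new' if one had to be created."""
        self.retained(now)
        result = "hit" if flow in self.sessions else "new"
        self.sessions[flow] = now + self._aging(flow)  # traffic refreshes the timer
        return result

def replay(table, flow, send_times):
    """Send one packet of the flow at each time and record hit/new per packet."""
    return [table.packet(flow, t) for t in send_times]

# Constructed sample: one database client that goes idle for 900 s (300 -> 1200).
DB_FLOW = ("192.0.2.10", 50000, "198.51.100.20", SQLNET_PORT)
WEB_FLOWS = [("192.0.2.11", 50001, "198.51.100.21", 80),
             ("192.0.2.12", 50002, "198.51.100.22", 443)]
SEND_TIMES = [0, 300, 1200, 1300]

def held_after_one_hour(long_link_ports):
    """Open all sample flows at t=0 and count sessions still held at t=3600."""
    table = SessionTable(long_link_ports)
    for flow in [DB_FLOW] + WEB_FLOWS:
        table.packet(flow, 0)
    return table.retained(3600)

if __name__ == "__main__":
    print("default  :", replay(SessionTable(), DB_FLOW, SEND_TIMES))
    print("long-link:", replay(SessionTable({SQLNET_PORT}), DB_FLOW, SEND_TIMES))
    print("held, precise match:", held_after_one_hour({SQLNET_PORT}))
    print("held, broad match  :", held_after_one_hour({SQLNET_PORT, 80, 443}))
```

With the default timer the packet sent after the 900-second gap finds no session, while the long connection rule keeps it; the broad match also pins the two unrelated flows in the table.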