SQL Database Cannot Be Properly Accessed Due to the Lack of the Persistent Connection

Publication Date: 2019-01-22

Issue Description

As shown in the following figure, a USG firewall is deployed between the SQL database server and users to protect the server.

At the beginning, users can access the SQL database properly. After a period of time, the access becomes slow or the application program reports errors.

Handling Process

Capture and analyze the packets passing through the USG. The capture shows that the interval between two access packets exceeds 600 seconds. By default, an SQL session on the USG ages out after 600 seconds. That is, after an SQL session is established, if no packet matches the session within 600 seconds, the USG ages out the session. User applications are unaware of session aging. When a user sends data again, the USG reestablishes a session, so the user access is delayed. If the delay exceeds the tolerance of an application program, the application program reports an error.
In this case, you need to configure a persistent connection on the USG so that the session does not age out for a relatively long period of time.
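
The capture analysis described above, as an added example that is not part of the original case: it groups captured packets by connection, lists idle gaps longer than the 600-second session aging time, and flags gaps that would also outlive the 168-hour default persistent-connection aging time. The packet tuple layout, the addresses and the use of TCP port 1521 for sqlnet are assumptions made for the constructed sample data.

```python
from collections import defaultdict

SESSION_AGING = 600            # default SQL session aging on the USG, in seconds (from the case)
LONG_LINK_AGING = 168 * 3600   # default persistent-connection aging, in seconds (from the case)

def flow_key(src, sport, dst, dport):
    """Order the endpoints so both directions of a connection share one key."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def find_idle_gaps(packets, aging=SESSION_AGING, long_link=LONG_LINK_AGING):
    """Return one dict per idle gap that outlives the session aging time.

    packets: iterable of (timestamp_seconds, src_ip, src_port, dst_ip, dst_port),
    a hypothetical layout for records exported from a capture.
    """
    by_flow = defaultdict(list)
    for ts, src, sport, dst, dport in packets:
        by_flow[flow_key(src, sport, dst, dport)].append(ts)

    gaps = []
    for flow, stamps in by_flow.items():
        stamps.sort()  # merged captures may be out of order
        for prev, cur in zip(stamps, stamps[1:]):
            idle = cur - prev
            if idle > aging:
                gaps.append({
                    "flow": flow,
                    "idle_from": prev,
                    "idle_seconds": idle,
                    # a gap longer than the long-link aging time still ages out
                    "covered_by_long_link": idle <= long_link,
                })
    return sorted(gaps, key=lambda g: (g["flow"], g["idle_from"]))

# Constructed sample capture (documentation address ranges, port 1521 assumed for sqlnet).
SAMPLE = [
    (0,      "192.0.2.10", 50001, "198.51.100.5", 1521),
    (1,      "198.51.100.5", 1521, "192.0.2.10", 50001),
    (905,    "192.0.2.10", 50001, "198.51.100.5", 1521),  # 904 s idle: session aged out
    (10,     "192.0.2.11", 50002, "198.51.100.5", 1521),
    (400,    "192.0.2.11", 50002, "198.51.100.5", 1521),  # 390 s idle: session still alive
    (700000, "192.0.2.11", 50002, "198.51.100.5", 1521),  # idle longer than 168 hours
]

if __name__ == "__main__":
    for gap in find_idle_gaps(SAMPLE):
        print(gap)
```

The flows it reports are the ones the persistent-connection ACL needs to match, which helps keep the matching conditions narrow.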

Root Cause

Session aging on the USG delays or even interrupts SQL access. As a result, user access to the SQL database is delayed or an application program that uses the database service reports an error.


1. Configure an ACL to match the packets that need to hold the session for a long time.
Persistent connections are stored on the USG for a long time. If there are many persistent connections, the USG performance will be affected. Therefore, the matching conditions must be accurate.
Assume that the source IP address of the user is
acl number 3998
rule 0 permit tcp destination-port eq sqlnet
rule 5 permit ip source 0

2. Enable the persistent connection function in the interzone.
The default aging time of persistent connections is 168 hours. To change it, run the firewall long-link aging-time aging-time command, where the second aging-time is the value to set.
Assume that the user is in the trust zone and the SQL database server is in the untrust zone.
firewall interzone trust untrust
firewall long-link 3998 outbound