HPE Community
Operating System - HP-UX
1844077 Members
3453 Online
110227 Solutions
New Discussion

dmzdns routing

 
SOLVED
Go to solution
lastgreatone
Regular Advisor

‎07-04-2002 10:38 AM

‎07-04-2002 10:38 AM

dmzdns routing

Our org have migrated ports at the dmzdns for oracle apps, but is not completely implemented. I see an unusual high number of TIME_WAIT and subsequent FIN_WAIT on the web server. It appears to me as a dns routing issue since requests for the oracle app server have to be redirected inside the firewall and out again, so ports 80 and 1526 migrating to 1521. Anyone experience this? if so, any enlightenment is apreciated. TIA
0 Kudos
Reply
3 REPLIES 3
Steven Sim Kok Leong
Honored Contributor

‎07-04-2002 08:12 PM

‎07-04-2002 08:12 PM

Re: dmzdns routing

Hi,

The OAS (Oracle Application Server) will connect to the backend Oracle database via the NET8 or sqlnet (as known in older releases). NET8/sqlnet uses a DBA-defined destination port number e.g. 1521 or 1526 etc where the ORacle listener listens at for new connections.

If your OAS sits outside the firewall and the Oracle database server within the firewall, then the firewall simply needs to open up INBOUND access from the OAS to the Oracle database server for destination service port TCP/1521 or TCP/1526 (depending on the port number you define in listener.ora at the Oracle database end).

For best security practices, at your OAS, you should hardcode the name resolution of your Oracle database server in /etc/hosts and make sure that the name resolution order uses files followed by dns in /etc/nsswitch.conf:

hosts: files [NOTFOUND=continue] dns

In this way, even if your DNS is not functioning properly or has been compromised such as DNS cache poisoning etc, your OAS will still connect without fail to the Oracle database server at the backend behind the firewall.

If your OAS is behind a firewall, you will need to open up OAS ports (usually a set of high numbered ports in addition to port 80 and 443) at the firewall. If you are unsure, monitor the firewall log for drop or rejected packets and identify the destination port used in the drop or rejected packets.

For connections to the OAS, if the clients have been abruptly disconnecting their web browsers after access, then FIN_WAIT_2 connections are likely to built up over time. You can shorten the FIN_WAIT_2 and TIME_WAIT by using the ndd command to modify some of the parameters in HP-UX.

For the list of configurable parameters,

# ndd -h supported
# ndd -h unsupported

A parameter you might want to take a close look at as well is tcp_keepalive_interval. This is the interval your connection will be kept alive when the client has dropped connection. Default is 2 hours.

Hope this helps. Regards.

Steven Sim Kok Leong
Reply
lastgreatone
Regular Advisor

‎07-05-2002 05:06 AM

‎07-05-2002 05:06 AM

Re: dmzdns routing

If I add the nsswitch.conf how is it resolved since the OAS and the OAD are on different segments?

In answer to your question, the logs spawned error: HTTP/1.0 503 386 =(Service unavailable due to a temporary overload) and I believe this has to do with the excessive TIME_WAITS related to the dmzdns. Request comes in on port 80 and routed back to the dmzdns which routes back in to the OAD on port 1526 and returns with the error.

TIA
0 Kudos
Reply
Steven Sim Kok Leong
Honored Contributor

‎07-05-2002 11:54 PM

‎07-05-2002 11:54 PM

Solution

Re: dmzdns routing

Hi,

>> If I add the nsswitch.conf how is it resolved since the OAS and the OAD are on different segments?

If you use nsswitch.conf, the hostname of the OAD will be resolved based on the /etc/hosts residing on your OAS.

Your /etc/hosts on OAS:

1.2.3.4 OAD_hostname

This removes your dependency on the DNS to resolve your OAD_hostname i.e. even when your DNS servers specified in your /etc/resolv.conf are unavailable (or unaccessible), your OAS can still communicate with your OAD.

Hope this helps. Regards.

Steven Sim Kok Leong
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.