FortiGate
Article Id 196900

Description

This article describes how to resolve issues where Oracle sessions time out after a few minutes, even after the session_ttl value on TCP port 1521 has been increased to 3600 seconds.

Scope

All FortiGates.

Solution

TCP port 1521 is Oracle’s TNS listener port, which is how a client establishes an initial session to the server.

The server may then issue a REDIRECT command to the client, telling it to reconnect to another dynamically selected TCP port.

The new TCP port will be dynamically opened by the FortiGate due to the pre-configured 'session helper'.

The session_ttl value applied to this new port is based on the default session_ttl value (which can be lower than 3600 seconds).

When this newly established session times out, the client-server session stops.

There are a number of options to correct this issue:

  • Configure the Oracle server to not issue the REDIRECT command. This will effectively keep sessions on port 1521.
  • Configure the Oracle server to use pre-defined REDIRECT port(s). The predefined ports can then be configured manually on the FortiGate with longer session_ttl values.
  • Increase the default session_ttl value of the FortiGate, so that any dynamically opened ports will use this value.

Note: In the most recent versions of Oracle DB, the REDIRECT packet is no longer sent, and all of the connectivity is done over TCP port 1521. In these cases, consider deleting the TNS session helper, which will greatly reduce the FortiGate CPU utilization:

config system session-helper
    edit 4
        set name tns
        set protocol 6
        set port 1521
    next

It is usually the 4th entry under 'config system session-helper', as shown above.

To delete it, run the following commands:

config system session-helper
    delete 4
end
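
The TTL mismatch described above can be checked offline against a configuration backup. The following Python script is an added example, not part of the original article or Fortinet tooling: the backup excerpt is constructed, the function names settings and audit_tns are hypothetical, and it assumes per-port timeouts are stored under 'config system session-ttl' / 'config port' as in the sample.

```python
# Constructed FortiOS backup excerpt (sample data, not from the article).
SAMPLE = """
config system session-ttl
    set default 300
    config port
        edit 1
            set protocol 6
            set timeout 3600
            set start-port 1521
            set end-port 1521
        next
    end
end
config system session-helper
    edit 4
        set name tns
        set protocol 6
        set port 1521
    next
end
"""

def settings(config):
    """Flatten 'set' lines into (config path, entry id, key, value) tuples."""
    stack, entry, rows = [], None, []
    for word, *rest in (ln.split() for ln in config.splitlines() if ln.strip()):
        if word == "config":
            stack.append(" ".join(rest))
        elif word == "end" and stack:
            stack.pop()
        elif word in ("edit", "next"):
            entry = rest[0] if word == "edit" else None
        elif word == "set" and len(rest) >= 2:
            rows.append((tuple(stack), entry, rest[0], rest[1]))
    return rows

def audit_tns(config, port=1521):
    rows, ttl, ports = settings(config), ("system session-ttl",), {}
    default = next((int(v) for p, _, k, v in rows if p == ttl and k == "default"), None)
    for p, e, k, v in rows:
        if p == ttl + ("port",) and v.isdigit():
            ports.setdefault(e, {})[k] = int(v)
    pinned = next((d["timeout"] for d in ports.values() if "timeout" in d
                   and d.get("start-port", 0) <= port <= d.get("end-port", 0)), None)
    helper = next((e for p, e, k, v in rows
                   if p == ("system session-helper",) and (k, v) == ("name", "tns")), None)
    # Ports opened by the helper after a REDIRECT only receive the default TTL.
    short = None not in (default, pinned, helper) and default < pinned
    return {"default_ttl": default, "port_ttl": pinned, "helper_id": helper, "expires_early": short}
```

If 'set default' is absent from the backup, no comparison is made and expires_early is reported as False.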