|
TCP port 1521 is Oracle’s TNS listener port, which is used by a client to establish an initial session with the server.
The server may then issue a REDIRECT command to the client, telling it to reconnect to another dynamically selected TCP port.
The FortiGate will dynamically open the new TCP port due to the pre-configured 'session helper'.
The session_ttl value applied to this new port is based on the default session_ttl value (which can be lower than 3600 seconds).
The timeout of this newly established session causes the client-server session to stop.
There exist several options to correct this issue:
- Configure the Oracle server to not issue the REDIRECT command. This will effectively keep sessions on port 1521.
- Configure the Oracle server to use a pre-defined REDIRECT port(s). It is possible to configure the predefined ports manually on the FortiGate with longer session_ttl values.
- Increase the default session_ttl value of the FortiGate, so that any dynamically opened ports will use this value.
Note: In the most recent versions of Oracle DB, the REDIRECT packet is not sent anymore, and all of the connectivity is done over TCP port 1521. For these cases, consider deleting the TNS session helper, which will greatly reduce the FortiGate CPU utilization:
config system session-helper
edit 4
set name tns
set protocol 6
set port 1521
next
It is usually the 4th entry under 'config system session-helper', as shown above.
To delete it, run the following commands:
config system session-helper
delete 4
end
Note: Reduce the TCP-Half close timer as per the Oracle Session timer, default value is 120 sec.
config system global
set tcp-halfclose-timer xx
end
|
