- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Lost SQL Server sessions
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 04-19-2005 11:39 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lost SQL Server sessions
Hi everyone
I recently installed a a number of Fortigate 200' s. Currently they are configured with a scan/nids profile only. There are _no_ traffic limiting policies in place - all ports and all directions are configured with a any/all/accept policy. The firewalls carry very low traffic volumes; we have an average of 3-5 Mbit/s load.
Since the firewalls were installed, we have started experiencing problems with database (SQL server) connections and session timeouts. I' m not too concerned about the session timeouts, we have made some adjustments where necessary and I believe the rest can be addresses by ' firewall-aware' programming.
However, there is one issue that we cannot find an explanation or solution for. The following error started appearing randomly and fairly frequently after the firewalls were installed:
[DBNETLIB][ConnectionOpen(Connect()).]SQL Server does not exist or access denied
Any ideas? You assistance will be much appreciated.
6 REPLIES 6
Not applicable
Created on 04-20-2005 11:11 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
To solve this problem, you should increase session_timeout for SQL connections.
Try these:
config system session_ttl
config port
edit 1433
set timeout 3600
next
end
end
where, 1433 is the sql port value and 3600 is the session time in second.
umit.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi umit,
Thanks for your input, but this we have already done and it did not help. It seems like the session does not time out, but something else breaks and generates the error I mentioned. We have found references to other users experiencing this sort of problem on Oracle after installing a Fortigate, but nothing for SQL Server.
thx
Deon
Not applicable
Created on 04-24-2005 07:47 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Deon,
I don' t have a solution for this issue, but I think I know what is going on in that Fortigate 200 box of yours.
I am currently trying to convince Fortinet R&D about a bug related to the way Fortigate handles TCP half close connections (FIN_WAIT2 state). Your description of this issue looks rather familiar to what I am experiencing with raw LPR and RSH connections: Most connections work fine but it occurs at random that some connections seem to be time-out, although the session_ttl was set to a couple of hours and filtering is obviously not causing the problem. Below my findings, hope it makes any sense to you.
I am convinced that Fortinet has implemented the 2*MSL WAIT for TCP connection termination during the half close (FIN_WAIT2 state), instead of after the full close (TIME_WAIT2 state) as defined in RFC793. What this means is that a time-out is set during the the half close and if the remote party does not fully close the connection within the time-out set by the Fortigate, the session expires. According to the TCP specification no time-out should be used during the half close state, but the unwanted implicit " indefinite" wait has caused many implementations to use a time-out value here anyway. It seems to me that the Fortigate firewall launches the 2*MSL wait during the half close.
I have setup some tests and I have seen that my Fortigate(s) lower the active session_ttl when the connection state transitions to the half close state. On MR6 this was 120 seconds followed by an additional wait of 10 seconds. With MR7 and higher, this time-out value was lowered to 30 seconds, without the additional wait of 10 seconds. The latter is a very common 2*MSL implementation nowadays (RFC1323), however, the issue here is obviously that Fortinet either implemented a very low time-out during half close (FIN_WAIT2 state), which looks very much like a 2*MSL implementation to me or it launched the 2*MSL wait too early!
My advise for now is to check what SQL transactions take longer than 30 seconds to complete and tune them, or downgrade to MR6 so your SQL transaction have more time to finish.
Brgrds,
Frank
Not applicable
Created on 04-25-2005 07:45 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Frank,
Thanks very much for the response. What you describe is a bit outside my level of expertise, but it makes perfect sense and fits my situation. I' m escalating this to Fortinet. If I get anywhere, I' ll let you know.
Cheers
Deon
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Deon,
I was glad to see someone else experiencing similar problems, which will make my case much stronger now! I have escalated the issue some time ago and it is now at R&D; I will let you know too... GOOD LUCK!
Brgrds,
Frank
Not applicable
Created on 07-02-2005 11:49 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Deon,
Check the tcp-halfclose-timer in MR10. Good luck with your tweaking!
Rgrds,
Frank
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Unable to connect 120G to FAZ-VM... 159 Views
- Syslog from Fortigate 40F to Syslog... 195 Views
- multiple sessions 408 Views
- Difference between ssl inspection and proxy... 159 Views
- Oracle sessions randomly hanging behind fortigate 307 Views
Labels
-
FortiGate
7,191 -
FortiClient
1,419 -
5.2
801 -
5.4
639 -
FortiManager
621 -
FortiAnalyzer
458 -
6.0
416 -
FortiAP
376 -
FortiSwitch
375 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
116 -
IPsec
110 -
SSL-VPN
109 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
SD-WAN
50 -
FortiProxy
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
FortiSandbox
34 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
LDAP
21 -
FortiConverter
21 -
Certificate
21 -
SAML
20 -
FortiGate v5.2
19 -
FortiPortal
18 -
Routing
18 -
Interface
18 -
FortiSwitch v6.2
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiLink
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
SSL SSH inspection
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
System settings
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1077 | |
| 892 | |
| 529 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.