Re: sqlnet.ora and tcp node checking on issue

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Thu, 15 Jan 2009 15:26:53 +0000
Message-ID: <496F55BD.1000401_at_petefinnigan.com>



Hi Julio,

I have some comments on good practice for valid node checking.

Generally you should not mix IP and hostnames in valid node checking setup. There is undefined behaviour in some cases that I have seen in the past. Your output suggests that you could be doing this.

Also, you should try to use IP addresses as Jared suggests; IP addresses, whilst not totally un-spoofable, are harder to spoof than hostnames that could be spoofed/re-directed with a rogue DNS server.

Also as suggested you should get the small number of allowed hosts on fixed IP addresses or move to a firewall.

cheers

Pete

QuijadaReina, Julio C wrote:

> Yes, the list includes the node the listener runs on.
> 
> Julio
> ________________________________________
> From: Nilo Segura [nilosegura_at_gmail.com]
> Sent: Wednesday, January 14, 2009 6:09 PM
> To: QuijadaReina, Julio C
> Subject: Re: sqlnet.ora and tcp node checking on issue
> 
> Hello,
> 
> Minor question: Have you included the node where the listener runs
> in the list? Otherwise the listener will not start.
> 
> regards.
> 
> 
> Nilo Segura
> Oracle Support - IT/DES
> CERN - Geneva
> Switzerland
> 
> 
> 
> On Wed, Jan 14, 2009 at 8:03 PM, QuijadaReina, Julio C
> <QuijadJC_at_alfredstate.edu> wrote:

>> Hello,
>>
>> Has anyone run into issues with the listener not starting when sqlnet.ora includes tcp node checking? It appears that the problem is a computer name that is not resolvable through DNS - or that it just happens to be turned off at the time. I am using this setting as part of a security strategy to only allow certain clients direct access to the database servers.
>>
>> This is happening with Oracle 10g 10.2.0.3 on Red Hat 4.
>> The listener fails to start with message:
>>
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:LSNRCTL for Linux: Version 10.2.0.3.0 - Production on 14-JAN-2009 13:54:23
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:Copyright (c) 1991, 2006, Oracle. All rights reserved.
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:Starting /orapck/oracle/asm/bin/tnslsnr: please wait...
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:TNSLSNR for Linux: Version 10.2.0.3.0 - Production
>>
>> server:ora.server.LISTENER_server.lsnr:System parameter file is /orapck/oracle/asm/network/admin/listener.ora
>>
>> server:ora.server.LISTENER_server.lsnr:Log messages written to /orapck/oracle/asm/network/log/listener_server.log
>>
>> server:ora.server.LISTENER_server.lsnr:Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1)))
>>
>> server:ora.server.LISTENER_server.lsnr:Error listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=server-vip)(PORT=1521)(IP=FIRST)))
>>
>> server:ora.server.LISTENER_server.lsnr:TNS-12560: TNS:protocol adapter error
>>
>> server:ora.server.LISTENER_server.lsnr: TNS-00584: Valid node checking configuration error
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:Listener failed to start. See the error message(s) above...
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:LSNRCTL for Linux: Version 10.2.0.3.0 - Production on 14-JAN-2009 13:54:23
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:Copyright (c) 1991, 2006, Oracle. All rights reserved.
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
>>
>> server:ora.server.LISTENER_server.lsnr:TNS-12541: TNS:no listener
>>
>> server:ora.server.LISTENER_server.lsnr: TNS-12560: TNS:protocol adapter error
>>
>> server:ora.server.LISTENER_server.lsnr: TNS-00511: No listener
>>
>> server:ora.server.LISTENER_server.lsnr: Linux Error: 2: No such file or directory
>>
>> server:ora.server.LISTENER_server.lsnr:Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=server-vip)(PORT=1521)(IP=FIRST)))
>>
>> server:ora.server.LISTENER_server.lsnr:TNS-12541: TNS:no listener
>>
>> server:ora.server.LISTENER_server.lsnr: TNS-12560: TNS:protocol adapter error
>>
>> server:ora.server.LISTENER_server.lsnr: TNS-00511: No listener
>>
>> server:ora.server.LISTENER_server.lsnr: Linux Error: 111: Connection refused
>>
>> server:ora.server.LISTENER_server.lsnr:Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=136.224.32.132)(PORT=1521)(IP=FIRST)))
>>
>> server:ora.server.LISTENER_server.lsnr:TNS-12541: TNS:no listener
>>
>> server:ora.server.LISTENER_server.lsnr: TNS-12560: TNS:protocol adapter error
>>
>> server:ora.server.LISTENER_server.lsnr: TNS-00511: No listener
>>
>> server:ora.server.LISTENER_server.lsnr: Linux Error: 111: Connection refused
>>
>> CRS-0215: Could not start resource 'ora.server.LISTENER_server.lsnr'.
>>
>>
>>
>> Thanks,
>>
>> Julio
>> --
>> http://www.freelists.org/webpage/oracle-l

-- 

Pete Finnigan
Director
PeteFinnigan.com Limited

Specialists in database security.

If you need help to audit or secure an Oracle database, please ask for
details of our courses and consulting services

Phone: +44 (0)1904 791188
Fax  : +44 (0)1904 791188
Mob  : +44 (0)7742 114223
email: pete_at_petefinnigan.com
site : http://www.petefinnigan.com

Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom
Company No       : 4664901
VAT No.          : 940 6681 14

Please note that this email communication is intended only for the
addressee and may contain confidential or privileged information. The
contents of this email may be circulated internally within your
organisation only and may not be communicated to third parties without
the prior written permission of PeteFinnigan.com Limited.  This email is
not intended nor should it be taken to create any legal relations,
contractual or otherwise.

Received on Thu Jan 15 2009 - 09:26:53 CST
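
A lint pass over a `TCP.INVITED_NODES` list that applies the points raised in this thread: mixed IP/hostname entries, DNS-dependent names, names that do not resolve, and a missing listener node. This is an added example, not code from any poster or from Oracle; it assumes entries are plain IP addresses or hostnames, the sample file and all addresses and host names are constructed, and `parse_nodes` and `lint` are hypothetical helper names.

```python
import ipaddress
import re
import socket

# Constructed sample: mixes hostnames and IPs, and one host is not in DNS.
SAMPLE = """
# sqlnet.ora (constructed example)
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (192.0.2.10, appsrv1.example.test,
                     labpc7.example.test, 192.0.2.21)
"""

def parse_nodes(text, param="TCP.INVITED_NODES"):
    """Return the entries of a parenthesised node list, or [] if absent."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    m = re.search(re.escape(param) + r"\s*=\s*\(([^)]*)\)", body, re.I)
    return [n.strip() for n in m.group(1).split(",") if n.strip()] if m else []

def is_ip(entry):
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False

def lint(text, local_ips, resolve=socket.gethostbyname):
    """Check an invited-nodes list against the advice given in the thread."""
    nodes = parse_nodes(text)
    names = [n for n in nodes if not is_ip(n)]
    ips = {n for n in nodes if is_ip(n)}
    findings = []
    if names and ips:
        findings.append("mixed: list contains both IP addresses and hostnames")
    for name in names:
        try:
            ips.add(resolve(name))  # the answer is only as trustworthy as DNS
            findings.append(f"hostname: {name} depends on DNS, use its fixed IP")
        except OSError:  # socket.gaierror is a subclass of OSError
            findings.append(f"unresolvable: {name} does not resolve")
    # The listener's own node has to be covered by the list as well.
    if nodes and not ips & set(local_ips):
        findings.append("local: listener's own node is not in the list")
    return findings
```

Run `lint(open(path).read(), local_ips=[...])` against the server's sqlnet.ora before restarting the listener; an empty result means the list is IP-only and includes the listener node.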
