oracle tns 连接关闭,ORA-12537 TNS：连接关闭

今天遇到：ORA-12537 TNS：连接关闭，监听正常，集群正常，数据库正常，查了一下才发现问题。

LISTENER日志报错

TNS-12546: TNS:permission denied

TNS-12560: TNS:protocol adapter error

TNS-00516: Permission denied

设置限制登录

tcp.validnode_checking=yes

tcp.invited_nodes=(136.3.67.11,136.1.10.11,136.1.10.12,136.1.10.13,136.1.10.14,136.1.10.7,136.1.10.8,136.1.10.6,10.0.1.11,10.0.1.12,10.0.1.6,10.0.1.7,10.0.1.8)

What is Validnode Verification and How to Use It (Doc ID 462933.1)

metalink

In this Document

Goal

Fix

APPLIES TO:

Oracle Net Services - Version 9.2.0.1.0 and later

Information in this document applies to any platform.

GOAL

How to control access to the database and understand validnode checking.

FIX

You can configure the sqlnet.ora file to allow and deny access to the database via the validnode checking parmeters. (Earlier versions of Oracle, 8i and lower used the protocol.ora file)

TCP.VALIDNODE_CHECKING

Use to specify whether to screen access to the database.Value is either YES or ON

TCP.EXCLUDED_NODES

Use to specify which clients using the TCP/IP protocol are denied access to the database. Hostname and ipaddress can be used

TCP.INVITED_NODES

Use to specify which clients using the TCP/IP protocol are allowed access to the database. Hostname and ipadddress can be used.

Example sqlnet.ora file (set where database is running)

TCP.VALIDNODE_CHECKING = YES

TCP.EXCLUDED_NODES= (138.3.33.33)

TCP.INVITED_NODES=(138.4.44.44, hammer)

Would cause the SQL*plus from client "138.3.33.33" to error

sqlplus scott/tiger@orcl

SQL*Plus: Release 10.2.0.1.0 - Production on Tue Oct 16 11:48:40 2007

Copyright (c) 1982, 2005, Oracle.  All rights reserved.

ERROR:

ORA-12537: TNS:connection closed

Level 16 listener trace will show

nttvlser: valid node check on incoming node 138.3.33.33

nttvlser: Denied Entry: 138.3.33.33

nttcon: exit

nserror: entry

nserror: nsres: id=1, p=65, ns=12546, ns2=12560; nt[0]=516, nt[1]=0, nt[2]=0; ora[0]=0, ora[1]=0, ora[2]=

Listener log will show

16-OCT-2007 11:48:40 * 12546

TNS-12546: TNS:permission denied

TNS-12560: TNS:protocol adapter error

TNS-00516: Permission denied

But would allow connections from machines "138.4.44.44" and "hammer" to pass.Please note that without the servers host name or ip address in the invited list, then PMON will not register with the listener.

Any changes to the values requires the TNS listener to be reloaded

All host names must be resolvable or the TNS listener will not start

Invited list takes precedence over excluded listed

All entries must be on one line(Best to add entries via Net Manager)

SCAN and TCP.INVITED_NODES will require the SCAN VIPs and Node Vips to be added to the Grid Infrastructure SQLNET.ORA file.