今天遇到:ORA-12537 TNS:连接关闭,监听正常,集群正常,数据库正常,查了一下才发现问题。
LISTENER日志报错
TNS-12546: TNS:permission denied
TNS-12560: TNS:protocol adapter error
TNS-00516: Permission denied
设置限制登录
tcp.validnode_checking=yes
tcp.invited_nodes=(136.3.67.11,136.1.10.11,136.1.10.12,136.1.10.13,136.1.10.14,136.1.10.7,136.1.10.8,136.1.10.6,10.0.1.11,10.0.1.12,10.0.1.6,10.0.1.7,10.0.1.8)
What is Validnode Verification and How to Use It (Doc ID 462933.1)
metalink
In this Document
Goal
Fix
APPLIES TO:
Oracle Net Services - Version 9.2.0.1.0 and later
Information in this document applies to any platform.
GOAL
How to control access to the database and understand validnode checking.
FIX
You can configure the sqlnet.ora file to allow and deny access to the database via the validnode checking parmeters. (Earlier versions of Oracle, 8i and lower used the protocol.ora file)
TCP.VALIDNODE_CHECKING
Use to specify whether to screen access to the database.Value is either YES or ON
TCP.EXCLUDED_NODES
Use to specify which clients using the TCP/IP protocol are denied access to the database. Hostname and ipaddress can be used
TCP.INVITED_NODES
Use to specify which clients using the TCP/IP protocol are allowed access to the database. Hostname and ipadddress can be used.
Example sqlnet.ora file (set where database is running)
TCP.VALIDNODE_CHECKING = YES
TCP.EXCLUDED_NODES= (138.3.33.33)
TCP.INVITED_NODES=(138.4.44.44, hammer)
Would cause the SQL*plus from client "138.3.33.33" to error
sqlplus scott/tiger@orcl
SQL*Plus: Release 10.2.0.1.0 - Production on Tue Oct 16 11:48:40 2007
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-12537: TNS:connection closed
Level 16 listener trace will show
nttvlser: valid node check on incoming node 138.3.33.33
nttvlser: Denied Entry: 138.3.33.33
nttcon: exit
nserror: entry
nserror: nsres: id=1, p=65, ns=12546, ns2=12560; nt[0]=516, nt[1]=0, nt[2]=0; ora[0]=0, ora[1]=0, ora[2]=
Listener log will show
16-OCT-2007 11:48:40 * 12546
TNS-12546: TNS:permission denied
TNS-12560: TNS:protocol adapter error
TNS-00516: Permission denied
But would allow connections from machines "138.4.44.44" and "hammer" to pass.Please note that without the servers host name or ip address in the invited list, then PMON will not register with the listener.
Any changes to the values requires the TNS listener to be reloaded
All host names must be resolvable or the TNS listener will not start
Invited list takes precedence over excluded listed
All entries must be on one line(Best to add entries via Net Manager)
SCAN and TCP.INVITED_NODES will require the SCAN VIPs and Node Vips to be added to the Grid Infrastructure SQLNET.ORA file.