Issues with SQL database applications when traffic traverses SRX


Summary:
This article intends to track issues and resolutions encountered for SQL traffic traversing the SRX.

Note: The content of this article is gathered from customer and internal reports and does not reflect recommendations from any third party.
Problem or Goal:
Issues with SQL database applications when traffic traverses SRX. The issues are described in detail in the Solution section below.



Solution:

Report 1

Enabling the Structured Query Language (SQL) ALG on an SRX Series or J Series device allows SQL*Net traffic in SQL redirect mode to traverse the device by creating a TCP pinhole for the redirected data connection. If the SQL*Net traffic is not in redirect mode, it is not handled by the SQL ALG and is instead processed by the configured firewall policies, so it must be permitted explicitly by those policies.

Report 2

Oracle 9.2 and earlier requires the SQL ALG to keep traffic from moving to random ports; however, versions later than 9.2 may have intermittent issues when the SQL ALG is applied. This is readily visible on the Oracle side, which reports checksum errors. The following workarounds can alleviate this issue:
  1. Disable the SQL ALG globally using the set security alg sql disable command.
  2. Define an application which bypasses the SQL ALG. For more information, see KB15492 - [J-Series] [SRX] How to: Bypass an ALG by creating an "application ignore" or "alg ignore" policy.
  3. Configure Oracle to use a port other than TCP 1521 (see the Oracle documentation for details) so the traffic does not match the SQL ALG.

Report 3
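The following Junos configuration is an added example, not part of this article or of KB15492, showing workarounds 1 and 2 side by side: the global ALG disable from workaround 1, and a custom application with application-protocol ignore for workaround 2 so that only the SQL*Net flows between the named hosts bypass the ALG while it stays enabled for everything else. The zone names, address-book entries, policy names and the application name sqlnet-no-alg are assumptions chosen for the example; the commands themselves (set security alg sql disable, application-protocol ignore, insert ... before) are standard Junos CLI. The last commands are the checks an operator would run after committing.

```junos
## Workaround 1: disable the SQL ALG on the whole device.
## Every TCP/1521 flow is then subject only to the firewall policy.
set security alg sql disable

## Workaround 2: keep the ALG enabled globally but bypass it for
## specific SQL*Net traffic.  A predefined application (junos-sqlnet-v2)
## cannot carry application-protocol ignore, so a custom one is needed.
## The port must match what the database listener actually uses.
set applications application sqlnet-no-alg protocol tcp
set applications application sqlnet-no-alg destination-port 1521
set applications application sqlnet-no-alg application-protocol ignore

## Address-book entries for the example hosts (constructed values).
set security zones security-zone trust address-book address app-server 10.10.1.0/24
set security zones security-zone untrust address-book address oracle-db 10.20.5.10/32

## Policy that matches the custom application.  Because the ALG is
## bypassed, no pinhole is opened: every port the session needs must
## be permitted explicitly here, which is why the match is narrowed to
## the two hosts rather than "any".
set security policies from-zone trust to-zone untrust policy sqlnet-bypass-alg match source-address app-server
set security policies from-zone trust to-zone untrust policy sqlnet-bypass-alg match destination-address oracle-db
set security policies from-zone trust to-zone untrust policy sqlnet-bypass-alg match application sqlnet-no-alg
set security policies from-zone trust to-zone untrust policy sqlnet-bypass-alg then permit

## Policies are evaluated top down.  If an earlier policy already
## matches TCP/1521 with junos-sqlnet-v2, the bypass policy must be
## moved above it or it will never be hit (assumes an existing policy
## named allow-sqlnet).
insert security policies from-zone trust to-zone untrust policy sqlnet-bypass-alg before policy allow-sqlnet

commit

## Verification after commit:
## confirm the per-ALG state (Enabled/Disabled line for SQL) ...
show security alg status
## ... confirm the policy order and that the bypass policy sits first ...
show security policies from-zone trust to-zone untrust
## ... and confirm the session is built without an ALG-created pinhole.
show security flow session destination-port 1521
```

Use one workaround or the other, not both: with the global disable in place the custom application is harmless but redundant, and the policy narrowing is still worthwhile because without the ALG no redirected port will be opened automatically. Keeping the bypass scoped to the hosts that actually exchange SQL*Net, rather than applying application-protocol ignore to any-to-any on port 1521, limits how much traffic is excluded from ALG inspection.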

Packets dropped in SQL interleave mode. This problem has been addressed by PR 587126.

Report 4

SQL ALG is not working properly when data is transmitted over the control session. This problem has been addressed by PR 524444.
Purpose: Implementation, Troubleshooting