RE: sqlnet.ora and tcp node checking on issue
Date: Thu, 15 Jan 2009 11:59:04 -0500
Message-ID: <BB794FBF96457F46A52B68230BC23AF60BEEE47C65_at_mail4.alfredstate.edu>
Hello Pete,
Yes, I do have a mix - one or two IP addresses but mostly they are hostnames. It looks like I will go down the path of using fixed IP addresses.
Thanks all, your input is always appreciated.
Julio
-----Original Message-----
From: Pete Finnigan [mailto:pete_at_petefinnigan.com]
Sent: Thursday, January 15, 2009 10:27 AM
To: QuijadaReina, Julio C
Cc: Nilo Segura; oracle-l_at_freelists.org
Subject: Re: sqlnet.ora and tcp node checking on issue
Hi Julio,
I have some comments on good practice for valid node checking.
Generally you should not mix IP and hostnames in valid node checking set up. There is undefined behaviour in some cases that I have seen in the past. Your output suggests that you could be doing this.
Also you should try and use IP addresses as Jared suggests; IP addresses, whilst not totally un-spoofable, are harder to spoof than hostnames that could be spoofed/re-directed with a rogue DNS server.
Also as suggested you should get the small number of allowed hosts on fixed IP addresses or move to a firewall.
cheers
Pete
QuijadaReina, Julio C wrote:
> Yes, the list includes the node the listener runs on.
>
> Julio
> ________________________________________
> From: Nilo Segura [nilosegura_at_gmail.com]
> Sent: Wednesday, January 14, 2009 6:09 PM
> To: QuijadaReina, Julio C
> Subject: Re: sqlnet.ora and tcp node checking on issue
>
> Hello,
>
> Minor question : Have you included the node where the listener runs
> in the list ? Otherwise the listener will not start..
>
> regards.
>
> Nilo Segura
> Oracle Support - IT/DES
> CERN - Geneva
> Switzerland
>
> On Wed, Jan 14, 2009 at 8:03 PM, QuijadaReina, Julio C
> <QuijadJC_at_alfredstate.edu> wrote:
>> Hello,
>>
>> Has anyone run into issues with the listener not starting when sqlnet.ora includes tcp node checking? It appears that the problem is a computer name that is not resolvable through DNS - or that it just happens to be turned off at the time. I am using this setting as part of a security strategy to only allow certain clients direct access to the database servers.
>>
>> This is happening with Oracle 10g 10.2.0.3 on Red Hat 4.
>> The listener fails to start with message:
>>
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:LSNRCTL for Linux: Version 10.2.0.3.0 - Production on 14-JAN-2009 13:54:23
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:Copyright (c) 1991, 2006, Oracle. All rights reserved.
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:Starting /orapck/oracle/asm/bin/tnslsnr: please wait...
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:TNSLSNR for Linux: Version 10.2.0.3.0 - Production
>>
>> server:ora.server.LISTENER_server.lsnr:System parameter file is /orapck/oracle/asm/network/admin/listener.ora
>>
>> server:ora.server.LISTENER_server.lsnr:Log messages written to /orapck/oracle/asm/network/log/listener_server.log
>>
>> server:ora.server.LISTENER_server.lsnr:Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1)))
>>
>> server:ora.server.LISTENER_server.lsnr:Error listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=server-vip)(PORT=1521)(IP=FIRST)))
>>
>> server:ora.server.LISTENER_server.lsnr:TNS-12560: TNS:protocol adapter error
>>
>> server:ora.server.LISTENER_server.lsnr: TNS-00584: Valid node checking configuration error
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:Listener failed to start. See the error message(s) above...
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:LSNRCTL for Linux: Version 10.2.0.3.0 - Production on 14-JAN-2009 13:54:23
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:Copyright (c) 1991, 2006, Oracle. All rights reserved.
>>
>> server:ora.server.LISTENER_server.lsnr:
>>
>> server:ora.server.LISTENER_server.lsnr:Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
>>
>> server:ora.server.LISTENER_server.lsnr:TNS-12541: TNS:no listener
>>
>> server:ora.server.LISTENER_server.lsnr: TNS-12560: TNS:protocol adapter error
>>
>> server:ora.server.LISTENER_server.lsnr: TNS-00511: No listener
>>
>> server:ora.server.LISTENER_server.lsnr: Linux Error: 2: No such file or directory
>>
>> server:ora.server.LISTENER_server.lsnr:Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=server-vip)(PORT=1521)(IP=FIRST)))
>>
>> server:ora.server.LISTENER_server.lsnr:TNS-12541: TNS:no listener
>>
>> server:ora.server.LISTENER_server.lsnr: TNS-12560: TNS:protocol adapter error
>>
>> server:ora.server.LISTENER_server.lsnr: TNS-00511: No listener
>>
>> server:ora.server.LISTENER_server.lsnr: Linux Error: 111: Connection refused
>>
>> server:ora.server.LISTENER_server.lsnr:Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=)(PORT=1521)(IP=FIRST)))
>>
>> server:ora.server.LISTENER_server.lsnr:TNS-12541: TNS:no listener
>>
>> server:ora.server.LISTENER_server.lsnr: TNS-12560: TNS:protocol adapter error
>>
>> server:ora.server.LISTENER_server.lsnr: TNS-00511: No listener
>>
>> server:ora.server.LISTENER_server.lsnr: Linux Error: 111: Connection refused
>>
>> CRS-0215: Could not start resource 'ora.server.LISTENER_server.lsnr'.
>>
>>
>>
>> Thanks,
>>
>> Julio
>> --
>> http://www.freelists.org/webpage/oracle-l
--
Pete Finnigan
Director
PeteFinnigan.com Limited

Specialists in database security.

If you need help to audit or secure an Oracle database, please ask for details of our courses and consulting services

Phone: +44 (0)1904 791188
Fax  : +44 (0)1904 791188
Mob  : +44 (0)7742 114223
email: pete_at_petefinnigan.com
site : http://www.petefinnigan.com

Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom
Company No : 4664901
VAT No. : 940 6681 14

Please note that this email communication is intended only for the addressee and may contain confidential or privileged information. The contents of this email may be circulated internally within your organisation only and may not be communicated to third parties without the prior written permission of PeteFinnigan.com Limited. This email is not intended nor should it be taken to create any legal relations, contractual or otherwise.
--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jan 15 2009 - 10:59:04 CST
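
Added example, not part of the original thread: a pre-flight check that reads a sqlnet.ora invited-node list and reports the conditions discussed above (IP addresses mixed with host names, names that depend on DNS or do not resolve, and a list that omits the listener's own node). The thread does not show the configuration, so the standard parameter name TCP.INVITED_NODES is assumed, and the sample file, host names and addresses are constructed.

```python
import ipaddress
import re
import socket

# Constructed sample sqlnet.ora; every host name and address is made up.
SAMPLE_SQLNET = """\
# sqlnet.ora (constructed example)
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (192.0.2.10, appsrv1.example.com,
                     192.0.2.11, labpc7.example.com)
"""

def invited_nodes(sqlnet_text):
    """Return the TCP.INVITED_NODES entries, or [] if the parameter is absent."""
    text = re.sub(r"#.*", "", sqlnet_text)  # strip comments to end of line
    m = re.search(r"tcp\.invited_nodes\s*=\s*\(([^)]*)\)", text, re.I)
    return [n.strip() for n in m.group(1).split(",") if n.strip()] if m else []

def is_ip(entry):
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False

def audit(sqlnet_text, listener_nodes, resolve=socket.gethostbyname):
    """Pre-flight findings to review before the listener is restarted.

    listener_nodes: names/addresses of the host the listener runs on.
    resolve: lookup function, injectable so the check can run offline.
    """
    nodes = invited_nodes(sqlnet_text)
    names = [n for n in nodes if not is_ip(n)]
    findings = []
    if names and len(names) < len(nodes):
        findings.append("mixed: IP addresses and host names in one list")
    for name in names:
        try:
            resolve(name)
            findings.append(f"dns-dependent: {name}")
        except OSError:  # socket.gaierror is a subclass of OSError
            findings.append(f"unresolvable: {name}")
    listed = {n.lower() for n in nodes}
    if nodes and not listed & {n.lower() for n in listener_nodes}:
        findings.append("listener-missing: listener node is not in the list")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SQLNET, ["192.0.2.10"]):
        print(finding)
```

An empty result means the list is all literal IP addresses and includes the listener node; the check does not look at whether TCP.VALIDNODE_CHECKING is enabled.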