Why are live JDBC connections dropping on Cisco Pix 515E?

Discussion in 'Cisco' started by javaguy, Dec 9, 2004.

  1. javaguy

    javaguy Guest

    My firm has a web application fetching its database information,
    through OpenLink 5.1 JDBC drivers, from an Informix DBMS. Between the
    web server and the database server is a Cisco Pix 515 6.3(1) firewall.

    My connections are being dropped every 2 hours. The firewall is
    configured to drop connections after 2 hours of inactivity.

    My web application has a "keep-alive" thread that exercises each
    database connection every 10 minutes or so. The largest idle period
    for any thread is 10 minutes. When users are busy, there are shorter
    idle periods (the connections are being used).

    In practice, the firewall is dropping connections *regardless of
    traffic* after 2 hours. This is a pain because 1) it could occur
    during a DBMS communication and 2) the DBMS isn't aware that the
    connection has been dropped and increases the apparent number of
    connections in use (there is a $$$ licensing issue on the DBMS).

    As a workaround my homegrown pool remembers when each connection was
    created and forces the connection to close after about 1 hour. In
    short, planned downtime instead of unplanned downtime. But this
    prevents me from ever replacing the pool with any other, *better*,
    pool. It seems all the JDBC pools I've been able to track down assume
    that keep-alive activity will satisfy firewall tests. But not *my*
    current implementation.

    What I'd like to discover is what parameter to change on my firewall to
    allow active connections, ones where the most recent activity is only a
    few minutes ago, to remain active even if the connection was initially
    created hours, days, weeks ago. So, instead of a connection lasting a
    maximum of 2 hours, regardless of activity, a connection lasting as
    long as the keep-alive thread can run on it.

    BTW, creating a permanent hole in the firewall for that port is not
    acceptable in my site. The DBMS traffic must go through the firewall
    rules, and not be exempt from them.

    Thanks for any help,
    Jerome.
     
    javaguy, Dec 9, 2004
    #1

  2. :My firm has a web application fetching its database information,
    :through OpenLink 5.1 JDBC drivers, from an Informix DBMS. Between the
    :web server and the database server is a Cisco Pix 515 6.3(1) firewall.

    Note: it is recommended that you update to 6.3(4). There are bugs
    and security problems with 6.3(1) thru 6.3(3). The update would
    be free even if you don't have a support contract, as Cisco provides
    free updates [within the same release] when there are security fixes.

    :My connections are being dropped every 2 hours. The firewall is
    :configured to drop connections after 2 hours of inactivity.

    What protocols are involved? As you speak of 'connections', that
    would tend to imply TCP, but I've seen UDP connections for databases
    before so it is better to ask.

    :My web application has a "keep-alive" thread that exercises each
    :database connection every 10 minutes or so.

    That -should- be sufficient if you are using TCP.

    :In practice, the firewall is dropping connections *regardless of
    :traffic* after 2 hours.

    That isn't normal behaviour for plain connections. I've had no problem
    with keeping connections up for extended periods without any form of
    keep-alive.


    :BTW, creating a permanent hole in the firewall for that port is not
    :acceptable in my site. The DBMS traffic must go through the firewall
    :rules, and not be exempt from them.

    Two small questions to help clarify the situation:

    1) Is there a VPN involved in all of this, especially an IPSec VPN?
    (If not, why not? ;-) )

    2) Are you using user authentication on the PIX? If you are
    using AAA authentication then you might be hitting a timeout in
    'timeout uauth absolute'

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1026093
     
    Walter Roberson, Dec 9, 2004
    #2
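    Walter's second question points at the PIX timeout commands. The
    following fragment is an added illustration, not configuration from
    either poster: it shows what the two timers look like in a PIX 6.3
    configuration, with the 2-hour connection value taken from the
    original post and the uauth line assumed for illustration (the poster
    has not said whether AAA authentication is in use at all).

```text
! PIX 6.3 configuration fragment (added example; values are assumptions)

! Idle timer for TCP connections. The clock resets every time a packet
! passes through the connection, so a keep-alive every 10 minutes keeps
! a connection governed only by this line open indefinitely.
timeout conn 2:00:00

! User-authentication (uauth) timer. With the "absolute" keyword the
! timer runs continuously from the moment the user authenticates,
! regardless of traffic; with "inactivity" it behaves as an idle timer.
! This is the timer Walter suggests checking if the web server's
! sessions are being authenticated by the PIX.
timeout uauth 2:00:00 absolute

! Commands to confirm which timer is in play (run from enable mode):
! show timeout          - current idle/absolute timer settings
! show uauth            - whether any uauth entries exist for the web server
! show conn             - live connections with their current idle time
```

    If `show uauth` shows no entries for the web server's address, the
    uauth timer is not involved and the 2-hour drop has to be explained
    some other way; if it does, changing `absolute` to `inactivity` (or
    removing AAA for this traffic) is the parameter the original question
    is looking for.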
