在查看alert日志的時候發現:
1 *********************************************************************** 2 3 Fatal NI connect error 12170. 4 5 VERSION INFORMATION: 6 TNS for Linux: Version 11.2.0.1.0 - Production 7 Oracle Bequeath NT Protocol Adapter for Linux: Version 11.2.0.1.0 - Production 8 TCP/IP NT Protocol Adapter for Linux: Version 11.2.0.1.0 - Production 9 Time: 27-DEC-2012 16:17:46 10 Tracing not turned on. 11 Tns error struct: 12 ns main err code: 12535 13 14 TNS-12535: TNS:operation timed out 15 ns secondary err code: 12560 16 nt main err code: 505 17 18 TNS-00505: Operation timed out 19 nt secondary err code: 110 20 nt OS err code: 0 21 Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=xxx.xxx.xxx.xxx)(PORT=xxxx)) 22 Thu Dec 27 16:46:44 2012 23 24 25 ***********************************************************************
參考官方說明關於該警告的說明:
Note:465043.1
The "WARING:inbound connection timed out (ORA-3136)" in the alert log indicates that the client was not able to complete it's authentication within the period of time specified by parameter SQLNET.INBOUND_CONNECT_TIMEOUT.
You may also witness ORA-12170 without timeout error on the database sqlnet.log file.This entry would also have the client address which failed to get authenticated.Some applications or JDBC thin driver applications may not have these details.
可能的原因:
1、網絡攻擊,例如:半開連接攻擊
Server gets a connection request from a malcious client which is not supposed to connect to the database,in which case the error thrown is the correct behavior.You can get the client address for which the error was thrown via sqlnet log file.
2、Client在default 60秒內沒有完成認證
The server receives a valid client connection request but the client tabkes a long time to authenticate more than the default 60 seconds.
3、DB負載太高
The DB server is heavily loaded due to which it cannot finish the client logon within the timeout specified.
WANGING:inbound connection timed out (ORA-3136)
解決問題:
其實這個參數跟監聽的一個參數有關:SQLNET.INBOUND_CONNECT_TIMEOUT
這個參數從9i開始引入,指定了客戶端連接服務器並且提供認證信息的超時時間,如果超過這個時間客戶端沒有提供正確的認證信息,服務器會自動中止連接請求,同時會記錄試圖連接的IP地址和ORA-12170:TNS:Connect timeout occurred錯誤。
這個參數的引入,主要是防止DoS攻擊,惡意攻擊者可以通過不停的開啟大量連接請求,占用服務器的連接資源,使得服務器無法提供有效服務。在10.2.0.1起,該參數默認設置為60秒。
但是,這個參數的引入也導致了一些相關的Bug。比如:
Bug 5594769 - REMOTE SESSION DROPPED WHEN LOCAL SESSION SHARED AND INBOUND_CONNECT_TIMEOUT SET
Bug 5249163 - CONNECTS REFUSED BY TNSLSNR EVERY 49 DAYS FOR INBOUND_CONNEC_TIMEOUT SECONDS
該參數可以通過設置為0來禁用,在服務端:
1)、設置sqlnet.ora文件:SQLNET.INBOUND_CONNECT_TIMEOUT=0;
2)、設置listener.ora文件:INBOUND_CONNECT_TIMEOUT_listenername=0;
3)、然后reload或者重啟監聽。
說明:這是由於連接超時所產生的問題,在10.2.0.1.0版本中sqlnet.inbound_connect_timeout參數默認為60秒,即如果連接時間超過60秒則提示超時,而在其他版本中這兩個參數默認為0,即無限制。
具體操作例子:
----因為之前修改了很多次參數,一直沒成功,這次就索性把監聽給停掉了----------------
1 [oracle@cnbpi admin]$ lsnrctl stop 2 3 LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 27-DEC-2012 22:40:24 4 5 Copyright (c) 1991, 2009, Oracle. All rights reserved. 6 7 Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=xxxx)(PORT=xxxx))) 8 The command completed successfully ----在sqlnet.ora文件中添加SQLNET.INBOUND_CONNECT_TIMEOUT = 0----------
9 [oracle@cnbpi admin]$ vi sqlnet.ora 10 # sqlnet.ora Network Configuration File: /u01/app/oracle/product/11.2.0/db_1/network/admin/sqlnet.ora 11 # Generated by Oracle configuration tools. 12 13 NAMES.DIRECTORY_PATH= (TNSNAMES) 14 SQLNET.INBOUND_CONNECT_TIMEOUT = 0 15 ----在listener.ora文件添加INBOUND_CONNECT_TIMEOUT_listener=0------------
16 [oracle@cnbpi admin]$ vi listener.ora 17 18 # listener.ora Network Configuration File: /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora 19 # Generated by Oracle configuration tools. 20 21 LISTENER = 22 (DESCRIPTION_LIST = 23 (DESCRIPTION = 24 (ADDRESS = (PROTOCOL = TCP)(HOST = cnbpi)(PORT = xxxx)) 25 # (CONNECT_TIMEOUT_LISTENER = 3600) -------該參數在測試中不起作用 26 ) 27 ) 28 INBOUND_CONNECT_TIMEOUT_listener=0 29 30 [oracle@cnbpi admin]$ lsnrctl 31 32 LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 27-DEC-2012 22:42:14 33 34 Copyright (c) 1991, 2009, Oracle. All rights reserved. 35 36 Welcome to LSNRCTL, type "help" for information. 37 -----因為監聽已經停止,所以查不出inbound_connect_timeout參數是否修改成功----------------
38 LSNRCTL> show inbound_connect_timeout 39 Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=cnbpi)(PORT=1521))) 40 TNS-12541: TNS:no listener 41 TNS-12560: TNS:protocol adapter error 42 TNS-00511: No listener 43 Linux Error: 111: Connection refused 44 LSNRCTL> set inbound_connect_timeout 0 45 Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=cnbpi)(PORT=1521))) 46 TNS-12541: TNS:no listener 47 TNS-12560: TNS:protocol adapter error 48 TNS-00511: No listener 49 Linux Error: 111: Connection refused ----啟動監聽-----------------------------------
50 LSNRCTL> start 51 Starting /u01/app/oracle/product/11.2.0/db_1/bin/tnslsnr: please wait... 52 53 TNSLSNR for Linux: Version 11.2.0.1.0 - Production 54 System parameter file is /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora 55 Log messages written to /u01/app/oracle/diag/tnslsnr/cnbpi/listener/alert/log.xml 56 Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=cnbpi)(PORT=xxxx))) 57 58 Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=cnbpi)(PORT=xxxx))) 59 STATUS of the LISTENER 60 ------------------------ 61 Alias LISTENER 62 Version TNSLSNR for Linux: Version 11.2.0.1.0 - Production 63 Start Date 27-DEC-2012 22:42:37 64 Uptime 0 days 0 hr. 0 min. 0 sec 65 Trace Level off 66 Security ON: Local OS Authentication 67 SNMP OFF 68 Listener Parameter File /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora 69 Listener Log File /u01/app/oracle/diag/tnslsnr/cnbpi/listener/alert/log.xml 70 Listening Endpoints Summary... 71 (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=cnbpi)(PORT=xxxx))) 72 The listener supports no services 73 The command completed successfully ----查看inbound_connect_timeout參數已經修改成功,值為0-------------------
74 LSNRCTL> show inbound_connect_timeout 75 Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=xxxx)(PORT=xxxx))) 76 LISTENER parameter "inbound_connect_timeout" set to 0 77 The command completed successfully
-----因為之前在修改中可能是參數設置不對,所以一直沒成功,所以用了這種最笨的方法使監聽停掉以后再修改,其實只需修改了參數以后再reload一下就可以了。
參考文檔: