ORA-3136

今天Oracle10g RAC的一個節點實例掛起，在告警日誌文件(alert.log)中發現如下錯：

Thread 1 advanced to log sequence 41456 (LGWR switch)

  Current log# 6 seq# 41456 mem# 0: +YWZHDATA/ywzhdb/onlinelog/group_6.299.725832497

Mon Dec 27 10:13:26 2010

MMNL absent for 2350 secs; Foregrounds taking over

Mon Dec 27 10:15:07 2010

WARNING: inbound connection timed out (ORA-3136)

Mon Dec 27 10:15:07 2010

WARNING: inbound connection timed out (ORA-3136)

Mon Dec 27 10:18:05 2010

WARNING: inbound connection timed out (ORA-3136)

另外在sqlnet.log中發現如下錯誤：

***********************************************************************

Fatal NI connect error 12170.

 

  VERSION INFORMATION:

        TNS for Linux: Version 10.2.0.4.0 - Production

        Oracle Bequeath NT Protocol Adapter for Linux: Version 10.2.0.4.0 - Production

        TCP/IP NT Protocol Adapter for Linux: Version 10.2.0.4.0 - Production

  Time: 27-DEC-2010 10:19:58

  Tracing not turned on.

  Tns error struct:

    ns main err code: 12535

    TNS-12535: TNS:operation timed out

    ns secondary err code: 12606

    nt main err code: 0

    nt secondary err code: 0

    nt OS err code: 0

  Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.64.1.179)(PORT=1768))

  Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.64.22.105)(PORT=2783))

這是一個和網絡連接相關的錯誤，在Metalink 465043.1上給出瞭如下的解決方案：

1.set INBOUND_CONNECT_TIMEOUT_<listenername>=0 in listener.ora

2.set SQLNET.INBOUND_CONNECT_TIMEOUT = 0 in sqlnet.ora of server

3.stop and start both listener and database

4.Now try to connect to DB and observe the behavior

    網上有些同志說重啓DB和listener是沒有必要的，只需要reload一下listener就可以了。這次沒有如此操作，下次再出現這個問題可以試一下。

關於SQLNET.INBOUND_CONNECT_TIMEOUT參數，Oracle建議修改該參數，以避免denial-of-service攻擊。

 SQLNET.INBOUND_CONNECT_TIMEOUT

Purpose

Use the SQLNET.INBOUND_CONNECT_TIMEOUT parameter to specify the time, in seconds, for a client to connect with the database server and provide the necessary authentication information.

 

If the client fails to establish a connection and complete authentication in the time specified, then the database server terminates the connection. In addition, the database server logs the IP address of the client and an ORA-12170: TNS:Connect timeout occurred error message to the sqlnet.log file. The client receives either an ORA-12547: TNS:lost contact or an ORA-12637: Packet receive failed error message.

 

Without this parameter, a client connection to the database server can stay open indefinitely without authentication. Connections without authentication can introduce possible denial-of-service attacks, whereby malicious clients attempt to flood database servers with connect requests that consume resources.

 

To protect both the database server and the listener, Oracle Corporation recommends setting this parameter in combination with the INBOUND_CONNECT_TIMEOUT_listener_name parameter in the listener.ora file. When specifying values for these parameters, consider the following recommendations:

 

Set both parameters to an initial low value.

Set the value of the INBOUND_CONNECT_TIMEOUT_listener_name parameter to a lower value than the SQLNET.INBOUND_CONNECT_TIMEOUT parameter.

For example, you can set INBOUND_CONNECT_TIMEOUT_listener_name to 2 seconds and INBOUND_CONNECT_TIMEOUT parameter to 3 seconds. If clients are unable to complete connections within the specified time due to system or network delays that are normal for the particular environment, then increment the time as needed.

 

See Also:

Oracle9i Net Services Administrator's Guide for information about configuring these parameters

 

Default

None

 

Example

SQLNET.INBOUND_CONNECT_TIMEOUT=3