The alert log on the Oracle server in the test environment keeps reporting the following error:
TNS-12535: TNS:operation timed out
ns secondary err code: 12606
nt main err code: 0
nt secondary err code: 0
nt OS err code: 0
Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=testoracle)(PORT=55750))
WARNING: inbound connection timed out (ORA-3136)
Looking up the Oracle error message gives the following:
[oracle@~]$ oerr ora 3136
03136, 00000, "inbound connection timed out"
// *Cause: Inbound connection was timed out by the server because
// user authentication was not completed within the given time
// specified by SQLNET.INBOUND_CONNECT_TIMEOUT or its default value
// *Action: 1) Check SQL*NET and RDBMS log for trace of suspicious connections.
// 2) Configure SQL*NET with a proper inbound connect timeout value
// if necessary.
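The SQLNET.INBOUND_CONNECT_TIMEOUT parameter is the time allowed for a client to complete authentication when connecting to the database service, i.e. the time a user has to connect to the database.
Since version 10.2.0.1, the default setting of SQLNET.INBOUND_CONNECT_TIMEOUT is 60 seconds. If the client fails to complete authentication within 60 seconds, a warning appears in the alert log and the client connection is terminated.
This timeout exists mainly to block DoS (Denial of Service) attacks, preventing a flood of malicious client requests from reaching the database server and consuming its resources.
When a client does not successfully connect to the server within the time specified by INBOUND_CONNECT_TIMEOUT, the server's sqlnet.log records the client's IP and the error ORA-12170: TNS:Connect timeout occurred. At the same time, the client receives ORA-12547: TNS:lost contact or ORA-12637: Packet receive failed.
There are three possible causes of this error:
(1) Server gets a connection request from a malicious client which is not supposed to connect to the database, in which case the error thrown is the correct behavior. You can get the client address for which the error was thrown via sqlnet logfile.
-- A malicious attack; the client's address information can be found in sqlnet.log.
(2) The server receives a valid client connection request but the client takes a long time to authenticate, more than the default 60 seconds.
-- The server accepted the client's request normally, but the client took longer than the default 60 seconds to authenticate.
(3) The DB server is heavily loaded due to which it cannot finish the client logon within the timeout specified.
-- The DB server is under heavy load, which can also cause the connection to time out.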
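Added example (not part of the original post): one way to follow the advice above and check the log for suspicious connections is to tally ORA-3136 warnings per client host. It assumes entries are laid out like the alert log excerpt at the top of this page; the function names, sample log and 192.0.2.x addresses are constructed for illustration.

```python
import re
from collections import Counter

ADDR_RE = re.compile(
    r"Client address:\s*\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=([^)]+)\)\(PORT=(\d+)\)\)")
WARN_RE = re.compile(r"inbound connection timed out \(ORA-0?3136\)")

def parse_timeouts(text):
    """Yield (host, port) for every ORA-3136 warning in an alert log.

    Each warning is paired with the Client address line of the TNS-12535
    block directly above it; a warning without one yields ("unknown", 0).
    """
    addr = None
    for line in text.splitlines():
        m = ADDR_RE.search(line)
        if m:
            addr = (m.group(1), int(m.group(2)))
        elif line.lstrip().startswith("TNS-12535"):
            addr = None          # new error block: drop any stale address
        elif WARN_RE.search(line):
            yield addr or ("unknown", 0)
            addr = None

def hosts_over_threshold(text, threshold):
    """Return {host: count} for hosts with at least `threshold` timeouts."""
    counts = Counter(host for host, _ in parse_timeouts(text))
    return {h: n for h, n in counts.items() if n >= threshold}

def _block(host, port):
    # Constructed entry in the layout of the alert log excerpt on this page.
    return ("TNS-12535: TNS:operation timed out\n"
            "ns secondary err code: 12606\n"
            f"Client address: (ADDRESS=(PROTOCOL=tcp)(HOST={host})(PORT={port}))\n"
            "WARNING: inbound connection timed out (ORA-3136)\n")

# Constructed sample: three timeouts from one host, one from another,
# and one warning that has no Client address line.
SAMPLE_LOG = (_block("192.0.2.10", 40001) + _block("testoracle", 55750)
              + _block("192.0.2.10", 40002) + _block("192.0.2.10", 40003)
              + "WARNING: inbound connection timed out (ORA-3136)\n")

if __name__ == "__main__":
    for host, n in sorted(hosts_over_threshold(SAMPLE_LOG, 3).items()):
        print(f"{host}: {n} inbound connection timeouts")
```

Timeouts concentrated on one host point toward cause (1) or (2) for that client, while timeouts spread across many hosts fit cause (3) better.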
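Solutions:
1 Increase the connection timeout
In general 60 s is enough. If ORA-3136 is still reported with 60 seconds, Oracle's solution is to increase this time and allow more time to connect. This is also the change Oracle recommends.
(1) Edit sqlnet.ora: increase the timeout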
SQLNET.INBOUND_CONNECT_TIMEOUT= 180
(2) Edit listener.ora
Add the parameter; appending it to the end of listener.ora is sufficient
INBOUND_CONNECT_TIMEOUT_<listenername> = 170
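Note: the value of the inbound_connect_timeout_listener_name parameter must be less than the value of sqlnet.inbound_connect_timeout.
(3) Restart the listener
With these settings, if clients fail to connect to the DB within the specified time because of system or network issues, Oracle will increase the connection time as needed.
2 Disable the timeout
Where security permits, set the following parameters to 0 to disable the connection timeout:
(1) Edit listener.ora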
INBOUND_CONNECT_TIMEOUT_<listenername>=0
(2) Edit sqlnet.ora
SQLNET.INBOUND_CONNECT_TIMEOUT=0
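(3) Restart the listener
The two parameters above are explained as follows:
The sqlnet.ora parameter SQLNET.INBOUND_CONNECT_TIMEOUT is the time to wait for user authentication before timing out, in seconds; the default is 60 seconds. If user authentication times out, the server log alert.log shows the error "WARNING: inbound connection timed out (ORA-3136)" and sqlnet.log shows the error TNS-12535: TNS:operation timed out.
The listener.ora parameter inbound_connect_timeout_<listener_name> is the time to wait for the user's connection request before timing out, in seconds; the default is 60 seconds. If the connection request times out, the listener log listener.log shows the error "TNS-12525: TNS:listener has not received client's request in time allowed".
Checking the inbound_connect_timeout value
1. To check the SQLNET.INBOUND_CONNECT_TIMEOUT setting, go to $ORACLE_HOME/network/admin and look at the sqlnet.ora parameter file.
2. To check the listener's INBOUND_CONNECT_TIMEOUT parameter, you can look at the listener.ora parameter file. Sometimes, however, for example with the defaults, the parameter is not set in the file, or a dynamically registered listener has no listener.ora configured; in that case use the lsnrctl command, as shown below: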
LSNRCTL> show
The following operations are available after show
An asterisk (*) denotes a modifier or extended command:
rawmode displaymode
rules trc_file
trc_directory trc_level
log_file log_directory
log_status current_listener
inbound_connect_timeout startup_waittime
snmp_visible save_config_on_stop
dynamic_registration enable_global_dynamic_endpoint
oracle_home pid
connection_rate_limit valid_node_checking_registration
registration_invited_nodes registration_excluded_nodes
LSNRCTL> show inbound_connect_timeout
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=testoracle)(PORT=1521)))
LISTENER parameter "inbound_connect_timeout" set to 300
The command completed successfully
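Set the parameter inbound_connect_timeout_<listener_name> to simulate TNS-12525: TNS:listener has not received client's request in time allowed
In the listener.ora parameter file, set inbound_connect_timeout_<listener_name>=20
Use telnet to simulate a user connection request timing out, as shown below; once 20 seconds have passed, the connection is closed automatically.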
[root@ ~]# time telnet 192.10.1.2 1521
Trying 192.10.1.2...
Connected to 192.10.1.2.
Escape character is '^]'.
Connection closed by foreign host.
real 0m20.026s
user 0m0.002s
sys 0m0.000s
At this point you can see the TNS-12525 error in listener.log, as shown below:
TNS-12525: TNS:listener has not received client's request in time allowed
TNS-12535: TNS:operation timed out
TNS-12606: TNS: Application timeout occurred