The alert log on an Oracle server in the test environment kept reporting the following error:
TNS-12535: TNS:operation timed out
ns secondary err code: 12606
nt main err code: 0
nt secondary err code: 0
nt OS err code: 0
Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=testoracle)(PORT=55750))
WARNING: inbound connection timed out (ORA-3136)
The Oracle description of the error is as follows:
[oracle@~]$ oerr ora 3136
03136, 00000, "inbound connection timed out"
// *Cause: Inbound connection was timed out by the server because
// user authentication was not completed within the given time
// specified by SQLNET.INBOUND_CONNECT_TIMEOUT or its default value
// *Action: 1) Check SQL*NET and RDBMS log for trace of suspicious connections.
// 2) Configure SQL*NET with a proper inbound connect timeout value
// if necessary.
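The SQLNET.INBOUND_CONNECT_TIMEOUT parameter is the time allowed for a client connecting to the database service to authenticate, that is, the time a user has to complete the connection to the database.
Since version 10.2.0.1, the default setting of SQLNET.INBOUND_CONNECT_TIMEOUT is 60 seconds. If the client does not complete authentication within 60 seconds, a warning appears in the alert log and the client connection is terminated.
This timeout exists mainly to block DoS (Denial of Service) attacks: it prevents large numbers of malicious client requests from flooding the database server and consuming its resources.
When a client fails to connect to the server within the time specified by INBOUND_CONNECT_TIMEOUT, the server's sqlnet.log records the client's IP address and the error ORA-12170: TNS:Connect timeout occurred. At the same time, the client receives ORA-12547: TNS:lost contact or ORA-12637: Packet receive failed.
There are three possible causes of this error:
(1) Server gets a connection request from a malicious client which is not supposed to connect to the database, in which case the error thrown is the correct behavior. You can get the client address for which the error was thrown via sqlnet logfile.
-- A malicious attack; the client's address can be found in sqlnet.log.
(2) The server receives a valid client connection request but the client takes a long time to authenticate, more than the default 60 seconds.
-- The server received the client's request normally, but the client took longer than the default 60 seconds to authenticate.
(3) The DB server is heavily loaded due to which it cannot finish the client logon within the timeout specified.
-- The DB server is heavily loaded, which can also cause connection timeouts.
Solutions:
1 Increase the connect timeout
Normally 60 seconds is enough. If ORA-3136 is still reported with 60 seconds, Oracle's solution is to increase this value and allow more time to connect. This is also the change Oracle recommends.
(1) Edit sqlnet.ora and increase the timeout: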
SQLNET.INBOUND_CONNECT_TIMEOUT= 180
(2) Edit listener.ora
Add the following parameter at the end of listener.ora:
INBOUND_CONNECT_TIMEOUT_<listenername> = 170
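Note: the value of inbound_connect_timeout_listener_name must be less than the value of sqlnet.inbound_connect_timeout.
(3) Restart the listener
With these settings, if clients fail to connect to the DB within the specified time because of system or network problems, Oracle will increase the connection time as needed.
2 Disable the timeout limit
Where security permits, set the following parameters to 0 to disable the connection timeout limit:
(1) Edit listener.ora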
INBOUND_CONNECT_TIMEOUT_<listenername>=0
(2) Edit sqlnet.ora
SQLNET.INBOUND_CONNECT_TIMEOUT=0
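(3) Restart the listener
The two parameters above are explained as follows:
The sqlnet.ora parameter SQLNET.INBOUND_CONNECT_TIMEOUT is the timeout for user authentication, in seconds; the default is 60 seconds. If user authentication times out, the server's alert.log shows the error "WARNING: inbound connection timed out (ORA-3136)" and sqlnet.log shows the error TNS-12535: TNS:operation timed out.
The listener.ora parameter inbound_connect_timeout_<listener_name> is the timeout for receiving the user's connection request, in seconds; the default is 60 seconds. If the connection request times out, the listener log listener.log shows the error "TNS-12525: TNS:listener has not received client's request in time allowed".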
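One way to check the two settings against the rules above (listener value below the sqlnet.ora value, and 0 meaning the limit is switched off) before restarting the listener. This is an added example, not part of the original post: the file contents are constructed samples, the function names and the LSNR2 listener are hypothetical, and it assumes simple NAME = <integer seconds> lines.

```python
import re

DEFAULT = 60  # seconds; the default the page gives for both parameters
PARAM = re.compile(r"^\s*([\w.]+)\s*=\s*(\d+)\s*$")

# Constructed sample files for the demonstration, not from a real server.
SQLNET_ORA = "# sqlnet.ora\nSQLNET.INBOUND_CONNECT_TIMEOUT = 180\n"
LISTENER_OK = "INBOUND_CONNECT_TIMEOUT_LISTENER = 170\n"
LISTENER_BAD = "INBOUND_CONNECT_TIMEOUT_LISTENER = 300\ninbound_connect_timeout_lsnr2=0\n"


def read_params(text):
    """Return {UPPERCASE_NAME: seconds} for simple NAME = <integer> lines."""
    params = {}
    for line in text.splitlines():
        m = PARAM.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            params[m.group(1).upper()] = int(m.group(2))
    return params


def audit(sqlnet_text, listener_text, listeners=("LISTENER",)):
    """Return findings for the two rules stated on the page."""
    findings = []
    sq = read_params(sqlnet_text).get("SQLNET.INBOUND_CONNECT_TIMEOUT")
    if sq == 0:
        findings.append("sqlnet.ora: authentication timeout disabled (0)")
    lsnr = read_params(listener_text)
    for name in listeners:
        ls = lsnr.get("INBOUND_CONNECT_TIMEOUT_" + name.upper())
        if ls == 0:
            findings.append(f"{name}: connect-request timeout disabled (0)")
        elif sq == 0 or (sq is None and ls is None):
            continue  # nothing to compare: sqlnet limit off, or both at default
        elif (ls or DEFAULT) >= (sq or DEFAULT):
            findings.append(f"{name}: listener timeout {ls or DEFAULT}s is not "
                            f"below sqlnet timeout {sq or DEFAULT}s")
    return findings


if __name__ == "__main__":
    for finding in audit(SQLNET_ORA, LISTENER_BAD, ("LISTENER", "LSNR2")):
        print(finding)
```

A value of 0 is reported separately from an ordering problem because it removes the DoS protection the timeout exists to provide.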
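Checking the inbound_connect_timeout value
1. To check the SQLNET.INBOUND_CONNECT_TIMEOUT setting, go to $ORACLE_HOME/network/admin and look at the sqlnet.ora parameter file.
2. To check the listener's INBOUND_CONNECT_TIMEOUT parameter, look at the listener.ora parameter file. Sometimes, however, for example in the default case, the parameter is not set in the file, or a dynamically registered listener has no listener.ora configured. In that case you can use the lsnrctl command, as shown below: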
LSNRCTL> show
The following operations are available after show
An asterisk (*) denotes a modifier or extended command:
rawmode displaymode
rules trc_file
trc_directory trc_level
log_file log_directory
log_status current_listener
inbound_connect_timeout startup_waittime
snmp_visible save_config_on_stop
dynamic_registration enable_global_dynamic_endpoint
oracle_home pid
connection_rate_limit valid_node_checking_registration
registration_invited_nodes registration_excluded_nodes
LSNRCTL> show inbound_connect_timeout
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=testoracle)(PORT=1521)))
LISTENER parameter "inbound_connect_timeout" set to 300
The command completed successfully
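Setting the parameter inbound_connect_timeout_<listener_name> to reproduce TNS-12525: TNS:listener has not received client's request in time allowed
In the listener.ora parameter file, set inbound_connect_timeout_<listener_name>=20
Use telnet to simulate a user connection request timing out, as shown below; once 20 seconds have passed, the connection is closed automatically.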
[root@ ~]# time telnet 192.10.1.2 1521
Trying 192.10.1.2...
Connected to 192.10.1.2.
Escape character is '^]'.
Connection closed by foreign host.
real 0m20.026s
user 0m0.002s
sys 0m0.000s
At this point you can see the TNS-12525 error in listener.log, as shown below:
TNS-12525: TNS:listener has not received client's request in time allowed
TNS-12535: TNS:operation timed out
TNS-12606: TNS: Application timeout occurred