Re: [fw-wiz] Cisco ASA firewall: SQLnet inspection: buffer limit


Try disabling the inspection.

policy-map global_policy
 class inspection_default
  no inspect sqlnet

Your policy-map name and class name may be different.

On Thu, Jan 15, 2009 at 5:27 AM, Haim [Howard] Roman <roman@xxxxxxxxx> wrote:

Some friends have a Cisco ASA firewall, firmware version 8.0.4. Behind the
firewall is an Oracle database.

This firewall has an SQLnet inspection feature. However, the packet
reassembly buffer has a limit of 8 kbytes. Many of the SQL queries are
bigger than this, and they get blocked. Is there a way to increase this?
(not sure how big they need). In the meantime, they have to disable this


Haim (Howard) Roman
Computer Center, Jerusalem College of Technology

firewall-wizards mailing list
