CMAN: ORA-12529: TNS:connect Request Rejected Based On Curre
Published: 2022-01-27
CMAN: ORA-12529: TNS:connect Request Rejected Based On Current Filtering Rules (Doc ID 2001767.1)
In this Document
Symptoms
Cause
Solution
APPLIES TO:
Oracle Net Services - Version 11.2.0.4 to 12.1.0.2 [Release 11.2 to 12.1]
Information in this document applies to any platform.
SYMPTOMS
A CMAN proxy is being used in an environment with a NAT (Network Address Translator).
Remote client connections fail with this message:
C:\Users\admn1715>sqlplus system/xxxxxx@MYORCL
SQL*Plus: Release 11.2.0.4.0 Production on Tue Apr 14 18:26:41 2015
Copyright (c) 1982, 2013, Oracle. All rights reserved.
ERROR:
ORA-12564: TNS:connection refused
Might also return:
TNS-12529: TNS:connect request rejected based on current filtering rules
The CMGW trace shows:
[15-APR-2015 17:56:21:922] nspsend: transport write error
[15-APR-2015 17:56:21:922] nspsend: error exit
[15-APR-2015 17:56:21:922] nscon: error sending NSPTCN packet
[15-APR-2015 17:56:21:922] nserror: entry
[15-APR-2015 17:56:21:922] nserror: nsres: id=3, op=67, ns=12571, ns2=12560; nt[0]=505, nt[1]=110, nt[2]=0; ora[0]=0, ora[1]=0, ora[2]=0
[15-APR-2015 17:56:21:922] nscon: exit (-1)
[15-APR-2015 17:56:21:922] nsdo: nsctxrnk=0
[15-APR-2015 17:56:21:922] nsdo: error exit
[15-APR-2015 17:56:21:922] nsclose: entry
CAUSE
The database server's hostname is not resolvable from the CMAN server.
Tested the following from the CMAN server to the Database server: (FQDN is ok, shortname is not resolvable)
tnsping "(address=(host=DB Hostname here)(port=1521)(protocol=tcp))"
Attempting to contact (address=(host=DB Hostname here)(port=1521)(protocol=tcp))
TNS-12535: TNS:operation timed out
Tnsping issued from CMAN server shows no route to db server using shortname.
Customer reports that FQDN is ok:
This works
tnsping "(address=(host=DB Hostname here.example.com)(port=1521)(protocol=tcp))" <=== Fully qualified name is resolvable at CMAN host.
TNS Ping Utility for Linux: Version 11.2.0.4.0 - Production on 16-APR-2015 19:36:07
Copyright (c) 1997, 2013, Oracle. All rights reserved.
Attempting to contact (address=(host=DB Hostname here.example.com)(port=1521)(protocol=tcp))
OK (0 msec)
Compare this with the earlier shortname result, where the tnsping issued from the CMAN server to the database listener address timed out.
Confirmed that the DB server listener is returning the shortname in the redirect packet:
[15-APR-2015 17:55:18:921] nsc2addr: (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=MYORCL.COM)(SERVER=DEDICATED)(CID=(PROGRAM=C:\oracle_local\instantclient-basic-windows.x64-11.2.0.4.0\instantclient_11_2\sqlplus.exe)(HOST=client host)(USER=admin))(INSTANCE_NAME=MYORCL))(address= (host=DB Hostname here) (port=1521)(protocol=tcp))(SOURCE_ROUTE=YES)(HOP_COUNT=1))
[15-APR-2015 17:55:18:921] nttbnd2addr: entry
Note this portion:
(address=(host=DB Hostname here)(port=1521)(protocol=tcp))(SOURCE_ROUTE=YES)(HOP_COUNT=1))
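The manual check above (read the nsc2addr line, pick out the address host, test it from the CMAN server) can be scripted. The following is an added example, not part of the Oracle note: it parses the redirect descriptor so that the listener's address HOST is not confused with the client's CID HOST, then classifies the name as resolved from the machine it runs on. The function names and the sample hostnames dbhost01 and client01 are assumptions made for illustration.

```python
import re
import socket
import sys

# Constructed sample in the CMGW trace format shown above; dbhost01/client01 are made-up names.
SAMPLE_TRACE = r"""[15-APR-2015 17:55:18:921] nsc2addr: (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=MYORCL.COM)(SERVER=DEDICATED)(CID=(PROGRAM=C:\instantclient_11_2\sqlplus.exe)(HOST=client01)(USER=admin))(INSTANCE_NAME=MYORCL))(address= (host=dbhost01) (port=1521)(protocol=tcp))(SOURCE_ROUTE=YES)(HOP_COUNT=1))
[15-APR-2015 17:55:18:921] nttbnd2addr: entry"""

def address_hosts(descriptor):
    """Return HOST values that sit directly under an ADDRESS node (not CID's HOST)."""
    hosts, stack, i = [], [], 0
    while i < len(descriptor):
        ch = descriptor[i]
        if ch == "(":
            eq = descriptor.find("=", i)
            if eq < 0:
                break                      # malformed tail: stop parsing
            stack.append(descriptor[i + 1:eq].strip().upper())
            # A leaf value is everything up to the next parenthesis.
            m = re.match(r"[^()]*", descriptor[eq + 1:])
            value = m.group().strip()
            if value and stack[-2:] == ["ADDRESS", "HOST"]:
                hosts.append(value)
            i = eq + 1 + m.end()
        else:
            if ch == ")" and stack:
                stack.pop()                # leaving the current node
            i += 1
    return hosts

def redirect_hosts(trace_text):
    """Collect address hosts from every nsc2addr line of a CMGW trace, in order, de-duplicated."""
    found = []
    for line in trace_text.splitlines():
        _, sep, desc = line.partition("nsc2addr:")
        if sep:
            found.extend(address_hosts(desc))
    return list(dict.fromkeys(found))

def check_host(host, resolve=socket.gethostbyname):
    """Classify a redirect host as seen from this machine (run it on the CMAN server)."""
    try:
        resolve(host)
    except OSError:                        # socket.gaierror is a subclass of OSError
        return "unresolvable from this host"
    return "ok" if "." in host else "short name, resolves here"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for h in redirect_hosts(text):
        print(h, "->", check_host(h))
```

Pass the path of a CMGW trace file as the first argument to check a real trace; with no argument the constructed sample is used.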
SOLUTION
Change the LOCAL_LISTENER setting so that the HOST field is populated with the FQDN.
Log in to the instance and issue the following:
alter system set LOCAL_LISTENER="(address=(host=hostname.example.com)(port=1521)(protocol=tcp))" scope=both sid='MYORCL';
Once this is done, issue the CMCTL show services again and confirm that the FQDN is showing up here:
Service "MYORCL.COM" has 1 instance(s).
Instance "MYORCL", status READY, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0 state:ready
REMOTE SERVER
(address=(host=hostname.example.com)(port=1521)(protocol=tcp)) <===Now we see FQDN in CMCTL services output.