Author Firewall configuration for ISQL
Jerry Norton

2005-04-07, 8:02 pm

I have moved my database (8.0.2 (3601)) behind a firewall. I
can no longer access it with ISql, even though I opened the
port 2368 for both UDP and TCP.
It is a Cisco PIX firewall. I can get all other services
through. Any ideas how the connection is established? The
internal side is allowed to establish any connection it
wants. The firewall does not show that it is blocking the
packets. If I stop port 2368, I do see the packets stopped,
so I think I have the right initial port anyway. Does it
need a secondary one? Is an internal IP address sent back in
the connection ack? (It is static NAT'd so it would be
different than the external address.)

TIA
Jerry
Greg Fenton

2005-04-07, 8:02 pm

Jerry Norton wrote:
> I have moved my database (8.0.2 (3601)) behind a firewall. I
> can no longer access it with ISql, even though I opened the
> port 2368 for both UDP and TCP.


If your client is attempting to find the database engine using a
broadcast (the default), then because you have moved it "behind the
firewall" I suspect the broadcasts are failing to cross into the new
subdomain the database is on.

Can you post the connection string you are using with DBISQL?

You might also try this:

dbping -d -c "uid=DBA;pwd=SQL;links=tcpip(host=YOUR_HOST_MACHINE;dobroadcast=none)"

[replace all the upper-case parameters with your specific values].

If that string fails, then try appending ";log=C:\SOME_LOG_FILE" and
post the contents of the file C:\SOME_LOG_FILE.

Hope this helps,
greg.fenton
--
Greg Fenton
Consultant, Solution Services, iAnywhere Solutions
--------
Visit the iAnywhere Solutions Developer Community
Whitepapers, TechDocs, Downloads
http://www.ianywhere.com/developer/
Jerry Norton

2005-04-09, 8:24 pm

I use an ODBC DSN on Windows. On the tcp/ip line I have
added the dobroadcast=none right after the IP address (with
a ;)
I tried the ping, get nothing back...just 'cannot find the
server'
there is no output to the file. (names changed to protect
the innocent)

C:\Documents and Settings\admin>dbping -d -c "uid=dba;pwd=sql;links=tcpip(host=xx.yy.zz.aa;dobroadcast=none);eng=billing"
Adaptive Server Anywhere Server Ping Utility Version 8.0.1.3023
Ping database failed -- Database server not found.



Greg Fenton

2005-04-09, 8:24 pm

Jerry Norton wrote:
> I tried the ping, get nothing back...just 'cannot find the
> server'
> there is no output to the file. (names changed to protect
> the innocent)
>


As my previous post said, you must add ";log=C:\SOME_LOG_FILE" to your
connection string. This works with most (all?) ASA client libraries.

greg.fenton
--
Greg Fenton
Consultant, Solution Services, iAnywhere Solutions
--------
Visit the iAnywhere Solutions Developer Community
Whitepapers, TechDocs, Downloads
http://www.ianywhere.com/developer/
Jerry Norton

2005-04-11, 8:24 pm

Hi,
I did try adding ;log=c:\dbping.txt as the last item in
the connection parameters ... within the double quotes. It
produced no output. I saw the -o option in the dbping help
section, so I tried that and did get a file created, but
same output as to console (obviously).
I am going to keep at it, this is very important. If you can
think of anything else to try, let me know.

Jerry


Jerry Norton

2005-04-11, 8:24 pm

Actually, I now ran it with -z and found it wanted a name
for db to proceed to tcpip link, so I added it and got:

C:\Documents and Settings\Jerry>dbping -d -z -c "uid=dba;pwd=sql;eng=billing;links=tcpip(host=<ipaddressremoved>;dobroadcast=none);log=c:\somelog.txt"
Adaptive Server Anywhere Server Ping Utility Version 8.0.0.2213
Application information:
"HOST=JERRY_IBM;OS=Windows XP (Service Pack 2);PID=0x13650;THREAD=0x13654;EXE=C:\Program Files\Sybase\SQL Anywhere 8\win32\dbping.exe;VERSION=8.0.0.2213;API=DBLIB;TIMEZONEADJUSTMENT=-240"
Attempting to connect using:
UID=dba;PWD=***;ENG=billing;DBG=YES;LOG=c:\somelog.txt;LINKS=tcpip(host=<ipaddressremoved>;dobroadcast=none)
Attempting to connect to a running server...
Trying to start TCPIP link ...
Loading wsock32.dll
Loading ws2_32.dll
TCP using Winsock version 2.0
My IP address is 192.168.1.35
My IP address is 127.0.0.1
TCPIP link started successfully
Attempting TCPIP connection (no asasrv.ini cached address)
Looking for server with name billing
Trying to find server at address ,removed again>
TCP/IP link, function connect(), error code 10060
Failed to connect over TCPIP
Not attempting to autostart server
Cannot connect to server
Ping database failed -- Database server not found.

I would think the NAT address of my machine is ok, since it
worked before I installed the firewall.
Jerry




Ian McHardy

2005-04-15, 11:23 am

The error 10060 is WSAETIMEDOUT (a WinSock error)
"A connection attempt failed because the connected party did not properly
respond after a period of time, or established connection failed because
connected host has failed to respond."

I got the same error with
dbping -c "eng=foo;links=tcpip(host=10.25.107.254;dobroad=none)" -z
where 10.25.107.254 was an unused address on my subnet.

So I'd recommend double checking the host address in the connection string,
then double checking the configuration of your firewall. With these
connection parameters, no UDP is involved, and ASA is just attempting to
establish a TCP/IP connection to hostname:2638. You may need to use the
clientport connection parameter. Failing that, you may want to use a packet
sniffer (we sometimes use ethereal from www.ethereal.com, which is free
software) on the server machine and see if the TCP/IP connect request is
getting there from the client.

--

Ian McHardy (iAnywhere Solutions)

Please reply only to the newsgroup.

Whitepapers, TechDocs, bug fixes are all available through the iAnywhere
Developer Community at http://www.ianywhere.com/developer
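
Added example (not part of the original thread or of any iAnywhere tool): a Python probe that makes the same single TCP connect the reply above describes and separates a silent timeout (Winsock 10060) from an active refusal (Winsock 10061). The names probe and MEANING and the 3-second timeout are assumptions made for illustration.

```python
import errno
import socket
import sys

# Winsock codes as they appear in "dbping -z" output.
WSAETIMEDOUT, WSAECONNREFUSED = 10060, 10061
DEFAULT_PORT = 2638  # the TCP port named in the reply above

# What each outcome says about the path between client and server.
MEANING = {
    "open": "TCP handshake completed; path and port are fine, check eng= next",
    "refused": "host answered with a reset (10061); path works, nothing listens on that port",
    "timeout": "no answer at all (10060); packets dropped by a filter, a wrong NAT "
               "mapping, or an address nobody is using",
}

def probe(host, port=DEFAULT_PORT, timeout=3.0):
    """Attempt one TCP connect; return 'open', 'refused', 'timeout' or 'error:<name>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        # Fallback for platforms that surface the raw Winsock number.
        if e.errno in (errno.ETIMEDOUT, WSAETIMEDOUT):
            return "timeout"
        if e.errno == WSAECONNREFUSED:
            return "refused"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()

if __name__ == "__main__" and len(sys.argv) > 1:
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    result = probe(sys.argv[1], target_port)
    print(result, "-", MEANING.get(result, "unexpected socket error"))
```

Run it from the client with the server's external address, then again from a machine on the server's side of the firewall; a timeout outside and an open result inside points at the firewall rule or NAT mapping rather than at the database server.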
Jerry CTPH

2005-04-18, 1:23 pm

Thanks, ended up being error on the firewall, sorry.

