Problem with conntrack idle connection timeout

Problem with conntrack idle connection timeout

[Manuel Marquez]

Greetings to you all,

I have been looking for a solution to a problem one of our clients has
regarding a netfilter firewall and Oracle. I would very much appreciate
any help on this.

We have a linux firewall with 3 network interfaces:
	-Internet interface to connect to the router
	-Inner LAN to hold all the Windows PCs, etc.
	-DMZ

They have connected a Tomcat 5 application server to the DMZ network and
the corresponding Oracle database server into the inner LAN.

The problem is the use a JDBC connection pool and (I think) the linux
firewall drops the pool connections after about 600 seconds of idle
time. They can change the pool to make it reconnect whenever this
happens, but they are planning to set up another interface (backend
network) and move the oracle server there. If they did this, sqlplus and
oracle forms would also get disconnected after this idle period (they
have made tests with the same results on an oracle server connected to
the DMZ). It also happens with SSH connections to the application
(Tomcat 5) server.


We have been testing the
/proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout since we guess
its the conntrack module which closes the connection, but although we
set up a value of more than 600 seconds, connections keep getting closed.

What I would like to know is which netfilter (or linux TCP/IP stack)
timer is expiring and/or if there is a means of maintaining these idle
connections open. We tested the /proc/sys/net/ipv4/tcp_keepalive_time
flag, but it does not work (maybe the firewall is dropping these tcp
packets too).

I have googled long time for an answer, but I only found some people
with similar problems. Some of them suggest the use of "ipchains -M -S",
but since we use netfilter, this does not help.

Thanks in advance for your help

Manuel Marquez Garrido

Re: Problem with conntrack idle connection timeout

[KOVACS Krisztian]

  Hi,

On Friday 04 November 2005 16.19, Manuel Marquez wrote:
> The problem is the use a JDBC connection pool and (I think) the linux
> firewall drops the pool connections after about 600 seconds of idle
> time. They can change the pool to make it reconnect whenever this
> happens, but they are planning to set up another interface (backend
> network) and move the oracle server there. If they did this, sqlplus
> and oracle forms would also get disconnected after this idle period
> (they have made tests with the same results on an oracle server
> connected to the DMZ). It also happens with SSH connections to the
> application (Tomcat 5) server.

  Then there must be some other problem which is not directly related to 
TCP timeout values in Netfilter. If connection tracking is working 
properly, established TCP connections will time out only after five 
days.

  A somewhat more detailed inspection of the firewall ruleset could help 
you identifying the portion of the ruleset where the packets get 
dropped. (A couple of well placed LOG rules can do a wonder.) BTW, you 
did not even mention what version of Linux is running on the firewall.

-- 
 Regards,
  Krisztian Kovacs