Tuesday, April 12, 2016

Troubleshooting Guide ORA-3136: WARNING Inbound Connection Timed Out

Troubleshooting Guide ORA-3136: WARNING Inbound Connection Timed Out

Troubleshooting guide for "ORA-3136  WARNING inbound connection timed out" seen in the alert log.

Troubleshooting Tips:

The "WARNING: inbound connection timed out (ORA-3136)" in the alert log indicates that the client was not able to complete  the  authentication process within the period of time specified by the parameter SQLNET.INBOUND_CONNECT_TIMEOUT.

You might also see the errors ORA-12170 or TNS-12535 in the sqlnet.log that is generated on the server.
Check $ORACLE_HOME/network/log for this file.  This entry should contain client address from which the timeout originated and may be helpful in determining how to troubleshoot the issue.  Some applications or JDBC thin driver applications may not have these details.  The sqlnet.log file is not generated  by default in 11g and newer.

From 10.2.0.1 onwards the default setting for the parameter SQLNET.INBOUND_CONNECT_TIMEOUT is 60 seconds.  If the client is not able to authenticate within 60 seconds, the warning would appear in the alert log and the client connection will be terminated.

Note: This timeout restriction was introduced to combat Denial of Service (DoS) attack whereby malicious clients attempt to flood database servers with connect requests that consumes resources.

The following are the most likely reasons for this error -

-Server gets a connection request from a malicious client which is not supposed to connect to the database.  In this case the error thrown would be the expected and desirable behavior. You can get the client address for which the error was thrown in the sqlnet.log file that is local to the database.

-The server receives a valid client connection request but the client takes a long time to authenticate more than the default 60 seconds.

-The DB server is heavily loaded due to which it cannot finish the client logon within the timeout specified.

To understand what is causing this issue, following checks can be done:

The default value of 60 seconds is good enough in most conditions for the database server to authenticate a client connection. If it is taking longer, then it's worth checking the following items before implementing the workaround:

1.Check whether local connection on the database server is successful & quick.
2.If local connections are quick ,then check for underlying network delay with the help of your network administrator.
3.Check whether your Database performance has degraded in anyway.
4.Check alert log for any critical errors for eg, ORA-600 or ORA-7445 and get them  resolved first.
These critical errors might have triggered the slowness of the database server.

It is often necessary to increase the values for INBOUND CONNECT TIMEOUT at  both the listener and the database in order to resolve this issue.    It is usually advisable to set the database (sqlnet.ora) value slightly higher than the listener (listener.ora).    The authentication process is more demanding for the database than the listener.


To set these parameters to use values higher than the default of 60 seconds, follow these instructions and restart the listener.There is no need to restart Oracle:

Edit the server side sqlnet.ora file and add this parameter:

SQLNET.INBOUND_CONNECT_TIMEOUT=<n>  Where <n> is the value in seconds.

E.g.:

SQLNET.INBOUND_CONNECT_TIMEOUT = 120

Edit the listener.ora file and add this parameter:

INBOUND_CONNECT_TIMEOUT_<listenername> = <n>  Again, where <n> is the timeout value in seconds.

For example if the listener name is LISTENER then use:

INBOUND_CONNECT_TIMEOUT_LISTENER = 110

From Oracle version 10.2.0.1 onwards the default value of INBOUND_CONNECT_TIMEOUT_<listenername> is 60 seconds. For previous releases it is zero or OFF by default.

How to check whether inbound timeout is active for the listener and database server:

For example,  INBOUND_CONNECT_TIMEOUT_<listener_name> =110

You can check whether the parameter is active or not by simply doing telnet to the listener port.
$ telnet <database server IP> <listener port>
for eg.

$ telnet 123.23.23.23 1521

The telnet session should disconnect after 110 seconds which indicates that the inbound connection timeout for the listener is active.

Alternatively, check at the LSNRCTL prompt using:

LSNRCTL>set current_listener <listener_name>
LSNRCTL>show inbound_connect_timeout

To check whether database server SQLNET.INBOUND_CONNECT_TIMEOUT is active:
Eg.

SQLNET.INBOUND_CONNECT_TIMEOUT=120

a. For Dedicated server setup, enable the support level sqlnet server tracing will show the timeout value as below:

niotns: Enabling CTO, value=120000 (milliseconds) <== 120 seconds
niotns: Not enabling dead connection detection.
niotns: listener bequeathed shadow coming to life...

b. For shared Server setup,
$ telnet <database server IP> <dispatcher port>
Example.

$ telnet 123.23.23.23  51658

The telnet session should disconnect after 120 seconds which indicates that the sqlnet.inbound_connect_timeout is active.

Reference metalink Doc ID 465043.1

3 comments:

  1. This comment has been removed by the author.

    ReplyDelete
  2. Nada melhor do que identificar a causa raiz!
    Apos alterar os parametros de TIMEOUT já descrito, e ver que o erro persistia,
    realizado a ativação do log com mais detalhe para identificar o IP da maquina que está gerando o problema, incluindo os parametros abaixo no SQLNet.ora e reiniciando o listener.
    LOG_DIRECTORY_CLIENT = "/ora/diag/rdbms/ora11gh/ORA11GH/trace"
    LOG_FILE_CLIENT = "sqlnet.log"
    E alterar o parametro DIAG_ADR_ENABLED=ON
    No alert do trace foi coletado o IP da maquina e pelo CMD com o comando abaixo, identificamos o nome da maquina para falar com o responsavel.
    ping -a 192.168.X.Y

    ReplyDelete
  3. Dont copy & paste Oracle document.

    ReplyDelete