Had an interesting problem today involving firewalls and the SCAN listener (Oracle Clusterware 11.2+).
The client was reporting the following error from the application server:
TNS-12502: TNS:listener received no CONNECT_DATA from client
Check the Validity of the TNS String
The obvious place to start was to check the validity of the TNS string. This was correct. I could use sqlplus on that TNS string without any problems from my PC.
Since I could connect directly to the database instance from my PC, the SQL*Net path from the SCAN listeners to the database instance was working fine. This was also borne out by Cloud Control reporting that the database instance was active.
The client tested the connectivity from the application server to each of the IP addresses used by the SCAN listeners by using:
telnet db-scan-vip1 1521
This worked satisfactorily.
Checking the Listener Logs
I had to check the following four (4) logs:
- LISTENER on the host where the database instance was active.
The first three (3) all showed successful connection requests from my PC and the application server.
However, the last one only showed a connection request from my PC. There were no connection requests logged from the application server.
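It turns out that the firewalls were opened up for the link between the application server and the IP addresses used by the SCAN listeners, but NOT for the local listeners on each host of the cluster. A SCAN listener does not serve the session itself: it redirects the client to the local listener on the host running the instance, so the application server also needs a path to those listener addresses.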
My PC had access to all listener addresses.
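The log comparison described above can be scripted. The following is an added example, not part of the original post: it lists clients that appear in a SCAN listener log but in no local listener log. It assumes the plain-text listener.log entry layout; the IP addresses, service name and log lines are constructed samples.

```python
import re

# A connection entry in a text listener.log looks like:
# TIMESTAMP * (CONNECT_DATA=...) * (ADDRESS=(PROTOCOL=tcp)(HOST=ip)(PORT=n)) * establish * service * rc
ENTRY = re.compile(
    r"\*\s*\(ADDRESS=\(PROTOCOL=tcp\)\(HOST=([^)]+)\)\(PORT=\d+\)\)\s*\*\s*establish\s*\*",
    re.IGNORECASE,
)

def clients(log_text):
    """Return the set of client IPs that have an 'establish' entry in one log."""
    return set(ENTRY.findall(log_text))

def redirected_but_never_arrived(scan_logs, local_logs):
    """Clients seen by any SCAN listener but by no local listener.

    Pass the text of every SCAN listener log and of the local listener log
    from every cluster host, since the redirect can go to any of them.
    """
    seen_scan = set().union(*(clients(t) for t in scan_logs))
    seen_local = set().union(*(clients(t) for t in local_logs))
    return sorted(seen_scan - seen_local)

# Constructed sample: 192.0.2.10 stands in for the PC, 192.0.2.20 for the app server.
SCAN_LOG = """\
16-JUL-2014 10:12:33 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=mypc)(USER=dba))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=51234)) * establish * orcl * 0
16-JUL-2014 10:12:40 * service_update * orcl1 * 0
16-JUL-2014 10:13:02 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=app)(HOST=appsrv)(USER=app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.20)(PORT=40112)) * establish * orcl * 0
"""
LOCAL_LOG = """\
16-JUL-2014 10:12:33 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=mypc)(USER=dba))(INSTANCE_NAME=orcl1)) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=51235)) * establish * orcl * 0
16-JUL-2014 10:12:41 * service_update * orcl1 * 0
"""

if __name__ == "__main__":
    for ip in redirected_but_never_arrived([SCAN_LOG], [LOCAL_LOG]):
        print(f"{ip}: reached a SCAN listener but no local listener; check the firewall path")
```

A client reported by this check is a candidate for a missing firewall rule between it and the local listener addresses, which is what the post found for the application server.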