Listener related questions:
1. Can we manually force a particular SCAN IP (out of the three) to relocate to a particular host (let's say node 5 of a 5 node RAC)?
Yes. The SCAN listener is relocated by its ordinal number and target node:
srvctl relocate scan_listener -i 1 -n node1
For the SCAN VIP itself the corresponding command is srvctl relocate scan, whose usage is:
$ srvctl relocate scan -h
Usage: srvctl relocate scan -i <ordinal_number> [-n <node_name>]
-i <scan_ordinal_number> Ordinal number of IP address
-n <node_name> SCAN VIP node name
-h Print usage
2. Does SCAN actually perform connection load balancing?
Yes, it does. The LREG process of each instance registers the database services with the local listener and with all the SCAN listeners (the SCAN listeners are normally named by the REMOTE_LISTENER parameter). When a connection request is routed to a particular SCAN listener, that listener does a quick calculation to find the least loaded node and then sends the address of the local listener on that node back to the client, which establishes the connection there. That is how the SCAN listeners perform load balancing.
For clients connecting using SCAN, three IP addresses will be received by the client by resolving the SCAN name through DNS as discussed. The client will then go through the list it receives from the DNS and try connecting through one of the IPs received. If the client receives an error, it will try the other addresses before returning an error to the user or application. This is similar to how client connection failover works in previous releases when an address list is provided in the client connection string.
When a SCAN listener receives a connection request, it checks for the least loaded instance providing the requested service. It then redirects the connection request to the local listener on the node where the least loaded instance is running, so the client is given the address of that local listener. The local listener finally creates the connection to the database instance.
3. Is having an odd number of SCAN listeners a recommended practice?
No, it's not a recommended practice. The only thing Oracle recommends is that the SCAN resolves to three VIP addresses, to provide high availability and scalability. If the SCAN resolves to three addresses, then three SCAN VIPs and three SCAN listeners are created. Each SCAN listener depends on its corresponding SCAN VIP and cannot start until that SCAN VIP is available on a node.
Normally 3 SCANs are capable enough to handle hundreds of new connections within a few seconds.
Still, if you feel that the default 3 SCAN listeners are not enough for your environment, you have the option to add a few more SCAN listeners.
A GNS based dynamic IP scheme still has no way to change the number of SCAN listeners in your environment.
4. What is a listener and why do we use it?
A listener is a process that resides on the server whose responsibility is to listen for incoming client connection requests and manage the traffic to the server. Every time a client requests a network session with a server, the listener receives the actual request. If the client information matches the listener information, the listener grants a connection to the server.
5. Difference between local listener and remote listener?
LOCAL_LISTENER on each node should point to the listener on that node. REMOTE_LISTENER should point to all listeners on all nodes if you want server side load balancing; otherwise don't set REMOTE_LISTENER.
The purpose of REMOTE_LISTENER is to connect all instances with all listeners so the instances can propagate their load balance advisories to all listeners. If you connect to a listener, this listener uses the advisories to decide who should service your connection. If the listener decides its local instance(s) are least loaded and should service your connection, it passes your connection to the local instance. If the node you connected to is overloaded, the listener can use a TNS redirect to send your connection to a less loaded instance.
6. Difference between static and dynamic listeners
7. What is listener poisoning?
Ans: The TNS Poison attack was first described in 2015 as a type of man-in-the-middle attack. Legitimate user sessions are hijacked and routed to an attacker's server.
Note: If you set dynamic_registration_listener=
Posts on the Internet note that the TNS poison attack will be fixed in Oracle 12c, but there are several workarounds for this alleged vulnerability.
These notes describe the TNS poison attack and the current workarounds:
Switch off dynamic registration:
switch off dynamic registration by setting dynamic_registration_LISTENER_
Using Class of Secure Transport on single instance databases
Oracle recommends setting Class of Secure Transport (COST) to restrict instance registration to the local system. This parameter is available since Oracle 10.2.0.3 and can be implemented according to MOS Note 1453883.1.
Using Class of Secure Transport in Oracle RAC
For RAC the use of COST is a bit more complex and requires configuring SSL/TCPS. This too is only possible for Oracle 10.2.0.3 and newer. It can be implemented according to MOS Note 1340831.1.
Limit Network Access
Start using valid node checking to limit access to the listener to certain IP addresses. The parameters go in the sqlnet.ora used by the listener (the parameter name is TCP.INVITED_NODES, plural):
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (<comma separated list of all valid client hosts or IP addresses>)
Limit Network Access on the network
As an alternative, limit network access to certain listeners on the network layer, e.g. network segmentation, firewalls, etc.
8. How to secure the listener file with a password?
9. How to set up listeners if a firewall is enabled?
10. Does each node have its own listener on its VIP, plus the 3 SCAN listeners?
No, each node has its own local listener and there are three SCAN listeners in total. The three SCAN listeners may reside on any node. In a two node RAC cluster, one node may host one SCAN listener while the other node hosts the other two; in a four node RAC cluster (say), the SCAN listeners may be bunched on two nodes while the other two nodes host no SCAN listener at all.
11. How does the SCAN listener decide which node is less loaded, and where does it get the load information from?
The Listener Registration process (LREG) provides information such as the service names, instance names and workload information to the listeners. This feature is called service registration. That is how workload related information reaches the SCAN listener.
12. Is it a prerequisite to disable the firewall for listeners to work?
13. Can dynamic registration lead to a security risk?
14. Should the listener run on the default port 1521 or on a non default port? Which one is the best practice?
15. How to find out how many connections a listener refused vs how many it serviced?
16. MTS on a standalone database
17. What happens if the listener log file grows?
18. Why does PMON start first when bringing up a database?
19. How many SCAN IPs are needed for an 8 node RAC?
20. What is RATE_LIMIT?
The connection rate limiter feature of the Oracle Net Listener limits the number of new connections handled by the listener.
When this feature is enabled, the Oracle Net Listener imposes a user-specified maximum on the number of new connections it handles every second.
21. In which circumstances is RATE_LIMIT implemented, and what are the pros and cons?
We can set RATE_LIMIT to:
a) Prevent denial-of-service attacks by limiting the number of incoming connections.
b) Prevent the database being flooded by new requests, whether from a malicious attack, bugs or bad coding practices, or "logon storms".
The cons are slower connect times and slightly higher tnsping response times.
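As an added example (constructed for these notes, not from the original page or from Oracle's documentation set), a listener.ora fragment showing the two ways the rate limiter is configured: a listener-wide CONNECTION_RATE_<listener_name> value that applies to every endpoint marked RATE_LIMIT=yes, and a per-endpoint numeric RATE_LIMIT used when no listener-wide value is set. Host names, ports and listener names are placeholders.

```text
# listener.ora (constructed example, not from the original page)

# Form 1: listener-wide limit. At most 10 new connections per second
# are accepted across all endpoints that carry RATE_LIMIT=yes.
# The endpoint without RATE_LIMIT (port 1526) stays unlimited, e.g.
# for an administrative endpoint that must never be throttled.
CONNECTION_RATE_LISTENER=10
LISTENER=
  (ADDRESS_LIST=
    (ADDRESS=(PROTOCOL=tcp)(HOST=db-server.example.com)(PORT=1521)(RATE_LIMIT=yes))
    (ADDRESS=(PROTOCOL=tcp)(HOST=db-server.example.com)(PORT=1522)(RATE_LIMIT=yes))
    (ADDRESS=(PROTOCOL=tcp)(HOST=db-server.example.com)(PORT=1526))
  )

# Form 2: per-endpoint limits, used when CONNECTION_RATE_<listener_name>
# is NOT set for this listener. Each endpoint gets its own
# connections-per-second ceiling.
LISTENER2=
  (ADDRESS_LIST=
    (ADDRESS=(PROTOCOL=tcp)(HOST=db-server.example.com)(PORT=1531)(RATE_LIMIT=8))
    (ADDRESS=(PROTOCOL=tcp)(HOST=db-server.example.com)(PORT=1532)(RATE_LIMIT=4))
  )
```

Connections arriving above the limit are delayed rather than refused, which is the slower connect time the notes list as a con; reload the listener (lsnrctl reload) after editing the file.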
22. What is the benefit of the LREG process?
The listener registration process (LREG) registers information about the database instance and dispatcher processes with the Oracle Net Listener.
When an instance starts, LREG polls the listener to determine whether it is running. If the listener is running, then LREG passes it relevant parameters. If it is not running, then LREG periodically attempts to contact it.