Firewall dropping mirroring requests

  • Question

  • I'm setting up database mirroring for one of our applications in the Amazon cloud to a database that lives in my datacenter using High-performance mode.  I am aware that database mirroring over a WAN is not recommended/supported/suggested but it is what I'm being asked to do and my suggestions are not being entertained.  Both servers are running SQL Server 2008 R2.  I take a backup of the database in the cloud and transfer it to my network.  Then I restore it with the NORECOVERY option.  I've followed the procedure listed at http://msdn.microsoft.com/en-us/library/ms191140.aspx.  The only difference is the port selection.  I'm mirroring on port 5025 because 5022 is already in use (go figure).  When I run

     

    ALTER DATABASE MyDB
        SET PARTNER = 'TCP://MyMirrorHost.Mydomain.com:5025';

     

    on the mirror, the command completes without error.  However, when I run

     

    ALTER DATABASE MyDB
        SET PARTNER = 'TCP://MyPrincipalHost.Mydomain.com:5025';

     

    on the principal, I get this error:

    The server network address "TCP://MyPrincipalHost.Mydomain.com:5025" can not be reached or does not exist. Check the network address name and that the ports for the local and remote endpoints are operational. (Microsoft SQL Server, Error: 1418)

    After troubleshooting, I was able to trace the problem to my Sonicwall Pro 4060.  It is dropping the connections for some reason.  This is the error from the firewall's logs:

    09/15/2011 14:53:16.400 - Notice - Network Access - TCP connection dropped -  xxx.xxx.xxx.xxx (source), 49590, X1 -  xxx.xxx.xxx.xxx (destination), 5025, X1 - 

    The only problem I can see is that the source port is not 5025, which is the port that I've exposed for the listener.  The source port also seems to change every time I issue the SET PARTNER command.  The firewall has dropped connections with source ports of 49590, 49568, 49558, 49537, 49524, 49509, 49502, 49496, 49491, 49479, 49457, etc.  All the source ports seem to be in the 49000 range but I'm not sure just how big a range these requests are able to come from.  Unfortunately, I am not aware of a way to specify that these requests can come from any source port with this particular firewall.  To test my theory that the problem is the constantly changing source port, I opened all TCP ports, 1-65535, in the firewall and mirroring worked perfectly.  I promptly closed those open ports as soon as I verified it was working.  My question now is, can these connection attempts from the principal server come from any port or is there a range that I can expose in the firewall?  Also, is there a way to specify the port from which these connection attempts are made?

     

    Thanks,

     

    Matt




    • Edited by Matt Mulqueen Friday, September 16, 2011 5:01 PM
    • Moved by Tom Phillips Friday, September 16, 2011 7:23 PM Database Mirror question (From:SQL Server Database Engine)
    Friday, September 16, 2011 4:45 PM

Answers

  • I've answered my own question.  I used port 5025 on both of the endpoints which, despite all the examples from Microsoft doing so as well, seems to be a no-no.  I guess you can't listen and transmit using the same port.  Anyway, on the principal, I used port 5025 for the listener and, on the mirror, I used port 5026.  I opened just port 5026 in the firewall and it worked like a charm.
    Friday, September 16, 2011 7:25 PM
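
An added example, not part of the original thread: a short Python script that parses drop entries in the SonicWall format quoted in the question, groups them by destination port, and derives an allow rule that leaves the source port open only when every observed source port is ephemeral. The addresses are constructed documentation addresses, the function names are hypothetical, and 49152-65535 is the default Windows dynamic port range on Server 2008 and later.

```python
import re
from collections import defaultdict

# Default dynamic (client-side) port range on Windows Server 2008 and later.
EPHEMERAL = range(49152, 65536)

# Field layout follows the SonicWall drop entry quoted in the question.
DROP_RE = re.compile(
    r"TCP connection dropped\s*-\s*"
    r"(?P<src>\S+) \(source\), (?P<sport>\d+), \w+\s*-\s*"
    r"(?P<dst>\S+) \(destination\), (?P<dport>\d+), \w+"
)

# Constructed sample log: documentation IPs, source ports as listed in the question.
SAMPLE_LOG = """\
09/15/2011 14:53:16.400 - Notice - Network Access - TCP connection dropped -  198.51.100.10 (source), 49590, X1 -  203.0.113.20 (destination), 5025, X1 -
09/15/2011 14:51:02.112 - Notice - Network Access - TCP connection dropped -  198.51.100.10 (source), 49568, X1 -  203.0.113.20 (destination), 5025, X1 -
09/15/2011 14:49:40.730 - Notice - Network Access - TCP connection dropped -  198.51.100.10 (source), 49558, X1 -  203.0.113.20 (destination), 5025, X1 -
09/15/2011 14:47:11.005 - Notice - Network Access - TCP connection dropped -  198.51.100.10 (source), 49537, X1 -  203.0.113.20 (destination), 5025, X1 -
09/15/2011 14:46:00.000 - Info - Constructed unrelated entry that must be ignored
"""

def summarize_drops(log_text):
    """Map (source, destination, destination port) -> set of source ports seen."""
    flows = defaultdict(set)
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            flows[(m["src"], m["dst"], int(m["dport"]))].add(int(m["sport"]))
    return dict(flows)

def suggest_rules(flows):
    """One allow rule per flow, matched on destination port; the source port
    is 'any' only when all observed source ports fall in the ephemeral range."""
    rules = []
    for (src, dst, dport), sports in sorted(flows.items()):
        all_ephemeral = all(p in EPHEMERAL for p in sports)
        rules.append({
            "src": src, "dst": dst, "dst_port": dport,
            "src_port": "any" if all_ephemeral else sorted(sports),
            "distinct_src_ports": len(sports),
        })
    return rules

if __name__ == "__main__":
    for rule in suggest_rules(summarize_drops(SAMPLE_LOG)):
        print(rule)
```

The resulting rule is scoped to one source address, one destination address and one destination port, which is far narrower than the 1-65535 test opening described in the question.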