ORA-12537 Overview
There’re several possible causes to raise ORA-12537:
- Incorrect File Permission
- White or Black List
ORA-12537 Caused by Incorrect File Permission
Incorrect file permission will prevent connections from being established. That is to say, potentially successful connections will be interrupted by ORA-12537 due to wrong file permissions, specifically, the execution permission. As a result, we saw the error on the client side.
For Single-instance
One simple change can reproduce ORA-12537:
[oracle@primary ~]$ ll $ORACLE_HOME/bin/oracle
-rwsr-s--x. 1 oracle oinstall 239952653 Sep 11 20:36 /u01/app/oracle/product/11.2.0/dbhome_1/bin/oracle
[oracle@primary ~]$ chmod u-x $ORACLE_HOME/bin/oracle
[oracle@primary ~]$ ll $ORACLE_HOME/bin/oracle
-rwSr-s--x. 1 oracle oinstall 239952653 Sep 11 20:36 /u01/app/oracle/product/11.2.0/dbhome_1/bin/oracle
In the above, I removed the user execution permission on $ORACLE/bin/oracle. Now let’s try to make a connection from outside.
C:\Users\edchen>sqlplus hr/hr@db11g
SQL*Plus: Release 11.2.0.4.0 Production on Tue Mar 4 19:25:51 2019
Copyright (c) 1982, 2013, Oracle. All rights reserved.
ERROR:
ORA-12537: TNS:connection closed
Enter user-name:
What we saw in listener.log can prove that the connection was established, but somehow the listener cannot hand out the connection due to permission problem.
[oracle@primary ~]$ tail -f $ORACLE_BASE/diag/tnslsnr/$(hostname -s)/listener/trace/listener.log
...
Tue Mar 04 19:25:51 2019
04-MAR-2019 19:25:51 * (CONNECT_DATA=(SERVICE_NAME=ORCL)(CID=(PROGRAM=D:\instantclient\sqlplus.exe)(HOST=MACHINE_NAME)(USER=edchen))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.1.12.123)(PORT=51385)) * establish * ORCL * 12518
TNS-12518: TNS:listener could not hand off client connection
TNS-12546: TNS:permission denied
TNS-12560: TNS:protocol adapter error
TNS-00516: Permission denied
Linux Error: 13: Permission denied
Further reading: Where is Oracle Listener Log Location
Errors in stack are all around permission problems and pointed to Linux error at the bottom.
Solution
That is, the solution is to add group permission to the file, which can rescue incoming connections from ORA-12537. Therefore, our action should be inspecting all the file permissions in $ORACLE, especially in $ORACLE_HOME/bin.
For RAC Database
After installing 11g RAC, we can test the database access, it would be successful via SCAN. But when we directly access on specific node, we found the connection failed on the second node with an error:
ORA-12537:TNS:connection closed
Generally speaking, the listener belongs to user grid, and the database belongs to user oracle in a RAC environment. Two users belong to a very special group oinstall. When we connected to the listener of the second node, the listener was acknowledged that it had no permission to access database. This could be the root cause of ORA-12537.
Let’s check some files’ permission from user grid‘s point of view.
- On the first node.
- On the second node.
$ ls -al $ORACLE_HOME/bin/oracle
-rwsr-s--x 1 oracle asmadmin 534683872 Mar 12 16:08
$ ls -al $ORACLE_HOME/bin/oracle
/oracle/database/product/11.2.0/dbhome_1/bin/oracle not found
That is to say, user grid can access oracle‘s files on the first node, but not on the second node. So we checked the following directories by user oracle on the second node:
$ cd $ORACLE_BASE
$ ls -l
total 2
drwx------ 3 oracle oinstall 96 Mar 12 16:02 admin
drwx------ 3 oracle oinstall 96 Mar 12 16:02 cfgtoollogs
drwxrwxr-x 11 oracle oinstall 1024 Mar 12 16:00 diag
drwxr-xr-x 3 oracle oinstall 96 Mar 12 16:09 product
$ cd product
$ ls -l
total 0
drwx------ 3 oracle oinstall 96 Mar 12 16:09 11.2.0
As you can see, it show that $ORACLE_BASE/product do have group permission, but $ORACLE_BASE/product/11.2.0 do not. As a result, grid cannot access the database files. That’s why we received ORA-12537 while connecting to the database.
Solution
Therefore, we should add group permission for grid to access on this directory in a cascading fashion:
$ chmod 755 11.2.0
$ ls -l
total 0
drwxr-xr-x 3 oracle oinstall 96 Mar 12 16:09 11.2.0
Now, connections are back to work. No more ORA-12537 are thrown.
Theoretically, two nodes should have symmetric structures with same permissions at the beginning. So I think it might be a bug, because I didn’t create the directory «11.2.0», OUI did.
ORA-12537 Caused by White or Black List
As I said in the above, ORA-12537 is meant for interrupting potentially successful connections. Here is another error pattern of ORA-12537.
In some cases, DBA explicitly blocks or allows some nodes listed in sqlnet.ora to limit the access to the database, which is essentially a black or white list in terms of network security. For example, we can implement a white list in sqlnet.ora like this:
TCP.VALIDNODE_CHECKING=yes
TCP.INVITED_NODES=(weblogic1.example.com, weblogic2.example.com, 10.10.0.0/16)
Solution
Make sure you are in the white list. Otherwise you might get ORA-12537 when you connect to the database.
For those who want to implement black lists, TCP.EXCLUDED_NODES parameter should be in sqlnet.ora.
Further reading: TNSPING Errors Collections
May 7, 2020
Hi,
Sometimes You can get “ORA-12537: TNS:connection closed” error.
Details of error are as follows.
TNS-00584: Valid node checking configuration error Cause: Valid node checking specific Oracle Net configuration is invalid. Action: Ensure the hosts specified in the “invited_nodes” and “excluded_nodes” are valid. For further details, turn on tracing and reexecute the operation. (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=1521))) TNS-12532: TNS:invalid argument TNS-12560: TNS:protocol adapter error TNS-502: Invalid argument 32-bit Windows Error: 515: Unknown error Error listening on: (ADDRESS=(PROTOCOL=TCP)(Host=<hostname>)(Port=1562)) TNS-12560: TNS:protocol adapter error TNS-00584: Valid node checking configuration error Connecting to (ADDRESS=(PROTOCOL=TCP)(Host=hostname)(Port=1521)) TNS-12537: TNS:connection closed TNS-12560: TNS:protocol adapter error TNS-00507: Connection closed
This error is related with the Permission or ownership or group permission, so check them if they are ok or not.
Check permission.
[oracle@msdbadm01 ~]$ ll $ORACLE_HOME/bin/oracle -rwsr-s--x. 1 oracle oinstall 239952653 Sep 11 20:36 /u01/app/oracle/product/12.1.2/dbhome_1/bin/oracle
Revoke the user execution permission from $ORACLE/bin/oracle as follows.
[oracle@msdbadm01 ~]$ chmod 6751 $ORACLE_HOME/bin/oracle [oracle@msdbadm01 ~]$ ll $ORACLE_HOME/bin/oracle -rwSr-s--x. 1 oracle oinstall 239952653 Sep 11 20:36 /u01/app/oracle/product/12.1.2/dbhome_1/bin/oracle
Or the second case of this error is as follows.
There is an invalid hostname in the TCP.INVITED_NODES list in the sqlnet.ora file.
Oracle no longer allows the listener to startup if an invalid hostname or ip address is specified in the invited_nodes list. The listener will not start if any of the hosts or ip addresses are note resolvable. The only solution to this issue is to ensure that all the hostnames and ip addresses in the invited nodes list are resolvable using ping or nslookup from the host where the listener is starting.
In some cases, the localhost might cause this behavior.
To solve this error, go to sqlnet.ora and check and fix the right INVITED_NODES IP as follows,
[oracle@msdbadm01 ~]$ cd $ORACLE_HOME/network/admin [oracle@msdbadm01 admin]$ vi sqlnet.ora TCP.INVITED_NODES=(localhost, <IP ADDRESS>) TCP.VALIDNODE_CHECKING = YES TCP.INVITED_NODES = (192.168.63.34,192.168.63.35,192.168.63.36)
Do you want to learn more details about RMAN, then read the following articles.
https://ittutorial.org/rman-backup-restore-and-recovery-tutorials-for-beginners-in-the-oracle-database/
About Mehmet Salih Deveci
I am Founder of SysDBASoft IT and IT Tutorial and Certified Expert about Oracle & SQL Server database, Goldengate, Exadata Machine, Oracle Database Appliance administrator with 10+years experience.I have OCA, OCP, OCE RAC Expert Certificates I have worked 100+ Banking, Insurance, Finance, Telco and etc. clients as a Consultant, Insource or Outsource.I have done 200+ Operations in this clients such as Exadata Installation & PoC & Migration & Upgrade, Oracle & SQL Server Database Upgrade, Oracle RAC Installation, SQL Server AlwaysOn Installation, Database Migration, Disaster Recovery, Backup Restore, Performance Tuning, Periodic Healthchecks.I have done 2000+ Table replication with Goldengate or SQL Server Replication tool for DWH Databases in many clients.If you need Oracle DBA, SQL Server DBA, APPS DBA, Exadata, Goldengate, EBS Consultancy and Training you can send my email adress [email protected].- -Oracle DBA, SQL Server DBA, APPS DBA, Exadata, Goldengate, EBS ve linux Danışmanlık ve Eğitim için [email protected] a mail atabilirsiniz.
ORA-12537: TNS: Connection Closed Error
Oracle’s ability to be customized with deep mechanics in regards to the construction of company databases is one of many reasons that it has become so prevalent in corporations today. Due in part to the complex nature of Oracle database structures, occasionally errors can arise, some of which carry a string of causes and additional problems. The ORA-12537 connection closed error is an example of one of these types of issues that is associated with an assortment of causes and potential outcomes. Let us look at some of these initial triggers for the error and see what can be done to counter them so databases can be returned to full functionality.
The Problem
The ORA-12537 is defined as an informational error, a message error triggered alongside a secondary error that typically offers the true programming issue. Oracle docs describes the cause as “a normal end-of-file condition being reached; partner has been disconnected”. It can occasionally relate to configuration issues in the sqlnet.ora, listerner.ora files or the protocol.ora. Furthermore, the error can derive from the firewall in a network being disconnected due to idling connections.
Another potential cause is that a path name is too long for the Oracle TNS client. Just as well, there is a common bug in Oracle known as 1566794: CONNECTIONS FAIL WITH ORA-12537 WHEN USE_SHARED_SOCKET IS SET IN 8.1.7. The resolution to this condition is to set the USED_SHARED_SOCKET parameter to FALSE.
The error can also occur if the user has listed a 10g database SID with a 9i listener, which can create the problem because of invalid inter-version connections. Additionally, the user can generate an ORA-12537 error in Oracle Apps 11i due to an eBusiness Suite security feature.
One final cause of the error is when the Tnsping Net Service name fails with the TNS-12537. This occurs because the Sqlnet.ora file parameter TCP.VALIDNODE_CHECKING is enabled and TCP.INVITEDNODES is set to a specific IP’s of the client machine. These parameters are enable by default in the Oracle Apps Installation.
The Solution
An initial step for taking on this error is to of course check your records and see what events transpired just prior to the occurrence of the event. From there, the user should attempt to verify that all service names match between the listener and the remote client connect strings. In the event that the firewall was disconnected to due idleness, check the idling parameters across your system and adjust them to reflect the networks usage.
For a path name that is too large, install the exe in a shorter named directory. The user can also modify the TNS Names entry so that it is a bit shorter, they can remove parameters from the entry that are largely unnecessary and they could replace domain names with IP addresses in the event that they shorten things up. When the error is prompted by the aforementioned eBusiness Suite security feature, the solution is to edit your sqlnet.ora file to include the client IP address in the tcp.invited_nodes = (hostname, etc.).
Lastly, to correct the TNSping Net Service name fails error, the user can disable these parameters in the Sqlnet.ora. The user can also add the client machine’s IP address in the TCP.INVITEDNODES list.
Looking forward
As can be seen from above, there are numerous causes of the ORA-12537. With that said, the user can make a couple of adjustments to offset this error. Maintaining an awareness of parameters that are enabled and noting idle times across the network can go a long way in preventing not just this error, but a number of problems within Oracle. Another slight modification to be made is keeping the programming as neat and concise as possible. Working to eliminate long strings of domain names and code is a strong discipline to instill in the database programming process. For more information about these methods, it would is advised to speak with a licensed Oracle consultant.
I’m facing the following error when trying to make a connection to oracle always free database.
Failed to connect: { [Error: ORA-12537: TNS:connection closed] errorNum: 12537, offset: 0 }
Here is my script:
const oracledb = require('oracledb');
console.log('Getting connection');
let connection = oracledb.getConnection({
user: 'ADMIN',
password: '*****',
connectString: '*****'
}).then(() => {
console.log('Connection established');
}).catch((err) => {
console.log('Failed to connect: ', err);
});
Here are my version strings:
> process.platform
win32
> process.version
v10.16.3
> process.arch
x64
> require('oracledb').versionString
'4.0.1'
I’m trying to connect to Autonomous Transaction Processing Instance from Oracle Always Free cloud with database version 18c.
Thanks for taking the time to read this. Do let me know if more info is required from me.
From the Cloud GUI page for your database, click ‘DB Connection’ to download the Client Credentials wallet.
Enter a new wallet password when prompted — this will not actually be needed for use with node-oracledb.
Unzip wallet.zip and edit sqlnet.ora. Set DIRECTORY to the directory with the extracted files. Keep the files safe. For node-oracledb you only need cwallet.sso, sqlnet.ora, and tnsnames.ora
Or don’t edit sqlnet. if you put the extracted files in a default location like instantclient_19_3/network/admin. In this case there is also no need to set TNS_ADMIN
$ export TNS_ADMIN=/Users/cjones/q/Cloud/alwaysfree
$ sqlplus -l admin@cjdb1_high
SQL*Plus: Release 19.0.0.0.0 - Production on Sun Oct 27 11:11:52 2019
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Enter password:
Last Successful login time: Sun Oct 27 2019 11:07:38 +11:00
Connected to:
Oracle Database 18c Enterprise Edition Release 18.0.0.0.0 - Production
Version 18.4.0.0.0
SQL ADMIN@cjdb1_high>
The next stage would be to create a normal (non admin) user to mess around with. Something like this:
define USERNAME = cj
begin execute immediate 'drop user &USERNAME cascade'; exception when others then if sqlcode <> -1918 then raise; end if; end;
/
create user &USERNAME;
alter user &USERNAME
default tablespace data
temporary tablespace temp
account unlock
quota unlimited on data;
grant connect
, resource
to &USERNAME;
grant create session
, create table
, create procedure
, create sequence
, create trigger
, create view
, create synonym
, alter session
, create type
, soda_app
to &USERNAME;
password &USERNAME
I’m working on a blog post for this.
I did as you mentioned and then I used the newly created username and password in oracledb.getConnection(). The error remains the same. Am I missing something?
FIrewalls, typos, proxies?
I’m not using any proxies and turning off all firewalls didn’t change a thing. Rechecked my username and password multiple times. I’m able to connect through SQL developer but not through oracledb in nodejs. Is it possible to turn on additional logging to know what is causing this problem, because my instance is certainly on as I’m able to connect to it through other means?
Start by giving us actual screen logs (not screen shots — please) of a terminal window showing the listing of the directory with the wallet, the contents in sqlnet.ora, you setting TNS_ADMIN (if you don’t use a default location for the wallet files), showing PATH containing the Instant Client libraries, and then running Nodejs
Sure. Here’s the directory listing of the wallet placed inside network/admin of instant client.
Volume in drive C is Windows-SSD
Volume Serial Number is 94D1-6E5D
Directory of C:\oracle\instantclient-basic-windows.x64-19.3.0.0.0dbru\instantclient_19_3\network\admin
10/27/2019 08:54 AM <DIR> .
10/27/2019 08:54 AM <DIR> ..
10/27/2019 08:53 AM 6,661 cwallet.sso
10/27/2019 08:53 AM 6,616 ewallet.p12
10/27/2019 08:53 AM 3,241 keystore.jks
10/27/2019 08:53 AM 87 ojdbc.properties
10/27/2019 08:53 AM 114 sqlnet.ora
10/27/2019 08:53 AM 1,786 tnsnames.ora
10/27/2019 08:53 AM 3,335 truststore.jks
7 File(s) 21,840 bytes
2 Dir(s) 358,877,769,728 bytes free
Contents of sqlnet.ora file:
WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = (DIRECTORY="?/network/admin")))
SSL_SERVER_DN_MATCH=yes
My path:
echo %PATH%
-----;C:\oracle\instantclient-basic-windows.x64-19.3.0.0.0dbru\instantclient_19_3;-----
Contents of temp.js
const oracledb = require('oracledb');
console.log('Getting connection');
let connection = oracledb.getConnection({
user: 'DUMMY',
password: 'Dummy1@Password',
connectString: 'adb.uk-london-1.oraclecloud.com:1522/**************_tp.atp.oraclecloud.com'
}).then((res) => {
console.log('Connection established:', res);
}).catch((err) => {
console.log('Failed to connect: ', err);
});
node temp.js
Getting connection
Failed to connect: { [Error: ORA-12537: TNS:connection closed] errorNum: 12537, offset: 0 }
Really stuck on this for a couple of days now. I’ve recently started with the oracle database and the worst part is that I remember it connecting previously. Thanks again for taking your time going through this issue. Highly appreciated.
@dmcghan Thanks a ton mate! Your video was really clear and helpful in explaining what to do and why we’re doing it. Great content!
@a1diablo Was updating sqlnet.ora really necessary as part of your solution? The string «?/network/admin» should be being expanded by the Oracle net code to (in your case) C:\oracle\instantclient-basic-windows.x64-19.3.0.0.0dbru\instantclient_19_3\network\admin
@cjbj Not really. What I understood from the behavior was, that I cannot use connect strings directly in nodejs code. I had to use the name from tnsnames.ora and set TNS_ADMIN as the path of the wallet contents; only then it would work.
Since your wallet was in the default directory C:\oracle\instantclient-basic-windows.x64-19.3.0.0.0dbru\instantclient_19_3\network\admin you don’t need to set TNS_ADMIN or edit sqlnet.ora
- Remove From My Forums
-
Question
-
User-541003552 posted
Please can anyone help me with the below error. What do i need to do
ORA-12537: TNS:connection closed at System.Data.OracleClient.OracleException.Check(OciErrorHandle errorHandle, Int32 rc) at System.Data.OracleClient.OracleInternalConnection.OpenOnLocalTransaction(String userName, String password, String serverName, Boolean integratedSecurity, Boolean unicode, Boolean omitOracleConnectionName) at System.Data.OracleClient.OracleInternalConnection..ctor(OracleConnectionString connectionOptions)
Answers
-
User281315223 posted
It’s been quite some time since I’ve interacted with any kind of Oracle environments, but you could possibly clean up your code a bit and hopefully prevent some unexpected behavior from your connections using «using» statements :
protected void AccountDetails() { try { // Assumes that strOraTEST is your connection string using(var objConn = new OracleConnection(strOraTEST)) { // Build your command to execute using(var objCmd = new OracleCommand("GET_ID", objConn)) { // Open your connection objConn.Open(); // Indicate this is a stored procedure objCmd.CommandType = CommandType.StoredProcedure; // Set up your parameters objCmd.Parameters.AddWithValue("NO","02001"); objCmd.Parameters.Add("ID", OracleType.VarChar2, 7).Direction = ParameterDirection.Output; // Execute your query objCmd.ExecuteNonQuery(); // Attempt to get your result Message.Text = Convert.ToString(objCmd.Parameters["ID"].Value); } } } catch (Exception ex) { // Otherwise, something went wrong Message.Text = ex.Message + "\r\n" + ex.StackTrace; } }-
Marked as answer by
Thursday, October 7, 2021 12:00 AM
-
Marked as answer by