Connectivity to the Cloud Service is intermittent and requires a MonitorController service restart

Article ID: 269069

Products

Data Loss Prevention Enforce

Issue/Introduction

After inactive connections between the Enforce Server and its Oracle database instance are closed, connectivity from the Enforce Server to the Cloud Service Gateway is interrupted.

Environment

Release : 16.0

Cause

A limitation in the Enforce Server management console allowed connections to sit idle indefinitely. When the network firewall closed those idle connections, the Enforce Server lost connectivity to the Cloud Service until its services were restarted.

A fix available in DLP 16.0 MP2 allows connections to be configured so that the Enforce Server's Java processes close them themselves after a set period of inactivity.

This should prevent interruptions to established connections, such as those from the Enforce Server to the Oracle database and to the Cloud Service.

Resolution

Symantec Data Loss Prevention 16.0 MP2 introduces the new CONNPOOL_INACTIVE_TIMEOUT property that you can configure in the ConnectionPool.properties file on the Enforce Server.

To change the current behavior of idle connections that are never closed, edit the ConnectionPool.properties values as suggested below, updating the CONNPOOL_MIN_LIMIT and CONNPOOL_INACTIVE_TIMEOUT settings as described in the steps that follow:

# Properties file for use by Oracle-THIN Connection Pool.
# The minimum number of connections that can remain idle in the pool, without extra ones being created, or zero to create none
CONNPOOL_MIN_LIMIT=10
# The maximum number of active connections that can be allocated from this pool at the same time, or non-positive for no limit
CONNPOOL_MAX_LIMIT=50
# The maximum number of milliseconds that the pool will wait (when there are no available connections) for a connection to be returned, or -1 to wait indefinitely
CONNPOOL_MAX_WAIT=2000
# Inactive connection timeout in seconds, how long an available connection remains in the connection pool before it is removed from the pool
CONNPOOL_INACTIVE_TIMEOUT=0

The last setting, CONNPOOL_INACTIVE_TIMEOUT, is a new option in 16.0 MP2 and later. The default value of "0" means idle connections never close.

To implement this new option:

  1. Confirm how long inactive connections on your network are allowed to persist before they are killed as idle connections.
  2. Then set CONNPOOL_INACTIVE_TIMEOUT to a value shorter than that allowance. For example, if your firewall closes connections after 60 minutes of inactivity, setting CONNPOOL_INACTIVE_TIMEOUT to "1800" seconds (30 minutes) means that DLP will forcibly close its own idle connections after 30 minutes and re-open them as needed.
  3. In addition, lowering CONNPOOL_MIN_LIMIT from the default of "10" to "1" means that DLP will keep only one idle connection open. This allows the system to close all idle connections down to a single remaining one as necessary.
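The check behind steps 1 to 3, as an added example that is not Broadcom's code: a small script that parses a ConnectionPool.properties file, flags a CONNPOOL_INACTIVE_TIMEOUT that is unset or not shorter than the firewall's idle limit, and rewrites the two settings. The sample file content and the 60-minute (3600 s) firewall idle limit are constructed for the example; the halving rule simply mirrors the KB's 60 min to 1800 s illustration.

```python
def parse_properties(text: str) -> dict:
    """Minimal parser for Java-style key=value properties (comments start with # or !)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_pool_config(text: str, firewall_idle_seconds: int) -> list:
    """Return findings; an empty list means the pool drops idle connections before the firewall does."""
    props = parse_properties(text)
    findings = []
    timeout = int(props.get("CONNPOOL_INACTIVE_TIMEOUT", "0"))
    if timeout <= 0:
        findings.append("CONNPOOL_INACTIVE_TIMEOUT is 0 or unset: idle connections never close")
    elif timeout >= firewall_idle_seconds:
        findings.append(f"CONNPOOL_INACTIVE_TIMEOUT={timeout}s is not shorter than the "
                        f"firewall idle limit of {firewall_idle_seconds}s")
    min_limit = int(props.get("CONNPOOL_MIN_LIMIT", "10"))
    if min_limit > 1:
        findings.append(f"CONNPOOL_MIN_LIMIT={min_limit}: lower to 1 so the pool can shrink to one idle connection")
    return findings

def apply_fix(text: str, firewall_idle_seconds: int) -> str:
    """Rewrite the two settings in place, leaving comments and other keys untouched."""
    # Half the firewall idle window (constructed rule matching the KB's 60 min -> 1800 s example).
    new_values = {"CONNPOOL_INACTIVE_TIMEOUT": str(firewall_idle_seconds // 2),
                  "CONNPOOL_MIN_LIMIT": "1"}
    out = []
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        out.append(f"{key}={new_values[key]}" if key in new_values else raw)
    return "\n".join(out) + "\n"

# Constructed sample reproducing the default values shown in this KB.
SAMPLE = """# constructed sample of the defaults shown in the KB
CONNPOOL_MIN_LIMIT=10
CONNPOOL_MAX_LIMIT=50
CONNPOOL_MAX_WAIT=2000
CONNPOOL_INACTIVE_TIMEOUT=0
"""
```

Running check_pool_config(SAMPLE, 3600) reports both findings; after apply_fix the same check returns an empty list.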

This setting is only available to customers on DLP version 16.0 MP2 and later.

Additional Information

This KB supplements the new feature, which is documented in the following Help Center topic:

New Connection Pool Property for Detection Servers (broadcom.com)