Resolving ORA-12537 and TNS-12649 During Database Connections

Posted by

 

Sometimes a database connection using a statically registered listener service may fail unexpectedly with an error similar to the following: 
 
sqlplus sys/password@//server01:1521/TESTDB

Connection result:

ERROR:
ORA-12537: TNS:connection closed

At the same time, the database alert log usually records additional Oracle Net errors:

Fatal NI connect error 12649
TNS-12649: Unknown encryption or data integrity algorithm
ORA-609 : opiodr aborting process

At first glance, the problem appears network-related, but in many cases the actual cause is a mismatch between Oracle homes.

Why the Error Happens

In environments where Grid Infrastructure and the database software are installed in separate Oracle homes, the listener often runs from the Grid Home while the database instance runs from a different Database Home. 
 
The listener reads its own sqlnet.ora configuration. If the Grid Home contains newer encryption or integrity settings that are unsupported by the older database binaries, the authentication handshake between the listener and the instance fails. 
 
That mismatch can trigger errors such as:
  • ORA-12537: TNS:connection closed
  • TNS-12649: Unknown encryption or data integrity algorithm
This situation is commonly seen after Grid Infrastructure upgrades where the database version itself was not upgraded.

Example Listener Configuration

A typical static listener entry may look like this: 

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = ORCL)
      (ORACLE_HOME = /u01/app/oracle/product/19.0.0.0/dbhome)
      (SID_NAME = ORCL)
    )
  )

In this example, the database software resides under:

/u01/app/oracle/product/19.0.0.0/dbhome

Even though the database uses this Oracle Home, the listener may still be loading network settings from the Grid Infrastructure home.

Fixing the Problem

The solution is to explicitly instruct the listener to use the database home network configuration files instead of the Grid Home configuration. 
 
This can be done by adding the TNS_ADMIN environment variable to the listener entry.

Updated configuration:

SID_LIST_LISTENER =
 (SID_LIST =
   (SID_DESC =
     (GLOBAL_DBNAME = ORCL)
     (ORACLE_HOME = /u01/app/oracle/product/19.0.0.0/dbhome)
     (SID_NAME = ORCL)
     (ENVS="TNS_ADMIN=/u01/app/oracle/product/19.0.0.0/dbhome/network/admin/,ORACLE_BASE=/u01/app/oracle")
   )
 )

After saving the changes, reload the listener:

lsnrctl reload

What Changes After Setting TNS_ADMIN

Once TNS_ADMIN is defined, the listener begins reading the sqlnet.ora file from the database home rather than the Grid Infrastructure home. This keeps the listener and the database instance aligned on supported encryption and integrity algorithms. 
 
As a result, the connection handshake completes normally and the errors disappear.

Situations Where This Is Common

This issue tends to appear more frequently in environments that have:
  • Separate Grid and Database Oracle Homes
  • Older database releases with newer Grid Infrastructure versions
  • Static listener registrations
  • Oracle Net encryption enabled
  • Different sqlnet.ora settings between homes

Whenever ORA-12537 and TNS-12649 appear together, checking which sqlnet.ora file the listener is actually using is usually one of the first troubleshooting steps worth performing.

 

Comments

Post a Comment