Introduction:
Connections via the listener to an instance that is in RESTRICTED status or in NO MOUNT status may fail with TNS-12526, TNS-12527 or TNS-12528 even when supplying the credentials for a privileged account. The lsnrctl services output will show that the service handler for this instance is in state: BLOCKED or RESTRICTED.
The full error text is:
ORA-12526 (TNS-12526)
TNS:listener: all appropriate instances are in restricted mode
ORA-12528 (TNS-12528)
TNS:listener: all appropriate instances are blocking new connections
ORA-12527 (TNS-12527)
TNS:listener: all instances are in restricted mode or blocking
Example of the error in some cases:
In these cases, the only significant change is that the instance has been started in a “restricted access” mode such as RESTRICTED or NO MOUNT.
Here is an example of starting up the database in restricted mode and the output for lsnrctl status:
1. Start the database in restricted mode
SQL> startup restrict
2. Check the status of the listener
LSNRCTL> status
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=<hostname>)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for 32-bit Windows: Version 10.1.0.2.0
Start Date 21-JUL-2003 18:19:03
Uptime 2 days 17 hr. 36 min. 17 sec
Trace Level OFF
Security OFF
SNMP OFF
Listener Parameter File e:\10g\network\admin\listener.ora
Listener Log File e:\10g\network\log\listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<hostname>)(PORT=1521)))
Services Summary...
Service "<service.domain>" has 1 instance(s).
Instance "<instance>", status RESTRICTED, has 1 handler(s) for this service...
The command completed successfully
From the above we can see that the listener status for that instance is “RESTRICTED”.
Reason for this error:
When an instance is in restricted mode, PMON or LREG updates the listener with that information and blocks new connections from being established.
The lsnrctl services output will show the handler is blocked for new connections or lsnrctl status may show the instance is in RESTRICTED mode.
How to avoid this error:
The (UR=A) clause for TNS connect strings was created in response to an enhancement request. This clause can be inserted into the “(CONNECT_DATA=” section of a TNS connect string and allows a privileged or administrative user to connect via the listener even when the service handler is blocking connections for non-privileged users.
Here’s an example of a connect string configured with (UR=A):
# (UR=A) under CONNECT_DATA is the added parameter
PROD =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = <hostname>)(PORT = 1521)))
    (CONNECT_DATA =
      (UR=A)
      (SERVICE_NAME = <service.domain>)
    )
  )
Please note that the (UR=A) clause is intended to work with a dynamically registered handler, so SERVICE_NAME rather than SID is required when using dynamic registration (i.e. the handler exists in the lsnrctl output but is BLOCKED). The use of SID in a TNS connect string may allow a connection if a static handler is defined in the listener.ora file under SID_DESC.
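To review which connect strings carry (UR=A) and whether they follow the SERVICE_NAME rule above, the following is an added example, not Oracle's or the original author's code. It parses a tnsnames-style entry and classifies it; the function names, result labels and sample entries (hosts, service names, aliases) are assumptions constructed for illustration.

```python
import re

def parse_tns(text):
    """Parse a parenthesised TNS descriptor into nested dicts (keys upper-cased).
    A repeated key keeps its last value, which is enough for CONNECT_DATA checks."""
    tokens = re.findall(r"[()=]|[^()=\s]+", text[text.index("("):])
    pos = 0

    def group():
        nonlocal pos
        out = {}
        while pos < len(tokens) and tokens[pos] == "(":
            key = tokens[pos + 1].upper()
            pos += 3                      # skip "(", key, "="
            if tokens[pos] == "(":
                value = group()           # nested group such as CONNECT_DATA
            else:
                value = tokens[pos]       # scalar value such as A or 1521
                pos += 1
            pos += 1                      # skip the closing ")"
            out[key] = value
        return out

    return group()

def has_ur_a(node):
    """True if a UR=A pair appears anywhere in this subtree."""
    if not isinstance(node, dict):
        return False
    return str(node.get("UR", "")).upper() == "A" or any(has_ur_a(v) for v in node.values())

def audit_entry(entry):
    """Classify one entry: ur-ok, ur-without-service-name, ur-misplaced or no-ur."""
    tree = parse_tns(entry)
    cd = tree.get("DESCRIPTION", {}).get("CONNECT_DATA", {})
    if str(cd.get("UR", "")).upper() != "A":
        return "ur-misplaced" if has_ur_a(tree) else "no-ur"
    # With dynamic registration the page requires SERVICE_NAME, not SID.
    return "ur-ok" if "SERVICE_NAME" in cd else "ur-without-service-name"

# Constructed sample entries; hosts, aliases and service names are placeholders.
ADDR = "(ADDRESS = (PROTOCOL = TCP)(HOST = db.example.test)(PORT = 1521))"
GOOD = f"PROD = (DESCRIPTION = {ADDR}(CONNECT_DATA = (UR=A)(SERVICE_NAME = svc.example.test)))"
WITH_SID = f"PROD_SID = (DESCRIPTION = {ADDR}(CONNECT_DATA = (UR=A)(SID = ORCL)))"
MISPLACED = f"PROD_BAD = (DESCRIPTION = (UR=A){ADDR}(CONNECT_DATA = (SERVICE_NAME = svc.example.test)))"
PLAIN = f"PROD_APP = (DESCRIPTION = {ADDR}(CONNECT_DATA = (SERVICE_NAME = svc.example.test)))"

if __name__ == "__main__":
    for entry in (GOOD, WITH_SID, MISPLACED, PLAIN):
        print(entry.split(" =")[0], "->", audit_entry(entry))
```

An entry reported as ur-without-service-name matches the SID case described above, which only connects when a static handler exists in listener.ora.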
Conclusion:
Connections via the listener to an instance that is in RESTRICTED status or in NO MOUNT status may fail with TNS-12526, TNS-12527 or TNS-12528, and the (UR=A) clause is provided to resolve this issue.