Introduction
Presented here is a reliable, symmetric Oracle Data Guard network. By reliable is meant that zero data loss and continuous availability is guaranteed in case of loss of one far sync. Symmetric means that there is is no preferred primary site.
Background
I used to drive a Navy Nuclear Submarine. On a weekly basis, we switched over our running machinery. For example, we switched over our turbine generator lubricating oil pumps. The engineroom upper level watch would the start the standby pump, verify proper response, and then and place the originally running pump in standby. We shifted our pumps for multiple reasons. Switching pumps equalized wear. It also verified readiness and operability. Finally, by operating the controls on a regular basis, the crew maintained a higher level of proficiency.
Notice a few things about this arrangement. No pump is a “preferred” primary. The pump functioning in the standby role is in no way inferior in design, specifications, or readiness. Because the machinery is rotated on a weekly basis, there is no question that the standby is ready to take over the primary role immediately when necessary.
So it is with databases. You need to have a disaster recovery strategy. The DR site needs to be in a known state of readiness at all times. The best way of accomplishing that is to rotate DR sites on a weekly or quarterly basis. No site is a “preferred” primary. By regularly exercising the system, there is no question that a standby is in a state of readiness. Finally, database administrators maintain proficiency by regularly switching over the Data Guard systems.
A reliable, symmetric Data Guard arrangement is convenient to set up in the cloud. You have complete flexibility over which region and availability zone for placing your databases and far syncs.
Environment
The environment is Amazon AWS EC2 (Elastic Computing Cloud) with Red Hat Linux 7.2. Here is an overview of the environment.
| db unique name | region | availability zone | type | net I/O sync | latency from | latency μs |
| NY | us-east-1 | us-east-1c | database | SYNC | SF | 32000 |
| NY_FSA | us-east-1 | us-east-1d | far sync | ASYNC | NY | 250 |
| NY_FSB | us-east-1 | us-east-1a | far sync | ASYNC | NY | 500 |
| SF | us-west-1 | us-west-1b | database | SYNC | NY | 31500 |
| SF_FSA | us-west-1 | us-west-1b | far sync | ASYNC | SF | 115 |
| SF_FSB | us-west-1 | us-west-1c | far sync | ASYNC | SF | 600 |
Notice that NY, NY_FSA, and NY_FSB are in the same region but in separate availability zones. Also, SF, SF_FSA, and SF_FSB are in the same region but SF_FSB is in an availability zone separate from SF and SF_FSA. SF and SF_FSA are in the same availability zone. The highest latency is across regions. The lowest latency is within one availability zone. Medium latency is in the same region but across availability zones.
Here is a network diagram.
In Maximum Availability mode, the primary ships redo to one far sync, leaving the second far sync as an alternate. In fase of a failure on the far sync, the alternate comes on line, resyncs with the primary, and takes over the role of far sync. The primary always ships redo to a far sync in the same region. For example, NY ships to NY_FSA or NY_FSB. Because of this arrangement, there is a total of four far syncs, two per region. Although four far sync hosts are required, the hosts could be configured with less CPU, memory, and disk space than the primary database. In a cloud, CPU, memory, and disk can be reconfigured quickly. Note that in the present symmmetric arrangement, far sync direction is one-way, from the local database to the database in the remote region.
Setup
You can assume an initial, enabled Maximum Availability configuration with only a primary and standby database, and no far syncs.
Create and enable the far syncs
Create far syncs as explained in Data Guard 19c in AWS with far sync. Add the far syncs and enable them.
DGMGRL> add far_sync "NY_FSA" as connect identifier is 'NY_FSA'; far sync instance "NY_FSA" added DGMGRL> enable far_sync "NY_FSA"; Enabled. DGMGRL> add far_sync 'NY_FSB' as connect identifier is 'NY_FSB'; far sync instance "NY_FSB" added DGMGRL> enable far_sync 'NY_FSB' Enabled. DGMGRL> add far_sync 'SF_FSA' as connect identifier is 'SF_FSA'; far sync instance "SF_FSA" added DGMGRL> enable far_sync 'SF_FSA'; Enabled. DGMGRL> add far_sync 'SF_FSB' as connect identifier is 'SF_FSB'; far sync instance "SF_FSB" added DGMGRL> enable far_sync 'SF_FSB' Enabled.
The configuration so far looks like this:
DGMGRL> show configuration
Configuration - ORCL_CONFIG
Protection Mode: MaxAvailability
Members:
NY - Primary database
SF - Physical standby database
Members Not Receiving Redo:
NY_FSA - Far sync instance
SF_FSA - Far sync instance
SF_FSB - Far sync instance
NY_FSB - Far sync instance
Fast-Start Failover: Disabled
Configuration Status:
SUCCESS (status updated 57 seconds ago)
Edit the far sync routes
DGMGRL> edit far_sync NY_FSA set property RedoRoutes = '(NY : SF ASYNC)'; Property "redoroutes" updated DGMGRL> edit far_sync NY_FSB set property RedoRoutes = '(NY : SF ASYNC)'; Property "redoroutes" updated DGMGRL> edit far_sync SF_FSA set property RedoRoutes = '(SF : NY ASYNC)'; Property "redoroutes" updated DGMGRL> edit far_sync SF_FSB set property RedoRoutes = '(SF : NY ASYNC)'; Property "redoroutes" updated
Edit the database routes
DGMGRL> edit database NY set property RedoRoutes = '(LOCAL : (NY_FSA SYNC, NY_FSB SYNC))'; Property "redoroutes" updated DGMGRL> edit database SF set property RedoRoutes = '(LOCAL : (SF_FSA SYNC, SF_FSB SYNC))'; Property "redoroutes" updated
DGMGRL> show configuration
Configuration - ORCL_CONFIG
Protection Mode: MaxAvailability
Members:
NY - Primary database
NY_FSA - Far sync instance
SF - Physical standby database
Members Not Receiving Redo:
SF_FSA - Far sync instance
SF_FSB - Far sync instance
NY_FSB - Far sync instance (alternate of NY_FSA)
Fast-Start Failover: Disabled
Configuration Status:
SUCCESS (status updated 40 seconds ago)
Test far sync failover
In case of a failure of the far sync, Data Guard should quickly switch over to the alternate far sync. In this example, if there is a disrpution of NY_FSA, Data Guard should fail over to NY_FSB. We want to observe the system response to a simulated failure at NY_FSA. There are two failure scenarios.
end-of-file on communication channel
In a TCP client, such as the primary database connection to the far sync, ORA-03113: end-of-file on communication channel will appear when the far sync is disrupted but the far sync host is still on the network. Possible causes could include far sync instance crash, restart, or host reboot. As long as the host is on the network at the link level, it is possible for the primary host operating system to quickly identify the error and return a failure to the primary database. In such cases, an error such as this one appears immediately in the alert log.
2019-09-10T13:44:33.987037-04:00 ORA-03113: end-of-file on communication channel
In such a case, recovery will be very quick. The primary will immediately connect to the alternate far sync. Synchronization can be complete in less than 10 seconds.
timeout error
A timeout will occur if there is a power loss or network disruption. A network disruption could occur as a result of a network configuration change. I can demonstrate a timeout by cutting off the TCP connectivity at the cloud level. To do that, I switch the NY_FSA host to a security group that does not allow traffic on the Oracle port (1521).
In this case, Oracle error detection and recovery is slow. In 30 seconds, the NetTimeout default, the primary connection to NY_FSA (LAD:2 (log archive destination) times out:
2019-09-10T18:22:28.214255-04:00 LGWR (PID:4969): ORA-16198: Received timed out error from KSR LGWR (PID:4969): Attempting LAD:2 network reconnect (16198) LGWR (PID:4969): LAD:2 network reconnect abandoned 2019-09-10T18:22:28.214836-04:00 Errors in file /u01/app/oracle/diag/rdbms/ny/ORCL/trace/ORCL_lgwr_4969.trc: ORA-16198: Timeout incurred on internal channel during remote archival LGWR (PID:4969): Error 16198 for LNO:1 to 'NY_FSA' 2019-09-10T18:22:28.223786-04:00 LGWR (PID:4969): LAD:2 is UNSYNCHRONIZED LGWR (PID:4969): Failed to archive LNO:1 T-1.S-333, error=16198
After another 30 seconds, the primary gives up on NY_FSA and switches to NY_FSB (LAD:3).
2019-09-10T18:22:58.232029-04:00 LGWR (PID:4969): ORA-16198: Received timed out error from KSR LGWR (PID:4969): Error 16198 disconnecting from LAD:2 standby host 'NY_FSA' 2019-09-10T18:22:58.232531-04:00 LGWR (PID:4969): LAD:3 is UNSYNCHRONIZED 2019-09-10T18:22:58.232638-04:00 LGWR (PID:4969): LAD:2 no longer supports SYNCHRONIZATION LGWR (PID:4969): SRL selected to archive T-1.S-334 LGWR (PID:4969): SRL selected for T-1.S-334 for LAD:3 2019-09-10T18:22:58.449325-04:00 Thread 1 advanced to log sequence 334 (LGWR switch) Current log# 2 seq# 334 mem# 0: +RECO01/NY/ONLINELOG/group_2.484.1018151803 Current log# 2 seq# 334 mem# 1: +DATA01/NY/ONLINELOG/group_2.270.1018151815 2019-09-10T18:22:58.519853-04:00 ARC0 (PID:5073): Archived Log entry 675 added for T-1.S-333 ID 0x5c2b52e5 LAD:1 2019-09-10T18:22:58.707980-04:00 ARC1 (PID:5079): SRL selected for T-1.S-333 for LAD:3
Synchronization begins, but four to five minutes elapse until the primary is resynced to the new far sync, NY_FSB.
2019-09-10T18:27:01.888256-04:00 LGWR (PID:4969): LAD:3 is SYNCHRONIZED
While NY_FSB is synchronizing, there are two things to notice. The primary status is:
NY - Primary database
Warning: ORA-16629: database reports a different protection level from the protection mode
and the protection level:
SQL> select protection_level from v$database; PROTECTION_LEVEL -------------------- RESYNCHRONIZATION
The final state is:
DGMGRL> show configuration
Configuration - ORCL_CONFIG
Protection Mode: MaxAvailability
Members:
NY - Primary database
NY_FSB - Far sync instance (alternate of NY_FSA)
SF - Physical standby database
Members Not Receiving Redo:
NY_FSA - Far sync instance
Warning: ORA-16857: member disconnected from redo source for longer than specified threshold
SF_FSA - Far sync instance
SF_FSB - Far sync instance
Fast-Start Failover: Disabled
Configuration Status:
WARNING (status updated 59 seconds ago)
Adjusting NetTimeout
On a low latency and usually reliable network, you should reduce the timeout. Example:
DGMGRL> edit database NY set property NetTimeout = 5; Property "nettimeout" updated
This makes for a cleaner far sync switchover.
Maximum Protection
You might think that you could implement protection mode Maximum Protection with multiple far syncs:
DGMGRL> edit configuration set protection mode as MaxProtection;
Oracle will not let you do that.
Error: ORA-16627: operation disallowed since no member would remain to support protection mode
If you want to implement Maximum Protection, you will need to implement a direct route to one or more physical standby databases.
Conclusion
Several points were covered in this article.
- Data Guard latency can be reduced by implementing far sync.
- Data Guard can be made more reliable by placing multiple far syncs near the primary.
- Benefits to setting up a symmetric arrangement include:
- Standby readniness has been recently verified.
- The standby capability is known to be identical to the primary.
- Heightened DBA staff proficiency.
- Setup implementation steps were covered.
- Data Guard does not keep alternate far syncs in sync with the primary.
- Data Guard is quick to recover from some error conditions.
- Data Guard detection and recovery from network timeout can be slow.
- Maximum Protection though a far sync is not supported.