{"id":111274,"date":"2026-07-01T12:00:00","date_gmt":"2026-07-01T12:00:00","guid":{"rendered":"https:\/\/www.red-gate.com\/simple-talk\/?p=111274"},"modified":"2026-06-25T11:15:59","modified_gmt":"2026-06-25T11:15:59","slug":"in-cloud-migrations-networking-fundamentals-matter-more-than-you-think-heres-why","status":"publish","type":"post","link":"https:\/\/www.red-gate.com\/simple-talk\/cloud\/in-cloud-migrations-networking-fundamentals-matter-more-than-you-think-heres-why\/","title":{"rendered":"DMS migration failing? How to debug Oracle to Cloud SQL network errors, layer-by-layer (OSI model guide)"},"content":{"rendered":"\n<p><strong>For database engineers stepping into cloud migrations for the first time, networking is the silent troublemaker. Most tutorials skip straight to configuring connection profiles, but if the network underneath isn&#8217;t right, DMS will fail in ways that feel cryptic and random. <\/strong><\/p>\n\n\n\n<p><strong>This guide uses the OSI model as a practical debugging framework \u2014 not as abstract theory \u2014 to help you pinpoint exactly where an Oracle to Cloud SQL PostgreSQL migration is breaking down, layer by layer. <\/strong><\/p>\n\n\n\n<p><strong>From VPC routing gaps at Layer 3 to SSL certificate mismatches at Layer 6, you&#8217;ll learn how to read DMS error messages like a map, and how a 15-minute pre-flight connectivity check can save you an entire day of confusion.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-before-we-begin-a-quick-introduction\">Before we begin &#8211; a quick introduction<\/h2>\n\n\n\n<p><strong>I want to start with a confession: a few years back, I went deep on networking. I mean <em>really<\/em> deep &#8211; <a href=\"https:\/\/www.cloudflare.com\/learning\/ddos\/glossary\/tcp-ip\/\" target=\"_blank\" rel=\"noreferrer noopener\">TCP\/IP<\/a> internals, packet capture with <a href=\"https:\/\/www.wireshark.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Wireshark<\/a>, <a href=\"https:\/\/www.cloudflare.com\/learning\/ddos\/glossary\/open-systems-interconnection-model-osi\/\" target=\"_blank\" rel=\"noreferrer noopener\">OSI layers<\/a> until I could recite them in my sleep. <\/strong><\/p>\n\n\n\n<p>For a while, it felt like a superpower. Network issue blocking a migration? Give me a day or two and I&#8217;d have it pinpointed. I could <em>see<\/em> what was happening beneath the surface in a way that most database engineers around me couldn&#8217;t.<\/p>\n\n\n\n<p>Then life got busy, projects piled up, and I drifted back to focusing on the database layer: schemas, indexes, query plans. That networking muscle I&#8217;d been using so much of, began to fade.<\/p>\n\n\n\n<p>Fast forward to working with <a href=\"https:\/\/cloud.google.com\/database-migration\" target=\"_blank\" rel=\"noreferrer noopener\">Google Database Migration Service (DMS)<\/a> on an <a href=\"https:\/\/www.red-gate.com\/simple-talk\/databases\/oracle-databases\/why-migrating-from-oracle-is-harder-than-anyone-admits-and-what-you-should-do-instead\/\" target=\"_blank\" rel=\"noreferrer noopener\">Oracle to Cloud SQL PostgreSQL migration<\/a>, and guess what came back to bite me? It was the network &#8211; every single time.<\/p>\n\n\n\n<p>So I&#8217;m writing this series partly to share what I&#8217;ve learned, and partly to rebuild because I think the journey of <em>why<\/em> networking fundamentals matter is just as useful as the technical details themselves. Especially if you&#8217;re a database engineer stepping into cloud migrations for the first time.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-three-point-connectivity-problem\">The three-point connectivity problem<\/h2>\n\n\n\n<p>When you set up DMS for an Oracle to <a href=\"https:\/\/cloud.google.com\/sql\" target=\"_blank\" rel=\"noreferrer noopener\">Cloud SQL<\/a> migration, you&#8217;re not dealing with a simple <a href=\"https:\/\/www.high-availability.com\/articles\/introduction\/two-node-cluster\" target=\"_blank\" rel=\"noreferrer noopener\">two-node<\/a> connection. You have three distinct players:<\/p>\n\n\n<div class=\"block-core-list\">\n<ol class=\"wp-block-list\">\n<li><strong>Your source<\/strong> &#8211; the <a href=\"https:\/\/www.red-gate.com\/simple-talk\/databases\/oracle-databases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Oracle database<\/a> (often on-premises)<br><br><\/li>\n\n\n\n<li><strong>DMS<\/strong> &#8211; Google&#8217;s migration service, running inside a <a href=\"https:\/\/www.cloudflare.com\/learning\/cloud\/what-is-a-virtual-private-cloud\/\" target=\"_blank\" rel=\"noreferrer noopener\">VPC (virtual private cloud)<\/a><br><br><\/li>\n\n\n\n<li><strong>Your target<\/strong> &#8211; Cloud SQL for PostgreSQL (also inside Google Cloud)<\/li>\n<\/ol>\n<\/div>\n\n\n<p>Each of those relationships &#8211; DMS to Oracle, and DMS to Cloud SQL &#8211; have their own networking requirements, failure modes, and error messages that can send you down the wrong rabbit hole if you don&#8217;t understand what&#8217;s happening at a lower level.<\/p>\n\n\n\n<p>Most tutorials jump straight to &#8220;configure your connection profile&#8221; but, if the network isn&#8217;t right underneath, DMS will fail in ways that feel cryptic and random. The error messages bubble up from deep in the stack and don&#8217;t always tell you where the real problem is.<\/p>\n\n\n\n<p>That&#8217;s where the OSI model comes in &#8211; and it&#8217;s what we&#8217;ll examine next.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-the-osi-model-and-why-should-database-engineers-care\">What is the OSI model (and why should database engineers care)?<\/h2>\n\n\n\n<p>If you studied networking at any point, you&#8217;ve seen this before. It&#8217;s much more than just &#8216;theory for theory&#8217;s sake&#8217;.<\/p>\n\n\n\n<p><strong>The OSI (Open Systems Interconnection) model describes how data travels from one system to another in seven distinct layers:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Layer<\/strong><\/th><th><strong>Name<\/strong><\/th><th><strong>What it does<\/strong><\/th><\/tr><\/thead><tbody><tr><td>7<\/td><td>Application<\/td><td>The protocol your app speaks (e.g. Oracle Net, PostgreSQL wire protocol)<\/td><\/tr><tr><td>6<\/td><td>Presentation<\/td><td>Encoding, encryption (e.g. TLS\/SSL), data format translation<\/td><\/tr><tr><td>5<\/td><td>Session<\/td><td>Managing connections and sessions (e.g. TNS negotiation in Oracle)<\/td><\/tr><tr><td>4<\/td><td>Transport<\/td><td>TCP\/UDP &#8211; reliable delivery, ports, retransmission<\/td><\/tr><tr><td>3<\/td><td>Network<\/td><td>IP addressing, routing between networks<\/td><\/tr><tr><td>2<\/td><td>Data Link<\/td><td>MAC addresses, switches, local network framing<\/td><\/tr><tr><td>1<\/td><td>Physical<\/td><td>Cables, fiber, signals&nbsp;(the actual hardware)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>One important thing to know before we go further: the OSI model is a thinking tool, not a rigid rulebook. Real-world protocols don&#8217;t map to it perfectly. <\/p>\n\n\n\n<p>And <a href=\"https:\/\/www.cloudflare.com\/learning\/ddos\/glossary\/tcp-ip\/\" target=\"_blank\" rel=\"noreferrer noopener\">TCP\/IP<\/a> &#8211; which is what everything actually <em>runs<\/em> on &#8211; doesn&#8217;t cleanly separate into seven layers. Practitioners often collapse layers together, which is why you&#8217;ll hear people talk about &#8220;Layer 3\/4&#8221; in the same breath. What matters is the mental model it gives you for debugging.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-key-insight-layers-are-sequential\">The key insight: layers are sequential<\/h2>\n\n\n\n<p><strong>The single most useful thing to understand about the OSI model for debugging purposes, is this: a failure at a lower layer prevents every layer above it from running.<\/strong><\/p>\n\n\n\n<p>Think about what that means in practice. If Layer 3 (Network) fails &#8211; meaning DMS cannot route a packet to Oracle&#8217;s IP address &#8211; then Layers 4, 5, 6, and 7 never get a chance to do anything. Oracle never sees the connection attempt, the <a href=\"https:\/\/wirexsystems.com\/resource\/protocols\/tns\/\" target=\"_blank\" rel=\"noreferrer noopener\">TNS (Transparent Network Substrate)<\/a> listener never responds, and SSL never negotiates. <\/p>\n\n\n\n<p>The result? <strong>Authentication never happens.<\/strong><\/p>\n\n\n\n<p>This gives you a powerful debugging process. Simply read the error message and ask yourself, <em>how far did the connection actually get before it failed?<\/em> The answer tells you which layer to focus on.<\/p>\n\n\n\n<section id=\"my-first-block-block_662cfb4f85cb18eae538df07ed1098b4\" class=\"my-first-block alignwide\">\n    <div class=\"bg-brand-600 text-base-white py-5xl px-4xl rounded-sm bg-gradient-to-r from-brand-600 to-brand-500 red\">\n        <div class=\"gap-4xl items-start md:items-center flex flex-col md:flex-row justify-between\">\n            <div class=\"flex-1 col-span-10 lg:col-span-7\">\n                <h3 class=\"mt-0 font-display mb-2 text-display-sm\">Enjoying this article? Subscribe to the Simple Talk newsletter<\/h3>\n                <div class=\"child:last-of-type:mb-0\">\n                                            Get selected articles, event information, podcasts and other industry content delivered straight to your inbox.                                    <\/div>\n            <\/div>\n                                            <a href=\"https:\/\/www.red-gate.com\/simple-talk\/subscribe\/\" class=\"btn btn--secondary btn--lg\" aria-label=\"Subscribe now: Enjoying this article? Subscribe to the Simple Talk newsletter\">Subscribe now<\/a>\n                    <\/div>\n    <\/div>\n<\/section>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-to-read-error-messages-through-an-osi-lens\">How to read error messages through an OSI lens<\/h2>\n\n\n\n<p>Let me walk through what a failure at each layer actually looks like in the context of a DMS to Oracle connection. This is the reference I wish I&#8217;d had when I started.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-layer-1-physical-almost-invisible-in-cloud-migrations\">Layer 1 (physical) &#8211; almost invisible in cloud migrations<\/h3>\n\n\n\n<p><strong>Layer 1 failures are about raw physical signal transmission &#8211; bad cables, failed network interfaces, disconnected fiber. In a fully cloud-based migration, Layer 1 is Google&#8217;s problem, not yours. Their infrastructure handles it entirely.<\/strong><\/p>\n\n\n\n<p>The one scenario where Layer 1 could affect you is if your Oracle source is on-premises and connected to Google Cloud via <a href=\"https:\/\/docs.cloud.google.com\/network-connectivity\/docs\/interconnect\/concepts\/dedicated-overview\" target=\"_blank\" rel=\"noreferrer noopener\">Dedicated Interconnect<\/a>. A bad <a href=\"https:\/\/www.geeksforgeeks.org\/electronics-engineering\/transceivers\/\" target=\"_blank\" rel=\"noreferrer noopener\">transceiver<\/a> or damaged fiber on that cross-connect could cause a Layer 1 failure. But that is some\u00a0you&#8217;d be escalating to your physical network team at that point, not debugging it yourself.<\/p>\n\n\n\n<p>If Layer 1 fails, you won&#8217;t see an application error at all. You&#8217;d see it in operating system logs:<\/p>\n\n\n\n<p><code>eth0: Link is down<\/code><\/p>\n\n\n\n<p><code>No carrier detected<\/code><\/p>\n\n\n\n<p><code>NIC reported media disconnected<\/code><\/p>\n\n\n\n<p>These show up in <code>dmesg<\/code> or <code>\/var\/log\/syslog<\/code>, not in DMS or Oracle logs. Most database engineers never look there &#8211;\u00a0 which is exactly why Layer 1 failures feel so mysterious when they <em>do<\/em> occur.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-layer-2-data-link-also-largely-abstracted-in-cloud\">Layer 2 (data link) &#8211; also largely abstracted in cloud<\/h3>\n\n\n\n<p><strong>Layer 2 handles <a href=\"https:\/\/en.wikipedia.org\/wiki\/MAC_address\" target=\"_blank\" rel=\"noreferrer noopener\">MAC addresses<\/a> and frame delivery between devices on the same local network segment. In a Google Cloud VPC environment, this is again abstracted away from you completely.<\/strong><\/p>\n\n\n\n<p>A Layer 2 failure produces almost no useful information at the application level. You get:<\/p>\n\n\n\n<p><code>Connection timed out<\/code><\/p>\n\n\n\n<p>Nothing else. The application sent data out and nothing came back &#8211; but it has no visibility into <em>why<\/em>. This makes Layer 2 failures hard to distinguish from Layer 3 failures at first glance. <\/p>\n\n\n\n<p>The difference shows up when you go lower &#8211; a Layer 2 failure means an ARP request (asking &#8220;who has this IP?&#8221;) goes unanswered, whereas a Layer 3 failure means the packet routes out but can&#8217;t find a path to the destination.<\/p>\n\n\n\n<p><strong>In practice, for cloud migrations: if you see a generic timeout with no other information, suspect Layer 3 before Layer 2.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-layer-3-network-high-relevance-for-dms-migrations\">Layer 3 (network) &#8211; high relevance for DMS migrations<\/h3>\n\n\n\n<p>This is where things get real for cloud migrations. Layer 3 is about IP addressing and routing &#8211; can DMS actually get a packet to the Oracle host&#8217;s IP address?<\/p>\n\n\n\n<p>Common Layer 3 failure scenarios in DMS migrations:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/peering\/what-is-vpc-peering.html\" target=\"_blank\" rel=\"noreferrer noopener\">VPC peering<\/a> not configured between the DMS VPC and the network where Oracle lives<br><br><\/li>\n\n\n\n<li>Missing or incorrect routes in the routing table<br><br><\/li>\n\n\n\n<li>Cloud VPN or Dedicated Interconnect not passing traffic for the Oracle subnet<br><br><\/li>\n\n\n\n<li>Cloud SQL private IP not reachable from the DMS network<\/li>\n<\/ul>\n<\/div>\n\n\n<p>A Layer 3 failure looks like:<\/p>\n\n\n\n<p><code>Connection timed out<\/code><\/p>\n\n\n\n<p><code>No route to host<\/code><\/p>\n\n\n\n<p>The diagnostic move at Layer 3: from a VM inside the DMS VPC, run <code>ping &lt;oracle-host-ip&gt;<\/code> and <code>ip route get &lt;oracle-host-ip&gt;<\/code>. <\/p>\n\n\n\n<p><em><strong>One important caveat: <\/strong>ICMP is often blocked by GCP VPC firewall rules, so a ping failure alone does not confirm a routing problem. Use <code>ip route get<\/code> to verify the routing table independently.&nbsp;<\/em><\/p>\n\n\n\n<p><strong>If neither ping nor a route entry exists for the <a href=\"https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Network\/Tasks\/Overview_of_VCNs_and_Subnets.htm\" target=\"_blank\" rel=\"noreferrer noopener\">Oracle subnet<\/a>, you have a routing problem to solve before DMS will ever work.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-layer-4-transport-high-relevance-for-dms-migrations\">Layer 4 (transport) &#8211; high relevance for DMS migrations<\/h3>\n\n\n\n<p><strong>Layer 4 is TCP &#8211; the three-way handshake that establishes a connection before any data is exchanged. Your client sends SYN, the server responds with SYN-ACK, your client completes with ACK. Only after this handshake completes can anything else happen.<\/strong><\/p>\n\n\n\n<p>Common Layer 4 failure scenarios:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>Firewall rule blocking port 1521 (Oracle listener) between DMS and the source<br><br><\/li>\n\n\n\n<li>Firewall rule blocking port 5432 (PostgreSQL) between DMS and Cloud SQL<br><br><\/li>\n\n\n\n<li>Oracle listener not running, or bound to the wrong IP<br><br><\/li>\n\n\n\n<li>Security group or VPC firewall not allowing inbound connections<\/li>\n<\/ul>\n<\/div>\n\n\n<p>A Layer 4 failure looks like:<\/p>\n\n\n\n<p><code>IO Error: The Network Adapter could not establish the connection<\/code><\/p>\n\n\n\n<p><code>Connection refused<\/code><\/p>\n\n\n\n<p>Notice: no TNS, no SSL mention. The TCP handshake never completed. The diagnostic move at Layer 4: use <code>telnet<\/code> or <code>nc<\/code> from a VM in the DMS VPC to test whether port 1521 on the Oracle host is reachable.<\/p>\n\n\n\n<p># Test Layer 4 connectivity to Oracle listener<\/p>\n\n\n\n<p><code>nc -zv &lt;oracle-host-ip&gt; 1521<\/code><\/p>\n\n\n\n<p># Or with telnet<\/p>\n\n\n\n<p><code>telnet &lt;oracle-host-ip&gt; 1521<\/code><\/p>\n\n\n\n<p><strong>If this fails, you have a firewall or listener issue to resolve before anything else matters.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-layer-5-session-relevant-once-tcp-is-established\">Layer 5 (session) &#8211; relevant once TCP is established<\/h3>\n\n\n\n<p><strong>Layer 5 kicks in after the TCP connection is up. In Oracle&#8217;s world, this is the TNS (Transparent Network Substrate) negotiation &#8211; the Oracle-specific protocol that sits on top of TCP. DMS connects on port 1521, the listener responds, and then the two sides negotiate which Oracle service or <a href=\"https:\/\/www.sentinelone.com\/cybersecurity-101\/cybersecurity\/security-identifier\/\" target=\"_blank\" rel=\"noreferrer noopener\">security identifier (SID)<\/a> to connect to.<\/strong><\/p>\n\n\n\n<p>Common Layer 5 failure scenarios:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>Wrong service name or SID in the DMS connection profile<br><br><\/li>\n\n\n\n<li>Oracle listener running but not aware of the requested service<br><br><\/li>\n\n\n\n<li>Oracle&#8217;s maximum connection limit reached &#8211; listener can&#8217;t hand off a new session<\/li>\n<\/ul>\n<\/div>\n\n\n<p>A Layer 5 failure looks like:<\/p>\n\n\n\n<p><code>ORA-12514: TNS:listener does not currently know of service requested in connect descriptor<\/code><\/p>\n\n\n\n<p><code>ORA-12505: TNS:listener does not currently know of SID given in connect descriptor<\/code><\/p>\n\n\n\n<p><code>ORA-12516: TNS:listener could not find available handler with matching protocol stack<\/code><\/p>\n\n\n\n<p>The key signature: <strong>TNS appears in the error.<\/strong> This tells you that TCP worked fine (Layer 4 succeeded), the listener picked up the connection (Layer 5 started), but the session negotiation failed. The fix is almost always in your Oracle connection string &#8211; check your service name or SID.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-layer-6-presentation-medium-relevance-mostly-ssl-tls\">Layer 6 (presentation) &#8211; medium relevance (mostly SSL\/TLS)<\/h3>\n\n\n\n<p><strong>Layer 6, in theory, covers both encryption and data format translation (<a href=\"https:\/\/lokalise.com\/blog\/what-is-character-encoding-exploring-unicode-utf-8-ascii-and-more\/\" target=\"_blank\" rel=\"noreferrer noopener\">character encoding<\/a>, serialization). In practice, for DMS migrations, you will almost exclusively encounter Layer 6 issues in the form of SSL\/TLS problems. The data format translation aspect is handled transparently by drivers and rarely causes explicit errors.<\/strong><\/p>\n\n\n\n<p>Layer 6 kicks in after TCP is established and after the initial session negotiation. DMS and Oracle (or Cloud SQL) try to negotiate encryption &#8211; they need to agree on a TLS version, a <a href=\"https:\/\/www.keyfactor.com\/blog\/cipher-suites-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">cipher suite<\/a>, and exchange certificates.<\/p>\n\n\n\n<p>Common Layer 6 failure scenarios:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>DMS doesn&#8217;t trust Oracle&#8217;s SSL certificate (or vice versa)<br><br><\/li>\n\n\n\n<li>TLS version mismatch &#8211; one side wants TLS 1.2, the other is configured for an older version<br><br><\/li>\n\n\n\n<li>Certificate expired or pointing to the wrong hostname<br><br><\/li>\n\n\n\n<li>Cipher suite incompatibility<\/li>\n<\/ul>\n<\/div>\n\n\n<p>A Layer 6 failure looks like:<\/p>\n\n\n\n<p><code>ORA-28860: Fatal SSL error<\/code><\/p>\n\n\n\n<p><code>ORA-28865: SSL connection closed gracefully<\/code><\/p>\n\n\n\n<p><code>SSL handshake failed: Received fatal alert: certificate_unknown<\/code><\/p>\n\n\n\n<p><code>javax.net.ssl.SSLHandshakeException: PKIX path building failed<\/code><\/p>\n\n\n\n<p>The key signature: <strong>SSL, TLS, handshake, certificate, or alert appear in the error.<\/strong> This tells you that TCP worked (Layer 4), TNS negotiation worked (Layer 5), but encryption setup fell apart. The fix lives in your certificate configuration, not your firewall rules.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-layer-7-application-wrong-password-wrong-schema-wrong-permissions\">Layer 7 (application) &#8211; wrong password, wrong schema, wrong permissions<\/h3>\n\n\n\n<p>Layer 7 is where Oracle and PostgreSQL actually speak their own protocol. If you&#8217;ve made it to a Layer 7 failure, congratulations &#8211; your network is fine. The database is reachable. Now you have a database problem.<\/p>\n\n\n\n<p>A Layer 7 failure looks like:<\/p>\n\n\n\n<p><code>ORA-01017: invalid username\/password; logon denied<\/code><\/p>\n\n\n\n<p><code>ORA-00942: table or view does not exist<\/code><\/p>\n\n\n\n<p><code>ORA-01031: insufficient privileges<\/code><\/p>\n\n\n\n<p>No network troubleshooting needed here: check your credentials, your schema, and your grants.<\/p>\n\n\n\n<div id=\"callout-block_65addadb21894d7b5c1ec428b43cd4d9\" class=\"callout alignnone\">\n    <div class=\"child-last:mb-0 child-first:mt-0 bg-gray-50 dark:bg-gray-950 p-4xl my-3xl\">\n\n<p><strong>You may also be interested in&#8230;<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/www.red-gate.com\/simple-talk\/collections\/migrating-from-on-prem-to-the-cloud-dba-stories\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to migrate from on-prem to the cloud (complete series)<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.red-gate.com\/simple-talk\/collections\/how-to-overcome-the-cloud-migration-challenges-of-2026-a-grant-fritchey-mini-series\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to overcome the cloud migration challenges of 2026 (complete mini-series)<\/a><\/p>\n\n<\/div>\n<\/div> \n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-complete-reference-osi-layers-in-dms-migrations\">The complete reference: OSI layers in DMS migrations<\/h2>\n\n\n\n<p><strong>The table below is the full picture in one place. Find your error message, match it to the error signature for that layer, and you immediately know where to focus. Each layer also shows what succeeded before the failure &#8211; which is just as useful, because it rules out everything below.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Layer<\/strong><\/th><th><strong>Name<\/strong><\/th><th><strong>Relevance<\/strong><\/th><th><strong>Error signature<\/strong><\/th><th><strong>Diagnostic step<\/strong><\/th><\/tr><\/thead><tbody><tr><td>L1<\/td><td>Physical<\/td><td>Abstracted<\/td><td>eth0: Link is down \/ No carrier detected &#8211; appears in dmesg\/syslog, not DMS or Oracle logs<\/td><td>Cloud-managed. Escalate to network team if on Dedicated Interconnect.<\/td><\/tr><tr><td>L2<\/td><td>Data Link<\/td><td>Abstracted<\/td><td>Connection timed out &#8211; no other context. ARP goes unanswered.<\/td><td>Cloud-managed. If you see a generic timeout, suspect L3 before L2.<\/td><\/tr><tr><td>L3<\/td><td>Network<\/td><td>High<\/td><td>Connection timed out \/ No route to host &#8211; VPC peering, missing routes, VPN not passing traffic<\/td><td>ping &lt;oracle-host-ip&gt; then ip route get &lt;oracle-host-ip&gt; from a VM inside the DMS VPC. Note: ICMP may be blocked in GCP &#8211; ping failure alone doesn&#8217;t confirm a routing problem.<\/td><\/tr><tr><td>L4<\/td><td>Transport<\/td><td>High<\/td><td>IO Error: Network Adapter could not establish the connection \/ Connection refused &#8211; no TNS, no SSL. TCP handshake never completed.<\/td><td>nc -zv &lt;oracle-host-ip&gt; 1521 or telnet &lt;oracle-host-ip&gt; 1521 from the DMS VPC. Failure = firewall rule or listener not running.<\/td><\/tr><tr><td>L5<\/td><td>Session<\/td><td>Medium<\/td><td>ORA-12514 \/ ORA-12505 \/ ORA-12516 &#8211; key signal: TNS in the error. TCP succeeded.<\/td><td>tnsping &lt;service-name&gt; \/ lsnrctl status. Verify service name or SID in your DMS connection profile.<\/td><\/tr><tr><td>L6<\/td><td>Presentation<\/td><td>Medium<\/td><td>ORA-28860: Fatal SSL error \/ SSL handshake failed: certificate_unknown \/ SSLHandshakeException: PKIX path building failed &#8211; key signal: SSL, TLS, handshake, certificate, or alert. TCP + TNS both succeeded.<\/td><td>openssl s_client -connect &lt;host&gt;:1521. Test TLS handshake before DMS does. Fix lives in certificate config, not firewall rules.<\/td><\/tr><tr><td>L7<\/td><td>Application<\/td><td>Database<\/td><td>ORA-01017: invalid username\/password \/ ORA-00942: table or view does not exist \/ ORA-01031: insufficient privileges &#8211; your network is fine.<\/td><td>No network troubleshooting needed. Check credentials, schema, and grants in Oracle and Cloud SQL.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-pattern-to-memorize\">The pattern to memorize<\/h3>\n\n\n\n<p>As you go up the layers, error messages get more specific and more informative:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>A generic &#8220;connection timed out&#8221; means something went wrong early &#8211; Layer 2 or 3. <br><\/li>\n<\/ul>\n<\/div>\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>A TNS error means you got further &#8211; Layer 5. <br><\/li>\n<\/ul>\n<\/div>\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>An ORA-01017 means you got all the way through the network stack, which is actually good news. Now it&#8217;s just a database problem.<\/li>\n<\/ul>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-a-practical-habit-that-will-save-you-hours\">A practical habit that will save you hours<\/h2>\n\n\n\n<p><strong>Before you run a single DMS migration job, validate connectivity at each relevant layer manually. It takes fifteen minutes and can save you an entire day of confusion.<\/strong><\/p>\n\n\n\n<p>Here&#8217;s how to do it:<\/p>\n\n\n\n<p><strong>Step 1 &#8211; Validate Layer 3 (routing):<\/strong> From a VM inside the DMS VPC, ping the Oracle host IP. If ping fails, fix your VPC routing or VPN configuration first.<\/p>\n\n\n\n<p><strong>Step 2 &#8211; Validate Layer 4 (transport):<\/strong> From the same VM, use nc or telnet to test port 1521. If this fails, fix your firewall rules first.<\/p>\n\n\n\n<p><strong>Step 3 &#8211; Validate Layer 5 (session):<\/strong> Use tnsping from the DMS network if available, or check the Oracle listener status with lsnrctl status on the Oracle host. Confirm your service name or SID is correct.<\/p>\n\n\n\n<p><strong>Step 4 &#8211; Validate Layer 6 (SSL):<\/strong> If you&#8217;ve configured SSL on either connection, test the TLS handshake with openssl s_client before DMS does it.<\/p>\n\n\n\n<p>Only after all four pass should you configure your DMS connection profile and hit &#8220;Test Connection.&#8221; At that point, if it still fails, you&#8217;re almost certainly dealing with a Layer 7 issue &#8211; credentials, permissions, or schema.<\/p>\n\n\n\n<p><strong>Have you hit networking issues in a cloud database migration? I&#8217;d love to hear what tripped you up &#8211; drop a comment below or <a href=\"https:\/\/www.linkedin.com\/in\/sachin-pawar-3322429\/\" target=\"_blank\" rel=\"noreferrer noopener\">find me on LinkedIn<\/a>.<\/strong><\/p>\n\n\n\n<section id=\"my-first-block-block_c9f607e0ef3560d4564ba3ad603b984b\" class=\"my-first-block alignwide\">\n    <div class=\"bg-brand-600 text-base-white py-5xl px-4xl rounded-sm bg-gradient-to-r from-brand-600 to-brand-500 red\">\n        <div class=\"gap-4xl items-start md:items-center flex flex-col md:flex-row justify-between\">\n            <div class=\"flex-1 col-span-10 lg:col-span-7\">\n                <h3 class=\"mt-0 font-display mb-2 text-display-sm\">Cloud adoption is accelerating, but database migrations aren\u2019t keeping pace. Find out why.<\/h3>\n                <div class=\"child:last-of-type:mb-0\">\n                                            The Cloud Migration Divide explores why complex, business-critical databases remain on-premises \u2013 and what\u2019s holding organizations back as confidence fails to scale with complexity.                                    <\/div>\n            <\/div>\n                                            <a href=\"https:\/\/www.red-gate.com\/solutions\/state-of-database-landscape\/2026\/cloud-migration-divide\/\" class=\"btn btn--secondary btn--lg\" aria-label=\"Download the free report: Cloud adoption is accelerating, but database migrations aren\u2019t keeping pace. Find out why.\">Download the free report<\/a>\n                    <\/div>\n    <\/div>\n<\/section>\n\n\n<section id=\"faq\" class=\"faq-block my-5xl\">\n    <h2>FAQs: In cloud migrations, networking fundamentals matter more than you think. Here&#039;s why.<\/h2>\n\n                        <h3 class=\"mt-4xl\">1. Why does Google DMS fail with &quot;connection timed out&quot; and no other information?<\/h3>\n            <div class=\"faq-answer\">\n                <p>A generic timeout with no additional context usually points to a Layer 2 or Layer 3 problem \u2014 meaning DMS can&#8217;t route a packet to your Oracle host at all. Start by checking your VPC peering, routing tables, and VPN configuration before looking anywhere else.<\/p>\n            <\/div>\n                    <h3 class=\"mt-4xl\">2. How do I test network connectivity to my Oracle database before running a DMS job?<\/h3>\n            <div class=\"faq-answer\">\n                <p>From a VM inside the DMS VPC, use <code class=\"bg-text-200\/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]\">ping<\/code> to validate Layer 3 routing, then <code class=\"bg-text-200\/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]\">nc -zv &lt;oracle-host-ip&gt; 1521<\/code> to confirm the TCP connection reaches the Oracle listener. If both pass, use <code class=\"bg-text-200\/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]\">tnsping<\/code> or <code class=\"bg-text-200\/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]\">lsnrctl status<\/code> to verify your service name at Layer 5.<\/p>\n            <\/div>\n                    <h3 class=\"mt-4xl\">3. What does a TNS error in DMS actually mean?<\/h3>\n            <div class=\"faq-answer\">\n                <p>TNS errors like ORA-12514 or ORA-12505 tell you that TCP succeeded and the Oracle listener picked up the connection, but the session negotiation failed. This is a Layer 5 problem \u2014 almost always a wrong service name or SID in your DMS connection profile, not a network issue.<\/p>\n            <\/div>\n                    <h3 class=\"mt-4xl\">4. What causes SSL handshake failures in Google DMS?<\/h3>\n            <div class=\"faq-answer\">\n                <p>SSL failures \u2014 ORA-28860, <code class=\"bg-text-200\/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]\">SSLHandshakeException<\/code>, or <code class=\"bg-text-200\/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]\">certificate_unknown<\/code> \u2014 are Layer 6 issues. They mean TCP and TNS both worked fine, but encryption setup fell apart. The cause is typically an untrusted certificate, a TLS version mismatch, or an expired cert. Use <code class=\"bg-text-200\/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]\">openssl s_client -connect &lt;host&gt;:1521<\/code> to test the handshake before DMS does.<\/p>\n            <\/div>\n                    <h3 class=\"mt-4xl\">5. If DMS returns ORA-01017, is there a network problem?<\/h3>\n            <div class=\"faq-answer\">\n                <p>No \u2014 ORA-01017 (invalid username\/password) is a Layer 7 error, which is actually good news. It means your network stack is working correctly end to end. The problem is credentials, schema access, or permissions in Oracle or Cloud SQL, not the network.<\/p>\n            <\/div>\n            <\/section>\n","protected":false},"excerpt":{"rendered":"<p>Debugging Google DMS failures for Oracle to Cloud SQL migrations? Use the OSI model to pinpoint network errors layer by layer and fix them fast.&hellip;<\/p>\n","protected":false},"author":346850,"featured_media":103110,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[10,143523,53,143533,143534],"tags":[5336,4168,4170,126411,4459,158978,4150],"coauthors":[159405],"class_list":["post-111274","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-databases","category-featured","category-oracle-databases","category-postgresql","tag-cloud","tag-database","tag-database-administration","tag-database-migration","tag-oracle","tag-postgresql","tag-sql"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/111274","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/users\/346850"}],"replies":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/comments?post=111274"}],"version-history":[{"count":11,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/111274\/revisions"}],"predecessor-version":[{"id":111550,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/111274\/revisions\/111550"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media\/103110"}],"wp:attachment":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media?parent=111274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/categories?post=111274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/tags?post=111274"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/coauthors?post=111274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}