Client Connections using Oracle RAC and SCAN - How it works demo with tcpdump
I posted this in the networking forum for someone having issues connecting a client to a RAC database. They have firewalls in place. I thought it could be helpful to post this for others who are curious how the "SCAN thing" works when a client attempts a connection, and what needs to be opened up from a firewall perspective. The issue in networking is still open (and they might not even be using SCAN at all), but hopefully with some of the explanation they can at least find where the problem is.
With firewalls in place, people often assume that if a client successfully "tnspings" a tnsentry (and SCAN is involved), the client can connect to the database (i.e. all firewall rules are in place and correct). This is not true. When you use SCAN and run "tnsping", only SCAN itself is checked, not the final destination (the node VIP/port). A successful tnsping means that you can get to the SCAN listener VIPs (and you have to check them all, as they are used round-robin). That's it. That being said, you could have a successful tnsping yet still have missing firewall rules preventing you