Using Oracle DB 11.2 RAC SCAN setup, what network access must be open for clients?
Is this correct: Acces to TCP ports 1521 on the SCAN listener and the node VIP (or real) addresses?
(assuming 1521 is the configured port on the servers)
Is just access to the SCAN address enough?
Check the configuration of the scan listener by doing $ srvctl config scan_listener <scan_name>
The port if you did not change shouldmbe 1521 the tns that you provide to the client should have the scan address for the host name
You have to open the firewall for both the SCAN and VIP addresses, as the SCAN listener forwards the requests to the local listeners that listens on VIPs.