A fix is available
APAR status
Closed as unreproducible.
Error description
SWSA Takeover SA not recovered due to a timing problem sychronizing the XCF messages to add/delete dynamic filters. LPAR-A detected that a DVIPA had been added to LPAR-B and had begun processing to delete the tunnels it had negotiated for the DVIPA. A Del_Target_Tunnels table (DTT_Table) had been built and an async routine had been scheduled to process it and delete the tunnels. However, before the async processing got control to delete the tunnels, a SWASREQTUN from LPAR-A was processed by LPAR-B. The SWSAREQTUN requested that LPAR-B send shadow tunnels to LPAR-A. LPAR-B went through its tunnel table and built a SWSATUN message for each tunnel, including the ones that were scheduled to be deleted. Additional Symptom(s) Search Keyword(s): SWSA EZD0953I DVIPA
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of the IBM Communications Server * * for z/OS Version 1 Release 13 IP: * * Sysplex-Wide Security Associations * **************************************************************** * PROBLEM DESCRIPTION: IPSEC dynamic filter install fails due * * to a conflict with an existing shadow * * filter. * **************************************************************** * RECOMMENDATION: * **************************************************************** When a TCP/IP stack is joining a sysplex, if it is taking over a dynamic VIPA that has IPSec tunnels associated with it, there is a timing window where the previous owner of the DVIPA will send a shadow tunnel to the new DVIPA owner. As part of the takeover of the DVIPA, the new owner notifies the IKE daemon to negotiate new tunnels for traffic to the DVIPA. When IKED attempts to install the new tunnel and dynamic filters, message EZD0953I FILTER INSTALLATION FAILED DUE TO CONFLICT WITH EXISTING FILTER is issued and a new tunnel cannot be successfully established. +-------------------------------------------------------------+ + Please check our Communications Server for OS/390 homepages + + for common networking tips and fixes. The URL for these + + homepages can be found in Informational APAR II11334. + +-------------------------------------------------------------+
Problem conclusion
Temporary fix
Comments
A check is added to ensure that a tunnel that is scheduled to be deleted is not distributed to a TCP/IP stack that is joining the sysplex. This APAR is a logical route of defect D154812
APAR Information
APAR number
PI44238
Reported component name
TCP/IP V3 MVS
Reported component ID
5655HAL00
Reported release
1D0
Status
CLOSED UR3
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-07-02
Closed date
2015-07-06
Last modified date
2015-10-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI29152
Modules/Macros
EZBXFSWS EZBXFUT2
Fix information
Fixed component name
TCP/IP V3 MVS
Fixed component ID
5655HAL00
Applicable component levels
R1D0 PSY UI29152
UP15/09/16 P F509
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"1D0","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSCY4DZ","label":"DO NOT USE"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"1D0","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
02 October 2015