A fix is available
APAR status
Closed as program error.
Error description
. A Sysplex Distributor system is the end point for an IPSec tunnel (VPN) for connections using a Distributed DVIPA (the DVIPSEC keyword on the IPSEC statement). This system also has VIPAROUTE statements for target systems, and those targets have ADJUSTDVIPAMSS enabled (AUTO or ALL) on their GLOBALCONFIG statement (AUTO is the default for z/OS 2.2). Under certain conditions, the MSS negotiated (returned in the SYN-ACK packet) for associated connections will not be reduced enough to account for both the VIPAROUTE GRE wrapper and the IPSec overhead. This can cause fragmentation of larger packets between the distributor and the target systems. Other symptoms: If the client system has (the equivalent of) PATHMTUDISCOVERY enabled but the intervening network (firewalls) block the ICMP Fragmentation Required messages, this can cause session timeouts.
Local fix
. - Ensure that the network allows ICMP Fragmentation Required (type 3, code 4) packets to flow between the distributing system and any clients. This should be done any time PATHMTUDISCOVERY is being used on systems (not just for this problem). OR - Have the client systems disable PATHMTUDISCOVERY.
Problem summary
**************************************************************** * USERS AFFECTED: * * All users of the IBM Communications Server for z/OS Version * * 2 Releases 1 and 2 IP * **************************************************************** * PROBLEM DESCRIPTION: * * The maximum segment size in the TCP MSS option in the * * SYN-ACK may be incorrect leading to fragmentation. * **************************************************************** * RECOMMENDATION: * * Apply the PTF * **************************************************************** The MSS sent in the SYN-ACK may be calculated incorrectly if IPSec is enabled and/or AdjustDVIPAMSS is configured on the GlobalConfig statement in the TCP/IP profile.
Problem conclusion
Correctly calculate the maximum segment size.
Temporary fix
Comments
APAR Information
APAR number
PI65193
Reported component name
TCP/IP V3 MVS
Reported component ID
5655HAL00
Reported release
210
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-06-30
Closed date
2016-08-01
Last modified date
2016-10-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI39789 UI39790
Modules/Macros
EZBT6SND EZBIPINB EZBIFINB EZB6PSPI EZBTCSND EZBTCPCN
Fix information
Fixed component name
TCP/IP V3 MVS
Fixed component ID
5655HAL00
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"210","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSCY4DZ","label":"DO NOT USE"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"210","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
03 October 2016