IBM Support

PI65193: THE MSS FOR SESSIONS OVER IPSEC TUNNELS AND ADJUSTDVIPAMSS ENABLED MAY BE TOO LARGE

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • .
    A Sysplex Distributor system is the end point for an IPSec
    tunnel (VPN) for connections using a Distributed DVIPA (the
    DVIPSEC keyword on the IPSEC statement).  This system also has
    VIPAROUTE statements for target systems, and those targets have
    ADJUSTDVIPAMSS enabled (AUTO or ALL) on their GLOBALCONFIG
    statement (AUTO is the default for z/OS 2.2).  Under certain
    conditions, the MSS negotiated (returned in the SYN-ACK packet)
    for associated connections will not be reduced enough to account
    for both the VIPAROUTE GRE wrapper and the IPSec overhead.  This
    can cause fragmentation of larger packets between the
    distributor and the target systems.
    
    
    Other symptoms:
    
    If the client system has (the equivalent of) PATHMTUDISCOVERY
    enabled but the intervening network (firewalls) block the ICMP
    Fragmentation Required messages, this can cause session
    timeouts.
    

Local fix

  • .
     - Ensure that the network allows ICMP Fragmentation Required
       (type 3, code 4) packets to flow between the distributing
       system and any clients.  This should be done any time
       PATHMTUDISCOVERY is being used on systems (not just for this
       problem).
    
    OR
    
     - Have the client systems disable PATHMTUDISCOVERY.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All users of the IBM Communications Server for z/OS Version  *
    * 2 Releases 1 and 2 IP                                        *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * The maximum segment size in the TCP MSS option in the        *
    * SYN-ACK may be incorrect leading to fragmentation.           *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply the PTF                                                *
    ****************************************************************
    The MSS sent in the SYN-ACK may be calculated incorrectly if
    IPSec is enabled and/or AdjustDVIPAMSS is configured on the
    GlobalConfig statement in the TCP/IP profile.
    

Problem conclusion

  • Correctly calculate the maximum segment size.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI65193

  • Reported component name

    TCP/IP V3 MVS

  • Reported component ID

    5655HAL00

  • Reported release

    210

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-06-30

  • Closed date

    2016-08-01

  • Last modified date

    2016-10-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI39789 UI39790

Modules/Macros

  • EZBT6SND EZBIPINB EZBIFINB EZB6PSPI EZBTCSND EZBTCPCN
    

Fix information

  • Fixed component name

    TCP/IP V3 MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R220 PSY UI39790

       UP16/09/12 P F609

  • R210 PSY UI39789

       UP16/09/12 P F609

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"210","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSCY4DZ","label":"DO NOT USE"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"210","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
03 October 2016