A fix is available
APAR status
Closed as program error.
Error description
Intrastack traffic is incorrectly being denied by IP filtering rules. The local/loopback traffic should not be subject to any IP filtering rules and should flow in the clear.

EZD0815I Packet denied by policy: filter rule=DenyAllRule_Generated___outbnd ext= sipaddr= x.x.x.x dipaddr= y.y.y.y proto = icmp(1) type= 8 code = 0 Interface= 127.0.0.1 (O) secclass= 0 dest= local len=284 vpnaction= N/A tunnelID= N/A ifcname= LOOPBACK fragment= N

Specific to this problem, the source IP address and destination IP address are different. Also note the Interface, dest and ifcname fields, which indicate that this is local/loopback traffic.
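An added example, not part of the APAR and not IBM code: a Python triage script that parses EZD0815I lines and flags denials matching the pattern described above (loopback interface, local destination, differing source and destination addresses). The function names, the sample log lines, their addresses, and the "routed" and "OSALINK1" values are constructed for illustration.

```python
import re

# key=value pairs in an EZD0815I line. Spacing around "=" is irregular and a
# value may be empty, as in "ext= sipaddr= ..." in the message shown above.
FIELD = re.compile(r"(\w+)\s*=\s*([^\s=]*)(?=\s|$)")

def parse_ezd0815i(line):
    """Return the message fields as a dict (lower-cased keys), or None."""
    if "EZD0815I" not in line:
        return None
    return {k.lower(): v for k, v in FIELD.findall(line)}

def is_intrastack_deny(fields):
    """True for the pattern in the error description: loopback interface,
    local destination, and source and destination addresses that differ."""
    sip, dip = fields.get("sipaddr"), fields.get("dipaddr")
    return bool(
        sip and dip and sip != dip
        and fields.get("interface") == "127.0.0.1"
        and fields.get("dest") == "local"
        and fields.get("ifcname") == "LOOPBACK"
    )

def triage(lines):
    """Return (rule, sipaddr, dipaddr, proto) for each intrastack denial."""
    hits = []
    for line in lines:
        f = parse_ezd0815i(line)
        if f and is_intrastack_deny(f):
            hits.append((f.get("rule"), f["sipaddr"], f["dipaddr"], f.get("proto")))
    return hits

# Constructed sample input (assumption): documentation addresses replace the
# x.x.x.x / y.y.y.y placeholders; the second line is a denial on a real link.
_HEAD = "EZD0815I Packet denied by policy: filter rule=DenyAllRule_Generated___outbnd ext= "
_TAIL = " len=284 vpnaction= N/A tunnelID= N/A ifcname= {} fragment= N"
SAMPLE = [
    _HEAD + "sipaddr= 192.0.2.10 dipaddr= 192.0.2.20 proto = icmp(1) type= 8 code = 0 "
            "Interface= 127.0.0.1 (O) secclass= 0 dest= local" + _TAIL.format("LOOPBACK"),
    _HEAD + "sipaddr= 192.0.2.10 dipaddr= 198.51.100.7 proto = icmp(1) type= 8 code = 0 "
            "Interface= 192.0.2.10 (O) secclass= 0 dest= routed" + _TAIL.format("OSALINK1"),
    "an unrelated log line (constructed)",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print("intrastack packet denied:", hit)
```

Hits from this check on a stack at the affected level point to this APAR rather than to an actual policy violation; the local fix above (rules that allow the intrastack traffic) applies to them.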
Local fix
Create rules to allow the intrastack traffic
Problem summary
USERS AFFECTED: All users of the IBM Communications Server for z/OS Version 1 Release(s) 10 and 11 IP and IP Security.

PROBLEM DESCRIPTION: IPSEC filtering may be incorrectly called for RAW IP protocol packets to local addresses.

RECOMMENDATION:

IPSEC filtering may be called for RAW protocol IP packets if both the source and destination IP addresses are local and not identical. One such case is if SOURCEVIPA is enabled and a local address is PINGed. IPSEC filtering should only be done if the packet is routed out of the IP stack.

Please check our Communications Server for OS/390 homepages for common networking tips and fixes. The URL for these homepages can be found in Informational APAR II11334.
Problem conclusion
EZBIPOUT and TORUWP were changed to only call IPSEC filtering if a raw packet may be routed out of the IP stack.

* Cross Reference between External and Internal Names
Temporary fix
Comments
**** PE10/12/07 FIX IN ERROR. SEE APAR PM28400 FOR DESCRIPTION
APAR Information
APAR number
PM02726
Reported component name
TCP/IP V3 MVS
Reported component ID
5655HAL00
Reported release
1A0
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2009-12-03
Closed date
2010-01-24
Last modified date
2010-12-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK53786 UK53787
Modules/Macros
EZBIPOUT EZBRWWRI EZBRWWR1 TORUWP
Fix information
Fixed component name
TCP/IP V3 MVS
Fixed component ID
5655HAL00
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
29 December 2010