A fix is available
APAR status
Closed as unreproducible in next release.
Error description
When acting as the responder, using IKEv1, there is a time delay between sending Phase 2 Message 4 and the tunnel actually being installed. During this delay the initiator can start sending encrypted data before the tunnel is installed, and the packet is then dropped as a decapsulation failure.

Additional Symptoms: Decapsulation failure in TRMD logs before the tunnel is added:

Dec 16 13:36:49 TSTB/TRMD TRMD1 TRMD.TCPIPRO4[33556017]: EZD0811I Decapsulation failed: 12/16/2011 11:36:44.93 sipaddr= 10.1.2.217 dipaddr= 10.1.2.100 proto= esp(50) vpnaction= N/A tunnelID= N/A AHSPI= N/A ESPSPI= 4248800891 rsn= 9 ICSF Return Code= 0 ICSF Reason Code= 0 ikeport= N/A

Dec 16 13:36:49 TSTB/TRMD TRMD1 TRMD.TCPIPRO4[33556017]: EZD0818I Tunnel added: 12/16/2011 11:36:44.95 vpnaction= PFS2~16 tunnelID= Y29 AHSPI= 0 ESPSPI= 4248800891

Keywords: IKED, IPSEC, IKEv1
Local fix
Retransmit encrypted packet
Problem summary
USERS AFFECTED: All users of the IBM Communications Server for z/OS Version 1 Releases 12 and 13 IP: IPSecurity

PROBLEM DESCRIPTION: Decapsulation errors occur because the packet arrives before the IPSec tunnel is fully established.

RECOMMENDATION:

The problem is summarized as follows:

1. An IKEv1 tunnel negotiation is occurring.
2. When the responder receives quickmode message 3, it sends quickmode message 4 back to the initiator.
3. The initiator quickly sends a packet on the new tunnel.
4. EZD0811I "Decapsulation failed" is seen for the packet because the tunnel is not yet installed at the stack by the responder.
5. The responder installs the tunnel; however, it is too late for the packet that has already failed.

Please check our Communications Server for OS/390 homepages for common networking tips and fixes. The URL for these homepages can be found in Informational APAR II11334.
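The five-step sequence above leaves a recognisable fingerprint in the TRMD log: an EZD0811I decapsulation failure for an ESP SPI that is followed, a few milliseconds later, by an EZD0818I "Tunnel added" for that same SPI. The script below is an added example, not IBM code from the APAR, that parses TRMD lines of the format shown in the error description and correlates the two message IDs by ESPSPI so an operator can separate this install-ordering race from unrelated decapsulation failures. The two genuine log lines are taken from the APAR; the third line (SPI 12345678, source 10.1.2.250) is constructed to show a failure that is never "explained" by a later tunnel install and is therefore not reported. The 5-second correlation window is an assumption chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two TRMD lines quoted in the APAR, plus one
# constructed EZD0811I for a different SPI that never gets a tunnel install.
SAMPLE_LOG = """\
Dec 16 13:36:49 TSTB/TRMD TRMD1 TRMD.TCPIPRO4[33556017]: EZD0811I Decapsulation failed: 12/16/2011 11:36:44.93 sipaddr= 10.1.2.217 dipaddr= 10.1.2.100 proto= esp(50) vpnaction= N/A tunnelID= N/A AHSPI= N/A ESPSPI= 4248800891 rsn= 9 ICSF Return Code= 0 ICSF Reason Code= 0 ikeport= N/A
Dec 16 13:36:49 TSTB/TRMD TRMD1 TRMD.TCPIPRO4[33556017]: EZD0818I Tunnel added: 12/16/2011 11:36:44.95 vpnaction= PFS2~16 tunnelID= Y29 AHSPI= 0 ESPSPI= 4248800891
Dec 16 13:37:02 TSTB/TRMD TRMD1 TRMD.TCPIPRO4[33556017]: EZD0811I Decapsulation failed: 12/16/2011 11:36:58.10 sipaddr= 10.1.2.250 dipaddr= 10.1.2.100 proto= esp(50) vpnaction= N/A tunnelID= N/A AHSPI= N/A ESPSPI= 12345678 rsn= 9 ICSF Return Code= 0 ICSF Reason Code= 0 ikeport= N/A
"""

# syslog prefix, TRMD job tag, message id, message text, event timestamp, key/value tail
LINE_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>\S+) (?P<job>\S+): "
    r"(?P<msgid>EZD\d{4}[A-Z]) (?P<text>[^:]+): "
    r"(?P<event_ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+)(?P<fields>.*)$"
)
# TRMD writes "key= value"; some keys contain spaces ("ICSF Return Code= 0"),
# so the key pattern allows spaces and is stripped afterwards.
FIELD_RE = re.compile(r"([\w ]+?)= (\S+)")

# Assumed correlation window: a tunnel install this soon after the failure
# is treated as the same negotiation rather than an unrelated rekey.
RACE_WINDOW = timedelta(seconds=5)


def parse_line(line):
    """Parse one TRMD line into a dict, or return None if it is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The event timestamp inside the message is the stack's own clock, which
    # is what orders the failure against the tunnel install.
    rec["event_ts"] = datetime.strptime(rec["event_ts"], "%m/%d/%Y %H:%M:%S.%f")
    rec["fields"] = {k.strip(): v for k, v in FIELD_RE.findall(rec["fields"])}
    return rec


def find_install_races(lines, window=RACE_WINDOW):
    """Return one finding per EZD0811I that is followed within `window` by an
    EZD0818I installing a tunnel with the same ESPSPI (the APAR's symptom)."""
    pending = {}      # ESPSPI -> failures still waiting for a matching install
    findings = []
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue
        spi = rec["fields"].get("ESPSPI")
        if rec["msgid"] == "EZD0811I":
            pending.setdefault(spi, []).append(rec)
        elif rec["msgid"] == "EZD0818I":
            for fail in pending.pop(spi, []):
                delta = rec["event_ts"] - fail["event_ts"]
                if timedelta(0) <= delta <= window:
                    findings.append({
                        "espspi": spi,
                        "tunnel_id": rec["fields"].get("tunnelID"),
                        "src": fail["fields"].get("sipaddr"),
                        "rsn": fail["fields"].get("rsn"),
                        "lag_ms": delta // timedelta(milliseconds=1),
                    })
    return findings


if __name__ == "__main__":
    for f in find_install_races(SAMPLE_LOG.splitlines()):
        print("ESP SPI %(espspi)s from %(src)s failed decapsulation %(lag_ms)d ms "
              "before tunnel %(tunnel_id)s was installed (rsn=%(rsn)s)" % f)
```

Failures whose SPI never receives a tunnel install stay in `pending` and are not reported, which keeps genuine key mismatches or stray ESP traffic out of this particular finding; a real deployment would also want to age out those pending entries and to key on the peer address where SPIs are reused across tunnels.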
Problem conclusion
Temporary fix
Comments
EZAIKPII is updated to ensure that the tunnel is installed before the quickmode message 4 is sent. EZAIKFIN is included for maintenance purposes only.
APAR Information
APAR number
PM58578
Reported component name
TCP/IP V3 MVS
Reported component ID
5655HAL00
Reported release
1C0
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-02-20
Closed date
2012-02-27
Last modified date
2012-04-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK76580 UK76581
Modules/Macros
EZAIKFIN EZAIKPII
Fix information
Fixed component name
TCP/IP V3 MVS
Fixed component ID
5655HAL00
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
03 April 2012