PM62089: IKEV1 DELETE PAYLOADS NOT BEING SENT DURING IKED TERMINATION

A fix is available


APAR status

  • Closed as program error.

Error description

  • Delete payloads for IKEv1-established Phase2 Security
    Associations (SAs) are not generated and sent to remote IKE
    partners during IKED address space termination, even though
    IKED removes its own representations of those Phase2 SAs when
    it terminates. The reported scenario occurs when the anchor
    IKE SA (Phase1) has expired and been deleted but the Phase2
    SAs have not. After IKED is restarted, the following messages
    are seen in the IKE log because the remote IKE partner is
    still using the Phase2 SA that existed before the IKE daemon
    was recycled:
    
    EZD0811I Decapsulation failed ........
    

Local fix

  • Issue IPSEC -y deact before stopping IKED
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of the IBM Communications Server   *
    *                 for z/OS Version 1 Release 11, 12, and 13    *
    *                 IP: IPSecurity                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: EZD0811I Decapsulation failed message   *
    *                      after an IKED termination/restart       *
    *                      that left a phase 2 SA on the partner.  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The problem may be summarized as follows:
    1. A phase 1 SA is established with a small
       RefreshLifetimeProposed value.
    2. The associated phase 2 SA is established
       with a RefreshLifetimeProposed value that
       is larger than the phase 1 value.
    3. The phase 1 SA is refreshed and the original
       instance of the phase 1 SA expires.
    4. IKED is stopped on one side of the tunnel.
    5. The phase 1 SA at the partner is deleted,
       but the phase 2 SA is not.
    6. When IKED is restarted and the phase 2 SA
       is reestablished, the EZD0811I Decapsulation
       failed message is seen.
    +-------------------------------------------------------------+
    + Please check our Communications Server for OS/390 homepages +
    + for common networking tips and fixes.  The URL for these    +
    + homepages can be found in Informational APAR II11334.       +
    +-------------------------------------------------------------+
    

Problem conclusion

  • EZAIKRAD is updated to ensure the phase 2 SAs are deleted
    when the phase 1 SA is deleted.
    
    EZAIKFIN is included for maintenance purposes only.
    
    * Cross Reference between External and Internal Names
    EZAIKFIN (FW@INITT)  EZAIKRAD (RADDRBLO)
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM62089

  • Reported component name

    TCP/IP V3 MVS

  • Reported component ID

    5655HAL00

  • Reported release

    1C0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-04-09

  • Closed date

    2012-04-13

  • Last modified date

    2012-06-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK77947 UK77948 UK77949

Modules/Macros

  • EZAIKFIN EZAIKRAD
    

Fix information

  • Fixed component name

    TCP/IP V3 MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R1B0 PSY UK77947

       UP12/05/10 P F205

  • R1C0 PSY UK77948

       UP12/05/10 P F205

  • R1D0 PSY UK77949

       UP12/05/10 P F205

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
03 June 2012