A fix is available
APAR status
Closed as program error.
Error description
Storage growth in TCPIP private in subpool 249 key6. The storage growth occurs when UDP EE traffic on demand VPN creation fails. Verification steps: orphaned storage looks similar to this: 89C7ECB5 ADF1E062 00000270 06F91117 | iG...1\......9.. 00000000 7E5A7390 00030000 CB89C7EC | ....=!.......iG. BB0D8C29 04C8F0C1 00000000 00000000 | .....H0A........ 00000000 04C8F041 00000000 00000000 | .....H0......... 00000000 11800000 2EE02EE0 00000000 | .........\.\.... 00442429 04C8F0C1 FFFFFFFF 04C8F041 | .....H0A.....H0. FFFFFFFF 2EE00011 2EE00001 00E80000 | .....\...\...Y.. 00000000 00007AC9 D7E28583 6DC4A895 | ......:IPSec_Dyn 6DC5E2D7 6DE2C8C1 6DC1C5E2 6DD7C6E2 | _ESP_SHA_AES_PFS 7DC8D3EF. LENGTH(X'20')--All bytes contain X'00' 00000000 00000000 02000000 7DC8D420 | ............'HM. | 7DC8D41F. LENGTH(X'20')--All bytes contain X'00' C0000000 2EE42EE4 00000000 D4E3F0F0 | {....U.U....MT00 | 60D4E9F0 F0A1F700 00000000 00000000 | -MZ00~7......... | 7DC8D44F. LENGTH(X'10')--All bytes contain X'00' 00000000 F1000000 00000000 00000000 | ....1........... | offset 4 is the address of the storage requestor module, which will be EZAFPCKT. Offset x'1c' - 20' is the timestamp that the storage was obtained. SYSOMVS exception ctrace shows IOCTL issued from the IKED address with the following failures: FCN...w_ioctl SYSCALL...BPX1IOC PID...0306001E MT81 SYSCALL 0F080002 10:04:44.267317 STANDARD SYSCALL EXIT TRACE ASID..0257 USERID....Q100409 STACK@....31937118 TCB...008CFD90 EUID......00000000 PID.......0306001E +0000 0000001D 00000000 D1C3E2E2 80000000 +0010 04040002 00000000 FFFFFFFF 00000079 +0020 778F00A9 | ...z einval errno x'79 and ReasonCode: 778F00A9 Module: EZBISEVT ErrnoJr: 169 JRINVALIDPARMS Description: An incorrect combination of parameters was specified Also the following messages may be logged in syslogd related to Dynamic on-demand VPN creation failures: EZD0917I Could not find applicable KeyExchangeRule - LocalIp : EZD1794I Local activation of a dynamic tunnel failed for UDP(17) EZD0984I IKE function 0875 isakmp_anchor::ureq_ond_ioctl_handler Additional Symptom(s) Search Keyword(s): TCPIP Private subpool 249 key6, IKED high CPU using EE VPNs, EE SA refresh intervals are occurring too often
Local fix
recycle TCPIP
Problem summary
**************************************************************** * USERS AFFECTED: All users of the IBM Communications Server * * for z/OS Version 1 Release(s) 12 and 13 IP: * * Enterprise Extender and IP Security * **************************************************************** * PROBLEM DESCRIPTION: Various symptoms after application of: * * OA40347/UA66722 - R1D0 * * OA41280/UA67884 - R1C0 * * * * Incorrect IP routes were taken for * * some EE datagrams over port 12000. * * This may lead to unexpected connection * * disconnects or the inability to * * establish a connection. * * * * Storage growth in TCPIP private in * * subpool 249 key6. The storage growth * * occurs when a failure occurs trying to * * establish a dynamic on-demand VPN * * for EE traffic enabled for IPSEC. * **************************************************************** * RECOMMENDATION: * **************************************************************** Enterprise Extender (EE) storge leak of TCP/IP private subpool 249 key 6. Occurs for IPSec on demand VPN failure for EE UDP traffic. The storage leak occurs when EE control signals are simultaneously being transmitted to multiple remote EE endpoints and a failure is detected on the creation of IPSec on demand VP VPN tunnel. The failure of this tunnel is due to TCP/IP not expecting EE control signals destined to multiple destinations on a single invocation and therefore not obtaining appropriate routing information. +-------------------------------------------------------------+ + Please check our Communications Server for OS/390 homepages + + for common networking tips and fixes. The URL for these + + homepages can be found in Informational APAR II11334. + +-------------------------------------------------------------+
Problem conclusion
EZBUDBYP has been amended to appropriately handle chained IUTILs that are not all associated with the same route. Additionally EZBISEVT was modified to free the event element for VPN tunnel creation failure with a reason TUNNEL_OND_FAIL. * Cross Reference between External and Internal Names
Temporary fix
Comments
APAR Information
APAR number
PM91713
Reported component name
TCP/IP V3 MVS
Reported component ID
5655HAL00
Reported release
1C0
Status
CLOSED PER
PE
NoPE
HIPER
YesHIPER
Special Attention
NoSpecatt
Submitted date
2013-06-24
Closed date
2013-08-06
Last modified date
2013-10-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PM94671 UK96483 UK96484
Modules/Macros
EZBISEVT EZBUDBYP
Fix information
Fixed component name
TCP/IP V3 MVS
Fixed component ID
5655HAL00
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"1C0","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSCY4DZ","label":"DO NOT USE"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"1C0","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
04 October 2013