A fix is available
APAR status
Closed as program error.
Error description
Problems associated with reauthentication of IKEv2 IKE SAs (Phase1).

During IKE SA reauthentication, issues related to NSSD timeouts during signature verification may leave IKE SAs in an unusable, half-closed state. These SAs are not deleted, and traffic using them will be affected.

Additional Symptom(s) Search Keyword(s):
half closed
IKED issues abend : IKED TASK - EZD0922I INTERNAL ERROR 14F7 - 4892 | 0 | 0
Half closed IKEv2 IKE (Phase1) SAs

IKE debug messages:
IKE DEBUGSA : A dynamic tunnel activation is delayed due to negotiation throttling
or
IKE DEBUGSA : A request to establish a Phase 1 security association is denied due to negotiation throttling
or
A request to establish a Phase 2 security association is denied due to negotiation throttling
Local fix
Ensure that NSSD is getting enough CPU resource through its WLM class, and ensure that NSSD is running non-swappable.
Problem summary
USERS AFFECTED: All users of the IBM Communications Server for z/OS Version 2 Release 1 IPSECURITY function

PROBLEM DESCRIPTION: Growth in the number of active generations of an IKEv2 IKE SA when reauthentication is enabled.

RECOMMENDATION: Apply PTF

After an IKEv2 IKE SA is reauthenticated, IKED was unable to delete the original IKE SA if it was the initiator of the original IKE SA. This led to an additional reauthentication by the peer and 2 active generations of the IKEv2 IKE SA. With each reauthentication, the number of active generations of the IKEv2 IKE SA could increase.
Problem conclusion
When reauthentication is initiated, information is saved so that IKED is able to delete the original IKE SA after the reauthentication completes.
Temporary fix
Reauthentication can be disabled.
Comments
APAR Information
APAR number
PI60199
Reported component name
TCP/IP V3 MVS
Reported component ID
5655HAL00
Reported release
210
Status
CLOSED PER
PE
YesPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-04-04
Closed date
2016-05-11
Last modified date
2016-08-19
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI37763
Modules/Macros
EZAI2ISA
Fix information
Fixed component name
TCP/IP V3 MVS
Fixed component ID
5655HAL00
Applicable component levels
R210 PSY UI37763
UP16/06/23 P F606 {
Document Information
Modified date:
19 August 2016