Troubleshooting
Problem
Occasionally during startup of TCPIP (such as after an IPL), there is an EZZ8052I message issued by OMPROUTE stating that a SEND request has been blocked.
Symptom
EZZ8052I OMPROUTE SEND TO 224.0.0.5 BLOCKED BY TCPIP
Cause
IPSECURITY has been configured on the IPCONFIG (or IPCONFIG6) statement in the TCPIP PROFILE. By default, all IP traffic is blocked until the Policy Agent process has installed the defined rules in the TCPIP stack. If OMPROUTE sends an OSPF HELLO packet before the rules are installed, it will get an error indication that is reflected by this message.
Resolving The Problem
Add an IPSEC section to the TCPIP PROFILE, specifying the default filter rules for the stack to use prior to Policy Agent initialization. The following sample shows the minimum needed to allow OMPROUTE to function:
IPSEC
; Rule Src Dst Logging Protocol
; OSPF protocol used by Omproute
IPSECRule * * NOLOG PROTO OSPF
; IGMP protocol used by Omproute
IPSECRule * * NOLOG PROTO 2
; RIP protocol used by Omproute (if enabled)
IPSECRule * * NOLOG PROTO UDP SRCPORT 520 DESTPORT *
IPSECRule * * NOLOG PROTO UDP SRCPORT * DESTPORT 520
; IPv6 OSPF protocol used by Omproute (if enabled)
IPSEC6Rule * * NOLOG PROTO OSPF
; IGMP protocol used by Omproute (if updated)
IPSEC6Rule * * NOLOG PROTO 2
; IPv6 RIP protocol used by Omproute (if enabled)
IPSEC6Rule * * NOLOG PROTO UDP SRCPORT 521 DESTPORT *
IPSEC6Rule * * NOLOG PROTO UDP SRCPORT * DESTPORT 521
ENDIPSEC
You will want to consider adding other rules for minimal access as well (such as allowing connections to TN3270 or z/OSMF from computer room workstations).
Was this topic helpful?
Document Information
Modified date:
23 June 2018
UID
swg21412615