Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
EZD1025I z/OS Communications Server: IP Messages Volume 2 (EZB, EZD) SC27-3655-01 |
|
EZD1025I Cannot be an initiator of a phase 2 Security Association
negotiation ExplanationThe local IKE daemon is attempting to initiate a phase 2 security association (SA), and the local policy specifies that it can only act as a responder. Additional diagnostic messages that have the same message instance number will be issued to identify the impacted Security Association (SA). The message instance number precedes the message number in the log output and is used to group related messages from the IKE daemon. System actionThe SA negotiation failed; IKE daemon processing continues. Operator responseCheck the server's configuration for phase 2 activation. When configured without the IBM® Configuration Assistant for z/OS® Communications Server, the IKE daemon's phase 2 initiation role is set on the Initiation parameter in the IpDynVpnAction statement for this SA. If the local IKE server should be able to initiate the negotiation for this SA, then change the server's Initiation role in the appropriate IpDynVpnAction statement to LocalOnly or Either. See the information about the Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference for more information about configuring policy. When configured with the IBM Configuration Assistant for z/OS Communications Server, edit the corresponding Connectivity Rule in the GUI and check the Advanced IPSec: Dynamic Tunnel: How to Activate panel to see if local activation of phase 2 tunnels is allowed. See the online helps in the GUI for additional information. System programmer responseNone. Modulepolicy.cpp Procedure nameNone. |
Copyright IBM Corporation 1990, 2014
|