z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


EZD1115I

z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
SC27-3655-01

EZD1115I
Policy mismatch : Proposal prop_num requires parameter parameter that is not supported by statement state_num

Explanation

The Internet Key Exchange (IKE) daemon was unable to accept a proposal because there was a mismatch in the configured policy. The IKE daemon continues to the next proposal. If no proposals are accepted, the Security Association negotiation will fail. This will be indicated by an EZD0985I, EZD1021I, or EZD1022I message later in syslog.

In the message text:
prop_num
The number of the proposal that is being compared. The number corresponds to the order of proposals in an offer received.
parameter
The parameter that encountered a mismatch. See the information about the Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference for more information about the parameter specified.
statement
Indicates whether the mismatched parameter was configured on the KeyExchangeOffer, IpDataOffer, or IpDynVpnAction statement in the policy configuration file.
When configured with the IBM® Configuration Assistant for z/OS® Communications Server:
  • The KeyExchangeOffer statements are located on the corresponding connectivity rule's Advanced IPSec: Dynamic Tunnels: Key Exchange Settings panel. Use the KeyExchangeRule name from message EZD1021I to identify the connectivity rule. The IpDataOffer statement is located in the corresponding security level. However, if the parameter is HowToEncap, this setting is located on the connectivity rule's Advanced IPSec: Dynamic Tunnels: Key Exchange Settings panel. Use the DynVpnAction name from message EZD1022I to identify the security level. Use the IpFilerRule name from message EZD1022I to identify the connectivity rule.
  • The IpDynVpnAction statement corresponds to the security level in the IBM Configuration Assistant for z/OS Communications Server. Use the DynVpnAction name from message EZD1022I to identify the corresponding security level.
state_num
The number of a statement referenced from the policy. The number corresponds to the order of the references in the policy. Therefore, the first statement referenced from the policy would have number 1 in this message.

System action

If the IKE daemon does not accept any of the proposals, the negotiation fails; the IKE daemon continues.

System programmer response

If the proposal that contains the mismatch is the one that should be accepted, either alter the local policy to accept the value in this proposal or notify the administrator of the remote security endpoint about the mismatch and ask the administrator to alter the remote configuration to propose the correct values. See the information about the Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference for more information about configuring policy.

User response

Contact the system programmer.

Module

policy.cpp

Procedure name

None.

Parent topic: EZD1xxxx messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014