z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)


SC27-3655-01

EZD2021A
QDIO ACCELERATOR IS ENABLED ONLY FOR SYSPLEX DISTRIBUTOR BECAUSE OF POLICY FILTER RULES

Explanation

QDIO Accelerator will accelerate only Sysplex Distributor traffic. Routed traffic cannot be accelerated for one of the following reasons:
  • The current IP security filters in your policy configuration do not explicitly permit all routed traffic.
  • Filter logging is enabled for routed traffic in your policy configuration.

To satisfy your configured IP filters, routed traffic must be processed by the TCP/IP stack, where IP filtering is implemented.

System action

Processing continues with QDIO Accelerator enabled only for sysplex distributor traffic.

Operator response

Contact the system programmer.

System programmer response

No action is required if any of the following conditions are true:
  • Your security policy requires some routed traffic to be denied
  • Your security policy requires some routed traffic to be protected using IPsec
  • Your security policy requires some routed traffic to be subject to filter logging
  • You do not want to use QDIO acceleration for your routed traffic

If your security policy allows all routed traffic to be permitted and does not require any routed traffic to be subject to filter logging, you can change the IP security filters in your policy configuration so that QDIO Accelerator is enabled for routed traffic. To do this, modify your policy configuration:

  1. If you are using the IBM® Configuration Assistant for z/OS® Communications Server to configure your IPSec policy:
    1. Ensure that the first connectivity rule that applies to routed IPv4 traffic specifies a topology of filtering only, applies to all IPv4 addresses, and uses a requirement map that maps all IP protocols and all security classes to a security level of Permit.
      Tip: Your connectivity rule might apply to both local and routed traffic. If your security policy does not allow you to permit all local traffic, split this rule into two rules, one that applies to filtering for routed traffic, and one that applies to filtering for local traffic.
    2. Ensure that this connectivity rule specifies that filter matches are not to be logged.
  2. Otherwise, if you are manually configuring your IPSec policy:
    1. Ensure that the first IpFilterRule statement whose associated IpService statement has a Routing specification of Routed or Either permits all IPv4 addresses, permits all protocols and all security classes, and has a Direction specification of Bidirectional.
      Tip: If your rule has a Routing specification of Either, it applies to both local and routed traffic. If your security policy does not allow you to permit all local traffic, split this IpFilterRule into two filter rules, one with a Routing specification of Routed and one with a Routing specification of Local.
    2. Ensure that this IpFilterRule statement's associated IpGenericFilterAction statement does not specify an IpFilterLogging setting of Yes to enable filter logging.

For more information, see QDIO Accelerator and IP security in z/OS Communications Server: IP Configuration Guide.
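
The manual-configuration checks in step 2, as an added Python example (not IBM code and not part of the original page). It reads a constructed policy and reports why the first routed IpFilterRule would keep routed traffic out of QDIO Accelerator. The keywords IpSourceAddr, IpDestAddr, Protocol, SecurityClass, IpFilterAction and IpGenericFilterActionRef, and the values All4, All and 0, are assumed spellings to verify against your Policy Agent reference; only inline IpService blocks and single-value attributes are handled.

```python
import re

# Constructed sample policy (not from the page); attributes share lines for brevity.
SAMPLE = """
IpGenericFilterAction PermitLog { IpFilterAction Permit  IpFilterLogging Yes }
IpFilterRule LocalOnly { IpService { Protocol Tcp  Routing Local }  IpGenericFilterActionRef PermitLog }
IpFilterRule RoutedAll {
  IpSourceAddr All4  IpDestAddr All4
  IpService { Protocol All  Direction Bidirectional  Routing Either  SecurityClass 0 }
  IpGenericFilterActionRef PermitLog
}
"""

def parse(tok, i=0):
    """Parse 'Key [Value] [{ ... }]' items into (key, value, body) tuples."""
    items = []
    while i < len(tok) and tok[i] != "}":
        key, val, body, i = tok[i], None, None, i + 1
        if i < len(tok) and tok[i] not in ("{", "}"):
            val, i = tok[i], i + 1
        if i < len(tok) and tok[i] == "{":
            body, i = parse(tok, i + 1)
            i += 1  # consume the closing brace
        items.append((key, val, body))
    return items, i

def flat(body):  # simple 'Key Value' attributes of a block, nested blocks skipped
    return {k: v for k, v, b in body or [] if b is None}

def routed_blockers(text):
    """Return (rule name, reasons) for the first rule whose IpService has Routing
    Routed or Either; a missing Routing is treated as local-only (assumption)."""
    items, _ = parse(re.findall(r"[{}]|[^\s{}]+", re.sub(r"#.*", "", text)))
    actions = {v: flat(b) for k, v, b in items if k == "IpGenericFilterAction"}
    for k, name, body in items:
        svc = next((flat(b) for kk, _, b in body or [] if kk == "IpService"), {})
        if k != "IpFilterRule" or svc.get("Routing") not in ("Routed", "Either"):
            continue
        rule = flat(body)
        act = actions.get(rule.get("IpGenericFilterActionRef"), {})
        checks = [
            (rule.get("IpSourceAddr") == rule.get("IpDestAddr") == "All4", "addresses are not All4"),
            (svc.get("Protocol") == "All", "Protocol is not All"),
            (svc.get("SecurityClass", "0") == "0", "SecurityClass is not 0 (assumed: all)"),
            (svc.get("Direction") == "Bidirectional", "Direction is not Bidirectional"),
            (act.get("IpFilterAction") == "Permit", "action is not Permit"),
            (act.get("IpFilterLogging") != "Yes", "IpFilterLogging is Yes"),
        ]
        return name, [why for ok, why in checks if not ok]
    return None, ["no routed IpFilterRule found"]
```

For the sample, `routed_blockers(SAMPLE)` skips the local-only rule and flags only the logging setting on `RoutedAll`. Because that rule uses Routing Either, relaxing it also affects local traffic, which is the case the Tip above addresses by splitting the rule.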

User response

Not applicable.

Problem determination

None.

Source

z/OS Communications Server TCP/IP

Module

EZBISSFT, EZBISPSW, EZBIPEPR

Routing code

10

Descriptor code

2

Automation

You can automate on this message to detect situations when routed traffic is not being QDIO accelerated because of IP filtering rules.

Example

EZD2021A QDIO ACCELERATOR IS ENABLED ONLY FOR SYSPLEX DISTRIBUTOR BECAUSE OF POLICY FILTER RULES





Copyright IBM Corporation 1990, 2014