QDIO ACCELERATOR IS ENABLED ONLY FOR SYSPLEX DISTRIBUTOR BECAUSE OF POLICY FILTER RULES
Explanation
QDIO Accelerator will accelerate only Sysplex Distributor
traffic. Routed traffic cannot be accelerated for one of the following
reasons:
- The current IP security filters in your policy configuration do
not explicitly permit all routed traffic.
- Filter logging is enabled for routed traffic in your policy configuration.
To satisfy your configured IP filters, routed traffic
must be processed by the TCP/IP stack, where IP filtering is implemented.
System action
Processing continues with QDIO Accelerator enabled
only for sysplex distributor traffic.
Operator response
Contact the system programmer.
System programmer response
No action is required if any of the
following conditions are true:
- Your security policy requires some routed traffic to be denied
- Your security policy requires some routed traffic to be protected
using IPsec
- Your security policy requires some routed traffic to be subject
to filter logging
- You do not want to use QDIO acceleration for your routed traffic
If your security policy allows all routed traffic to be
permitted and does not require any routed traffic to be subject to
filter logging, you can change the IP security filters in your policy
configuration so that QDIO Accelerator is enabled for routed traffic.
To do this, modify your policy configuration:
- If you are using the IBM® Configuration Assistant for z/OS® Communications
  Server to configure your IPSec policy:
  - Ensure that the first connectivity rule that applies
    to routed IPv4 traffic specifies a topology of filtering only,
    applies to all IPv4 addresses, and uses a requirement map that maps
    all IP protocols and all security classes to a security level of Permit.
    Tip: Your connectivity rule might apply to both
    local and routed traffic. If your security policy does not allow you
    to permit all local traffic, split this rule into two rules, one that
    applies to filtering for routed traffic, and one that applies to filtering
    for local traffic.
  - Ensure that this connectivity rule specifies that filter matches
    are not to be logged.
- Otherwise, if you are manually configuring your IPSec policy:
  - Ensure that the first IpFilterRule statement whose associated
    IpService statement has a Routing specification of Routed or Either
    permits all IPv4 addresses, permits all protocols and all security
    classes, and has a Direction specification of Bidirectional.
    Tip: If your rule has a Routing specification
    of Either, it applies to both local and routed traffic. If your security
    policy does not allow you to permit all local traffic, split this
    IpFilterRule into two filter rules, one with a Routing specification
    of Routed and one with a Routing specification of Local.
  - Ensure that this IpFilterRule statement's associated IpGenericFilterAction
    statement does not specify an IpFilterLogging setting of Yes to enable
    filter logging.
For more information, see QDIO Accelerator and IP security in z/OS Communications Server: IP Configuration
Guide.
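The manual-configuration check above, as an added example (not IBM code and not Policy Agent file syntax): a simplified Python model that finds the first rule applying to routed traffic, lists why it would keep routed traffic out of QDIO Accelerator, and applies the tip about splitting an Either rule. The dict keys, the `All` marker and the rule names are assumptions made for the illustration.

```python
# Added example. The dict keys model a filter rule and are hypothetical;
# only the values Routed/Either/Local, Bidirectional, Permit and Yes/No
# come from the message text. "All" is a constructed match-everything marker.
ALL = "All"

def rule(name, routing, **overrides):
    """Build a rule that permits everything unless a field is overridden."""
    base = dict(name=name, routing=routing, action="Permit", src=ALL, dst=ALL,
                protocol=ALL, security_class=ALL, direction="Bidirectional",
                logging="No")
    return dict(base, **overrides)

def routed_blockers(rules):
    """Reasons the first rule applying to routed IPv4 traffic keeps that
    traffic in the TCP/IP stack. An empty list means none were found."""
    first = next((r for r in rules if r["routing"] in ("Routed", "Either")), None)
    if first is None:
        return ["no rule explicitly permits routed traffic"]
    checks = [
        (first["action"] == "Permit", "action is not Permit"),
        (first["src"] == ALL and first["dst"] == ALL, "not all IPv4 addresses"),
        (first["protocol"] == ALL, "not all protocols"),
        (first["security_class"] == ALL, "not all security classes"),
        (first["direction"] == "Bidirectional", "direction is not Bidirectional"),
        (first["logging"] != "Yes", "filter logging is enabled"),
    ]
    return [f'{first["name"]}: {why}' for ok, why in checks if not ok]

def split_either(r):
    """The tip above: split an Either rule into Routed and Local copies."""
    if r["routing"] != "Either":
        return [r]
    return [dict(r, name=r["name"] + "-routed", routing="Routed"),
            dict(r, name=r["name"] + "-local", routing="Local")]

# Constructed policy: the Either rule logs matches, so routed traffic
# cannot be accelerated even though everything is permitted.
BEFORE = [rule("web-in", "Local", protocol="TCP"),
          rule("permit-any", "Either", logging="Yes")]

# Split it and turn logging off only on the routed half; the local half
# keeps its logging.
routed, local = split_either(BEFORE[1])
AFTER = [BEFORE[0], dict(routed, logging="No"), local]

if __name__ == "__main__":
    print(routed_blockers(BEFORE))
    print(routed_blockers(AFTER))
```

Rule order matters in this model because only the first rule that applies to routed traffic is evaluated, as in the steps above.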
User response
Problem determination
Source
z/OS Communications Server TCP/IP
Module
EZBISSFT, EZBISPSW, EZBIPEPR
Routing code
Descriptor code
Automation
You can automate on this message to detect situations
when routed traffic is not being QDIO accelerated because of IP filtering
rules.
Example
EZD2021A QDIO ACCELERATOR IS ENABLED ONLY FOR SYSPLEX DISTRIBUTOR BECAUSE OF POLICY FILTER RULES