z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM)
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


EZZ8670I

z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM)
SC27-3657-01

EZZ8670I
TRMD TCP connection reset due to constrained out-of-order queue detected: date time connid= connid jobname= jobname lipaddr= lipaddr lport= lport ripaddr= ripaddr rport= rport trigger= trigger dataage= dataage bytesqueued= bytesqueued queuesize= queuesize correlator= correlator probeid= probeid sensorhostname= sensorhostname

Explanation

The specified TCP connection was reset because the out-of-order queue for the connection was constrained and Intrusion Detection Services (IDS) policy for the TCP queue size attack type specified that connections with constrained queues should be reset. The out-of-order queue was constrained because excessive or old data had accumulated on the queue.

In the message text:
date
The date when the connection was reset.
time
The time when the connection was reset.
connid
The ID of the connection that was reset.
jobname
The job name of the connection that was reset.
lipaddr
The local IP address of the connection that was reset.
lport
The local port of the connection that was reset.
ripaddr
The remote IP address of the connection that was reset.
rport
The remote port of the connection that was reset.
trigger
The condition that triggered the queue to become constrained. This field is one of the following values:
DataAge
The constraint was triggered because data remained on the out-of-order queue for at least 60 seconds.
BytesQueued
The constraint was triggered because a given amount of data remained on the out-of-order queue for at least 30 seconds. This amount is configured in IDS policy using one of four abstract queue sizes.
dataage
The age in seconds of the oldest data on the out-of-order queue when the connection was reset.
bytesqueued
The number of bytes queued on the out-of-order queue when the connection was reset.
queuesize
The configured abstract queue length for the TCP Queue Size IDS attack type. Possible values are:
  • VS - very short
  • S - short
  • L - long
  • VL - very long
correlator
The correlator for a constrained queue condition.
probeid
The unique identifier of the probe detection point. See the intrusion detection services probeids in z/OS Communications Server: IP and SNA Codes for a description of the IDS probe IDs.
sensorhostname
The fully qualified host name of the IDS sensor.

System action

Processing continues.

Operator response

Determine why the local application had excessive or old data on the out-of-order queue. Excessive or old data on the out-of-order queue might be the result of a remote application sending partial data either as an attack or because of a problem with the remote application. Excessive or old data might also be the result of a network problem that prevented data that was sent by the remote application from reaching its destination.

System programmer response

No action is needed.

User response

Not applicable.

Problem determination

See the operator response.

Source

z/OS® Communications Server TCP/IP: TRMD

Module

EZATRMD

Routing code

*

Descriptor code

*

Automation

This message is written to syslogd. This message is a good candidate for automation. Automation can alert you when a TCP connection is reset because the TCP out-of-order queue for the connection entered a constrained state.

Example

EZZ8670I TRMD TCP connection reset due to constrained out-of-order queue detected: 09/09/2008 
17:11:28.55 connid= 00000125 jobname= USER15 lipaddr= 4.4.4.4 lport= 1165 ripaddr= 7.7.7.7 
rport= 5000 trigger= DataAge dataage= 60 bytesqueued= 576 queuesize= S correlator= 137 
probeid= 040A0009 sensorhostname= HOST1.COMPANYA.COM
Parent topic: EZZ8xxxx messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014