Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
EZD0832I z/OS Communications Server: IP Messages Volume 2 (EZB, EZD) SC27-3655-01 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EZD0832I Packet denied by NAT Traversal Processing: timestamp filter
rule= rulename ext= instance sipaddr= sipaddr dipaddr= dipaddr
proto= proto tag1 tag2 tag3
Interface= ifcaddr ( dir )
dest= dest len= len vpnaction=vpnaction
rsn=rsn ifcname= ifcname fragment= frag ExplanationAn IP packet matched the indicated filter rule but further processing for NAT Traversal caused the packet to be denied. The rsn field provides more detailed information. For this message to be written, the matched filter rule must have IpFilterLogging set to yes. timestamp is the stack timestamp that indicates the time at which the IP packet was denied by the stack. This time is retrieved from the system time-of-day clock, which usually reflects coordinated universal time (UTC). This timestamp might be different than the syslogd message timestamp. rulename is the anchor filter rule name. The value of N/A is displayed when a target stack is processing an inbound packet that was received on the distributing stack as a UDP-encapsulated ESP packet. The packet was decapsulated by the distributor before the distributor forwarded it to the target stack. instance is the rule name extension that indicates which instance of the rule name was matched. The value of N/A is displayed when a target stack is processing an inbound packet that was received on the distributing stack as a UDP-encapsulated ESP packet. The packet was decapsulated by the distributor before the distributor forwarded it to the target stack. sipaddr is the source IP address. dipaddr is the destination IP address. proto is the
protocol from the packet. Possible values are:
The tag1 value varies depending on
the proto value:
tag2 is one of the following:
tag3value varies depending on the proto value
and direction:
ifcaddr is the interface address over which the packet was received or sent. dir is I if packet is inbound, O if packet is outbound. dest is local if a local destination or routed if being routed. len is the packet length. vpnaction is the name specified on the IpDynVpnAction statement for the referenced filter rule. rsn is the reason code that indicates
the specific NAT Traversal processing error. The rsn is
one of the following:
ifcname is the interface name frag specifies whether the packet is a fragment. The value is Y if the packet is a fragment, or N if the packet is not a fragment. System actionThe packet is dropped and TCP/IP processing continues. Operator responseIf the rsn value is 10, restart the TCP connection. Otherwise, contact the system programmer. System programmer responseUnless a specific response is based
on the rsn value shown in the following table,
ensure that the filters and tunnel are defined correctly on the sending
and receiving systems. Use the ipsec command to
display filter and tunnel information.
See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec command in a z/OS® UNIX shell to obtain information about the ipsec command syntax and options. User responseNot applicable. Problem determinationNot applicable. Sourcez/OS Communications Server TCP/IP: TRMD ModuleEZATRZOS Routing codeNot applicable. Descriptor codeNot applicable. AutomationNot applicable. Example
Procedure nametrmd_ipsec_log |
Copyright IBM Corporation 1990, 2014
|