z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
SC27-3655-01

EZD0832I
Packet denied by NAT Traversal Processing: timestamp filter rule= rulename ext= instance sipaddr= sipaddr dipaddr= dipaddr proto= proto tag1 tag2 tag3 Interface= ifcaddr ( dir ) dest= dest len= len vpnaction=vpnaction rsn=rsn ifcname= ifcname fragment= frag

Explanation

An IP packet matched the indicated filter rule but further processing for NAT Traversal caused the packet to be denied. The rsn field provides more detailed information. For this message to be written, the matched filter rule must have IpFilterLogging set to yes.

timestamp is the stack timestamp that indicates the time at which the IP packet was denied by the stack. This time is retrieved from the system time-of-day clock, which usually reflects coordinated universal time (UTC). This timestamp might differ from the syslogd message timestamp.

rulename is the anchor filter rule name. The value of N/A is displayed when a target stack is processing an inbound packet that was received on the distributing stack as a UDP-encapsulated ESP packet. The packet was decapsulated by the distributor before the distributor forwarded it to the target stack.

instance is the rule name extension that indicates which instance of the rule name was matched. The value of N/A is displayed when a target stack is processing an inbound packet that was received on the distributing stack as a UDP-encapsulated ESP packet. The packet was decapsulated by the distributor before the distributor forwarded it to the target stack.

sipaddr is the source IP address.

dipaddr is the destination IP address.

proto is the protocol from the packet. Possible values are:
  • ICMP(1)
  • IGMP(2)
  • IP(4)
  • TCP(6)
  • UDP(17)
  • ESP(50)
  • AH(51)
  • OSPF(89)
  • IPIP(94)
  • MIPv6(135)
  • Unknown
  • The protocol number
The tag1 value varies depending on the proto value:
  • If the proto value is ICMP, the tag1 value is type= followed by the ICMP type, or followed by the value Unknown if the ICMP header is not present in the packet as the result of fragmentation.
  • If the proto value is TCP or UDP, the tag1 value is sport= followed by the source port, or followed by the value Unknown if the TCP or UDP header is not present in the packet as the result of fragmentation.
  • If the proto value is OSPF, the tag1 value is type= followed by the OSPF type, or followed by the value Unknown if the OSPF header is not present in the packet as the result of fragmentation.
  • If the proto value is MIPv6, the tag1 value is type= followed by the MIPv6 type, or followed by the value Unknown if the MIPv6 header is not present in the packet as the result of fragmentation.
  • If the proto value is any value not previously mentioned, the tag1 value is -= which indicates that the data is not applicable.
The tag2 value varies depending on the proto value:
  • If the proto value is ICMP, the tag2 value is code= followed by the ICMP code, or followed by the value Unknown if the ICMP header is not present in the packet as the result of fragmentation.
  • If the proto value is TCP or UDP, the tag2 value is dport= followed by the destination port, or followed by the value Unknown if the TCP or UDP header is not present in the packet as the result of fragmentation.
  • If the proto value is any value not previously mentioned, the tag2 value is -= which indicates that the data is not applicable.
The tag3 value varies depending on the proto value and the direction:
  • If the proto value is TCP or UDP, the direction is inbound, and the port has been translated by the Communications Server NAT Traversal function, the tag3 value is origport= followed by the original source port.
  • If the proto value is TCP or UDP, the direction is outbound, and the port has been translated by the Communications Server NAT Traversal function, the tag3 value is origport= followed by the original destination port.
  • In all other cases, the tag3 value is -= which indicates that the data is not applicable.

ifcaddr is the interface address over which the packet was received or sent.

dir is I if the packet is inbound or O if the packet is outbound.

dest is local if the packet is destined for the local host or routed if the packet is being routed through this host.

len is the packet length.

vpnaction is the name specified on the IpDynVpnAction statement for the referenced filter rule.

rsn is the reason code that indicates the specific NAT Traversal processing error. The rsn is one of the following:

rsn 1
Affected packet: Inbound TCP or UDP packet.
Explanation: An internal error occurred when attempting to create a NAT Resolution Filter.

rsn 2
Affected packet: Inbound TCP or UDP packet.
Explanation: No storage could be allocated for a NAT Resolution Filter.
Comments: Storage to complete the request is not currently available. Until the storage shortage is relieved, packets continue to be discarded.

rsn 3
Affected packet: Inbound TCP or UDP packet.
Explanation: Unable to allocate a NAT Resolution Filter.
Comments: The tunnel over which the packet was received cannot be found for the filter rule that the packet matched. This could be the result of a policy mismatch between the peers; for example, an inbound packet that is received in the clear (that is, not encapsulated) but matches a filter rule that specifies encapsulation.

rsn 4
Affected packet: Inbound non-TCP/UDP/ICMP packet.
Explanation: An inbound packet with a protocol other than TCP(6), UDP(17), or ICMP(1) matched a NAT Traversal Anchor Filter.
Comments: When the IKE peer is a security gateway or the IKE peer is behind an NAPT, only inbound packets with a protocol value of TCP, UDP, or ICMP are supported over the UDP-encapsulated ESP tunnel.

rsn 5
Affected packet: Outbound TCP or UDP packet.
Explanation: Unable to locate a matching NAT Resolution Filter.
Comments: When the IKE peer is a security gateway or the IKE peer is behind an NAPT, the NAT Resolution Filter is needed to determine which tunnel to use for outbound packets. Data must be initiated from the client behind the security gateway or the client behind the NAPT.

rsn 6
Affected packet: Outbound non-TCP/UDP/ICMP packet.
Explanation: An outbound packet with a protocol other than TCP(6), UDP(17), or ICMP(1) matched a NAT Traversal Anchor Filter.
Comments: When the IKE peer is a security gateway or the IKE peer is behind an NAPT, only outbound packets with a protocol value of TCP, UDP, or ICMP are supported over the UDP-encapsulated ESP tunnel.

rsn 7
Affected packet: Inbound ICMP packet.
Explanation: The tunnel over which the packet was received cannot be found for the filter rule that the ICMP packet matched.
Comments: This could be the result of a policy mismatch between the peers.

rsn 8
Affected packet: Outbound ICMP packet.
Explanation: Unable to locate the tunnel to use for the outbound packet. The outbound ICMP packet is not in response to an inbound packet.
Comments: When the IKE peer is a security gateway or the IKE peer is behind an NAPT, an outbound ICMP packet can be sent over a UDP-encapsulated ESP tunnel only in response to an inbound packet. For example, an Echo Reply can be sent in response to an Echo Request, or an ICMP Port Unreachable message can be sent in response to an inbound UDP packet.

rsn 9
Affected packet: Outbound ICMP packet.
Explanation: Unable to locate the tunnel to use for the outbound packet. The outbound ICMP packet cannot use the same tunnel as the inbound request.
Comments: When the IKE peer is a security gateway or the IKE peer is behind an NAPT, an outbound ICMP packet can be encapsulated and sent over a tunnel only if both of the following are true:
  • The outbound packet is in response to an inbound packet.
  • The tunnel used for the inbound packet can be used for the outbound packet.
If, for example, separate tunnels are negotiated for UDP and ICMP traffic, an outbound ICMP Port Unreachable packet cannot be sent over the same tunnel as the inbound UDP packet that triggered it. When the IKE peer is a security gateway or the IKE peer is behind an NAPT and UDP-encapsulated ESP tunnels are being used, consider using tunnels that encompass all protocols.

rsn 10
Affected packet: Inbound or outbound TCP packet.
Explanation: Unable to accept the TCP packet because the IPSec policy for the TCP connection has changed. The connection was initiated as clear-text traffic but is now using a UDP-encapsulated tunnel, or vice versa.
Comments: When a TCP connection traverses a NAT, the connection must be restarted after a filter policy change that causes the connection's traffic to change from IPSec-protected traffic to clear text, or from clear text to IPSec-protected traffic.

rsn 11
Affected packet: Outbound packet.
Explanation: Unable to determine the local host public address for use in the IP header of the inner packet.
Comments: When the IKE peer is a security gateway and the NAT is in front of the local host, an outbound packet can be encapsulated and sent over a tunnel only after a packet has been received inbound over the tunnel. Data must be initiated from the client behind the security gateway.

rsn 12
Affected packet: Inbound TCP or UDP packet.
Explanation: An internal error occurred when attempting to create a NAT Resolution Filter.

ifcname is the interface name.

frag specifies whether the packet is a fragment. The value is Y if the packet is a fragment, or N if the packet is not a fragment.

System action

The packet is dropped and TCP/IP processing continues.

Operator response

If the rsn value is 10, restart the TCP connection. Otherwise, contact the system programmer.

System programmer response

Unless a specific response is listed for the rsn value below, ensure that the filters and tunnel are defined correctly on the sending and receiving systems. Use the ipsec command to display filter and tunnel information.

rsn 1: Contact the IBM® Software Support Center.
rsn 2: Determine the cause of the storage shortage. See the information about storage shortages in z/OS Communications Server: IP Diagnosis Guide.

See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec command in a z/OS® UNIX shell to obtain information about the ipsec command syntax and options.
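The message layout, the rsn table, and the operator and system programmer responses above are enough to triage EZD0832I lines automatically. The following Python is an added example written for this page, not IBM code: it rejoins a message that syslogd has wrapped across lines, parses the key= value fields (treating -= as the not-applicable tag placeholder and Interface= as "ifcaddr (dir)"), checks the direction and protocol against the "Affected packet" column for the reported rsn, and returns the response documented for that rsn. The key order, the dataclass field names and the sample messages are this example's own; the first sample is the page's example joined onto one line, the second is constructed to exercise the three -= placeholders and a routed destination.

```python
"""Parse and triage EZD0832I messages. Added example for this page, not IBM code.
Assumes the field layout documented above: key= value pairs in the order shown, "-="
in place of a tag that does not apply, and Interface= "ifcaddr (dir)". Samples are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Keys in message order; "-" is the not-applicable placeholder for tag1..tag3.
KEYS = ["filter rule", "ext", "sipaddr", "dipaddr", "proto", "type", "code", "sport", "dport",
        "origport", "-", "Interface", "secclass", "dest", "len", "vpnaction", "rsn", "ifcname",
        "fragment"]
TAG_KEYS = {"type", "code", "sport", "dport", "origport"}
_ALT = "|".join(re.escape(k) for k in KEYS)
_HEADER = re.compile(r"EZD0832I\s+Packet denied by NAT Traversal Processing:\s+"
                     r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+)\s+(.*)$")
# A key, then everything up to the next whitespace-preceded key or the end of the line.
_PAIR = re.compile(r"(?<!\S)(%s)=(.*?)(?=\s+(?:%s)=|\s*$)" % (_ALT, _ALT))

@dataclass
class Ezd0832i:
    timestamp: str
    rulename: str
    instance: str
    sipaddr: str
    dipaddr: str
    proto: str                # "tcp", "udp", "esp", "Unknown", ...
    proto_num: Optional[int]  # None when the message gives no number
    tags: Dict[str, str]      # sport/dport/type/code/origport when present
    ifcaddr: str
    direction: str            # "I" inbound, "O" outbound
    dest: str                 # "local" or "routed"
    length: int
    vpnaction: str
    rsn: int
    ifcname: str
    fragment: str             # "Y" or "N"
    secclass: Optional[str] = None

def parse(line: str) -> Ezd0832i:
    text = " ".join(line.split())  # syslogd wraps long messages; rejoin them
    m = _HEADER.search(text)
    if not m:
        raise ValueError("not an EZD0832I message")
    timestamp, rest = m.groups()
    f, tags = {}, {}
    for key, value in _PAIR.findall(rest):
        if key in TAG_KEYS:
            tags[key] = value.strip()
        elif key != "-":
            f[key] = value.strip()
    pm = re.match(r"(\w+)\((\d+)\)$", f["proto"])  # "tcp(6)"; otherwise "Unknown" or a number
    proto, num = (pm.group(1), int(pm.group(2))) if pm else (
        f["proto"], int(f["proto"]) if f["proto"].isdigit() else None)
    im = re.match(r"(\S+) \((I|O)\)$", f["Interface"])
    if not im:
        raise ValueError("unexpected Interface field %r" % f["Interface"])
    return Ezd0832i(timestamp, f["filter rule"], f["ext"], f["sipaddr"], f["dipaddr"], proto, num,
                    tags, im.group(1), im.group(2), f["dest"], int(f["len"]), f["vpnaction"],
                    int(f["rsn"]), f["ifcname"], f["fragment"], f.get("secclass"))

TCP, UDP, ICMP = 6, 17, 1
# "Affected packet" column of the rsn table: (directions, protocol set, set lists exclusions?)
AFFECTED = {1: ("I", {TCP, UDP}, False), 2: ("I", {TCP, UDP}, False), 3: ("I", {TCP, UDP}, False),
            4: ("I", {TCP, UDP, ICMP}, True), 5: ("O", {TCP, UDP}, False),
            6: ("O", {TCP, UDP, ICMP}, True), 7: ("I", {ICMP}, False), 8: ("O", {ICMP}, False),
            9: ("O", {ICMP}, False), 10: ("IO", {TCP}, False), 11: ("O", None, False),
            12: ("I", {TCP, UDP}, False)}
# Responses the page ties to a specific rsn; rsn 12 shares rsn 1's text but has no specific response.
SPECIFIC_RESPONSE = {10: "Restart the TCP connection.", 1: "Contact the IBM Software Support Center.",
                     2: "Determine the cause of the storage shortage."}

def consistent_with_table(msg: Ezd0832i) -> bool:
    """True when direction and protocol fit the documented affected packet for msg.rsn."""
    entry = AFFECTED.get(msg.rsn)
    if entry is None or msg.direction not in entry[0]:
        return False
    protos, excluded = entry[1], entry[2]
    if protos is None or msg.proto_num is None:
        return protos is None
    return msg.proto_num not in protos if excluded else msg.proto_num in protos

def recommended_response(rsn: int) -> str:
    if rsn in SPECIFIC_RESPONSE:
        return SPECIFIC_RESPONSE[rsn]
    if rsn in AFFECTED:
        return "Check filter and tunnel definitions on both systems (ipsec command)."
    return "rsn not documented on this page."

# Constructed samples: the page's example rejoined on one line, then a made-up outbound ESP
# denial that exercises the three -= placeholders and the routed destination.
SAMPLES = [
    "EZD0832I Packet denied by NAT Traversal Processing: 07/05/2007 16:19:44.39  filter rule= ipsec-2 "
    "ext= 1 sipaddr= 9.42.130.185 dipaddr= 10.1.1.1 proto=  tcp(6) sport= 1026 dport= 80 -= "
    "Interface= 9.1.1.1 (I) secclass= 255 dest=  local len= 284 vpnaction= DynAction rsn= 4 "
    "ifcname= TRLE1AL fragment= N",
    "EZD0832I Packet denied by NAT Traversal Processing: 07/05/2007 16:22:30.01 filter rule= ipsec-2 "
    "ext= 1 sipaddr= 10.1.1.1 dipaddr= 10.3.3.3 proto= esp(50) -= -= -= Interface= 9.1.1.1 (O) "
    "dest= routed len= 1500 vpnaction= DynAction rsn= 6 ifcname= TRLE1AL fragment= Y",
]

if __name__ == "__main__":
    for msg in map(parse, SAMPLES):
        print(msg.rsn, msg.direction, msg.proto, consistent_with_table(msg), recommended_response(msg.rsn))
```

Run as a script, it prints one triage line per sample. The page's own example (proto= tcp(6) with rsn= 4) fails the affected-packet check, because the table lists rsn 4 for inbound packets that are not TCP, UDP or ICMP; keeping a check like this in a parser means a log line that contradicts the documented reason is looked at rather than filed under the general response.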

User response

Not applicable.

Problem determination

Not applicable.

Source

z/OS Communications Server TCP/IP: TRMD

Module

EZATRZOS

Routing code

Not applicable.

Descriptor code

Not applicable.

Automation

Not applicable.

Example

EZD0832I Packet denied by NAT Traversal Processing: 07/05/2007 16:19:44.39  filter rule= ipsec-2 ext= 1 
         sipaddr= 9.42.130.185 dipaddr= 10.1.1.1 proto=  tcp(6) sport= 1026 dport= 80 -= 
         Interface= 9.1.1.1 (I) secclass= 255 dest=  local len= 284 vpnaction= DynAction rsn= 4 
         ifcname= TRLE1AL fragment= N

Procedure name

trmd_ipsec_log





Copyright IBM Corporation 1990, 2014