z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


EZD0833I

z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
SC27-3655-01

EZD0833I
Packet denied, tunnel mismatch: timestamp filter rule= rulename ext= instance sipaddr= sipaddr dipaddr= dipaddr proto= proto tag1 tag2 tag3 Interface= ifcaddr ( dir ) dest= dest len= len tunnelID= tunID decap_tunnelID=decap_tunID ifcname= ifcname fragment= frag

Explanation

An inbound IP packet matched the indicated filter rule but was denied because the packet was not encapsulated as specified in the filter rule. For this message to be written, the matched filter rule must have IpFilterLogging set to yes or logdeny.

timestamp is the stack timestamp that indicates the time at which the IP packet was denied by the stack. This time is retrieved from the system time-of-day clock, which usually reflects coordinated universal time (UTC). This timestamp might be different than the syslogd message timestamp.

rulename is the filter rule name. If the IP packet matched a dynamic filter rule, the rule name of the corresponding anchor filter rule will be displayed; otherwise, the rule name of the matching filter rule will be displayed.
  • In the policy agent configuration file, rulename is the name specified on an IpFilterRule statement.
  • When configured with the IBM® Configuration Assistant for z/OS® Communications Server rulename corresponds to the name of a Connectivity Rule in the GUI. rulename also contains a numeric suffix appended to the Connectivity Rule name to guarantee uniqueness.

instance is the rule name extension that indicates which instance of the rule name was matched.

sipaddr is the source IP address.

dipaddr is the destination IP address.

proto is the protocol from the packet. Possible values are:
  • ICMP(1)
  • IGMP(2)
  • IP(4)
  • TCP(6)
  • UDP(17)
  • ESP(50)
  • AH(51)
  • ICMPv6(58)
  • OSPF(89)
  • IPIP(94)
  • MIPv6(135)
  • Unknown
  • The protocol number
The tag1 value varies depending on the proto value.
  • If the proto value is ICMP or ICMPv6, the tag1 value is type= followed by the ICMP or ICMPv6 type, or followed by the value Unknown if the ICMP header is not present in the packet as the result of fragmentation.
  • If the proto value is TCP or UDP, the tag1 value is sport= followed by the source port, or followed by the value Unknown if the TCP or UDP header is not present in the packet as the result of fragmentation.
  • If the proto value is OSPF, the tag1 value is type= followed by the type, or followed by the value Unknown if the OSPF header is not present in the packet as the result of fragmentation.
  • If the proto value is MIPv6, the tag1 value is type= followed by the type, or followed by the value Unknown if the MIPv6 header is not present in the packet as the result of fragmentation.
  • If the proto value is any value not previously mentioned, the tag1 value is -= which indicates that the data is not applicable.
tag2 value varies depending on the proto value.
  • If the proto value is ICMP or ICMPv6, the tag2 value is code= followed by the ICMP or ICMPv6 code, or followed by the value Unknown if the ICMP header is not present in the packet as the result of fragmentation.
  • If the proto value is TCP or UDP, the tag2 value is dport= followed by the destination port, or followed by the value Unknown if the TCP or UDP header is not present in the packet as the result of fragmentation.
  • If the proto value is any value not previously mentioned, the tag2 value is -= which indicates that the data is not applicable.
tag3 value varies depending on the proto value and direction.
  • If the proto value is TCP or UDP, the direction is inbound, and the port has been translated by the CommServer NAT Traversal function, the tag3 value is origport= followed by the original source port.
  • If the proto value is TCP or UDP, the direction is outbound, and the port has been translated by the CommServer NAT Traversal function, the tag3 value is origport= followed by the original destination port.
  • If the proto value is any value not previously mentioned, the tag3 value is -= which indicates that the data is not applicable.

ifcaddr is the interface address over which the packet was received or sent.

dir is I if packet is inbound, O if packet is outbound.

dest is local if a local destination or routed if being routed.

len is the packet length.

tunID is the tunnel ID for the tunnel specified by the filter rule. A value of N/A indicates that the filter rule permits the IP packet without IPSec protection.

decap_tunID is the tunnel ID for the tunnel used to decapsulate the IP packet. A value of N/A indicates that the IP packet was not IPSec encapsulated.

ifcname is the interface name

frag specifies whether the packet is a fragment. The value is Y if the packet is a fragment, or N if the packet is not a fragment.

System action

TCP/IP processing continues.

Operator response

Contact the system programmer.

System programmer response

Ensure that the filters and tunnel are defined correctly on the sending and receiving systems. Use the ipsec command to display filter and tunnel information. See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec command in a z/OS UNIX shell to obtain information about the ipsec command syntax.

Module

EZATRZOS

Example

EZD0821I Packet denied, no tunnel: 07/05/2007 16:19:44.39 filter rule= ipsec-2 ext= 1 
         sipaddr= 9.42.130.185 dipaddr= 10.1.1.1 proto= tcp(6) sport= 80 dport= 1026 -= 
         Interface= 9.1.1.1 (O) secclass= 255 dest= local len= 284 vpnaction= DynAction 
         ifcname= TRLE1AL fragment= N

Procedure name

trmd_ipsec_log

Parent topic: EZD0xxxx messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014