EZD0833I z/OS Communications Server: IP Messages Volume 2 (EZB, EZD) SC27-3655-01
EZD0833I Packet denied, tunnel mismatch: timestamp filter
rule= rulename ext= instance sipaddr= sipaddr dipaddr= dipaddr
proto= proto tag1 tag2 tag3
Interface= ifcaddr ( dir )
dest= dest len= len tunnelID= tunID
decap_tunnelID=decap_tunID ifcname= ifcname fragment= frag

Explanation
An inbound IP packet matched the indicated filter rule but was denied because the packet was not encapsulated as specified in the filter rule. For this message to be written, the matched filter rule must have IpFilterLogging set to yes or logdeny.

timestamp is the stack timestamp that indicates the time at which the IP packet was denied by the stack. This time is retrieved from the system time-of-day clock, which usually reflects coordinated universal time (UTC). This timestamp might be different than the syslogd message timestamp.

rulename is the filter rule name. If the IP packet matched a dynamic filter rule, the rule name of the corresponding anchor filter rule will be displayed; otherwise, the rule name of the matching filter rule will be displayed.

instance is the rule name extension that indicates which instance of the rule name was matched.

sipaddr is the source IP address.

dipaddr is the destination IP address.

proto is the protocol from the packet. Possible values are:

The tag1 value varies depending on the proto value.

The tag2 value varies depending on the proto value.

The tag3 value varies depending on the proto value and direction.

ifcaddr is the interface address over which the packet was received or sent.

dir is I if packet is inbound, O if packet is outbound.

dest is local if a local destination or routed if being routed.

len is the packet length.

tunID is the tunnel ID for the tunnel specified by the filter rule. A value of N/A indicates that the filter rule permits the IP packet without IPSec protection.

decap_tunID is the tunnel ID for the tunnel used to decapsulate the IP packet. A value of N/A indicates that the IP packet was not IPSec encapsulated.

ifcname is the interface name.

frag specifies whether the packet is a fragment. The value is Y if the packet is a fragment, or N if the packet is not a fragment.

System action
TCP/IP processing continues.

Operator response
Contact the system programmer.

System programmer response
Ensure that the filters and tunnel are defined correctly on the sending and receiving systems. Use the ipsec command to display filter and tunnel information. See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec command in a z/OS UNIX shell to obtain information about the ipsec command syntax.

Module
EZATRZOS

Example

Procedure name
trmd_ipsec_log
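The following Python code is an added example, not IBM's code: it parses EZD0833I lines into fields and classifies each denial from the tunnelID and decap_tunnelID values as described above. The function names, the class labels and the sample lines (timestamp format, rule names, addresses, tunnel IDs, proto value) are constructed for illustration, and the protocol tags are left out of the samples because their layout depends on proto.

```python
import re

# "key= value" tokens as laid out in the EZD0833I template; a value must end
# at whitespace so an empty field cannot swallow the next key.
PAIR = re.compile(r"(\w+)=\s*([^\s=]+)(?=\s|$)")
DIR = re.compile(r"\(\s*([IO])\s*\)")

def parse_ezd0833i(line):
    """Return the message fields as a dict, or None for any other message."""
    if "EZD0833I" not in line:
        return None
    fields = dict(PAIR.findall(line))
    m = DIR.search(line)
    fields["dir"] = m.group(1) if m else None
    return fields

def classify(fields):
    """Name the mismatch from the N/A semantics of the two tunnel IDs."""
    want, got = fields.get("tunnelID"), fields.get("decap_tunnelID")
    if want is None or got is None:
        return "incomplete"
    if want != "N/A" and got == "N/A":
        return "cleartext-where-ipsec-required"
    if want == "N/A" and got != "N/A":
        return "ipsec-where-cleartext-permitted"
    return "wrong-tunnel" if want != got else "unexplained"

def triage(lines):
    """(sipaddr, rule, class) for every EZD0833I line, in input order."""
    parsed = (parse_ezd0833i(line) for line in lines)
    return [(f.get("sipaddr"), f.get("rule"), classify(f)) for f in parsed if f]

# Constructed sample lines (timestamp, rule names, addresses, tunnel IDs and
# proto value are invented; the protocol tags are left out).
_T = ("EZD0833I Packet denied, tunnel mismatch: 06/03/2014 14:02:11.53 "
      "filter rule= {r} ext= 1 sipaddr= {s} dipaddr= 198.51.100.7 proto= tcp "
      "Interface= 198.51.100.7 (I) dest= local len= 60 tunnelID= {t} "
      "decap_tunnelID={d} ifcname= OSA1 fragment= N")
SAMPLE = [
    _T.format(r="VpnIn", s="192.0.2.44", t="Y5", d="N/A"),
    _T.format(r="ClearIn", s="192.0.2.45", t="N/A", d="Y7"),
    _T.format(r="VpnIn", s="192.0.2.46", t="Y5", d="Y9"),
    "unrelated syslogd line",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

Grouping the output by rule name and class shows whether a burst of denials points at one misdefined filter rule or at a peer sending traffic outside its tunnel.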
Copyright IBM Corporation 1990, 2014