z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)


EZD1726I

SC27-3655-01

EZD1726I
SWSA shadow tunnel installation failed timestamp vpnaction= vpnaction tunnelID= tunID AHSPI= AHindex ESPSPI= ESPindex reason= rsn reason code= rsncode

Explanation

The installation of a Sysplex-Wide Security Associations (SWSA) shadow tunnel for a distributed DVIPA on a target stack failed.

The SWSA function enables a distributing TCP/IP stack to negotiate IPSec tunnels for distributed DVIPAs. The IPSec tunnels are installed on target stacks for the distributed DVIPA as shadow tunnels. SWSA requires that the IP filter policy that applies to the DVIPA be consistent between the target stack and the distributing stack. One reason the tunnel installation might fail is that the IP filter policies are not consistent: the shadow tunnel cannot be installed because the target stack does not have IP filter rules that correspond to that tunnel.

In the message text:
timestamp
Indicates when the installation failure occurred. This time is retrieved from the system time-of-day clock, which usually reflects coordinated universal time (UTC). This time stamp might be different than the syslogd message time stamp.
vpnaction
The vpnaction name.
  • If configured with the IBM® Configuration Assistant for z/OS® Communications Server, the vpnaction name corresponds to the name of the security level in the GUI. The vpnaction name also contains a suffix appended to the security level name to guarantee uniqueness.
  • If configured in the Policy Agent configuration file, the vpnaction name is the name specified on the IpDynVpnAction statement.
tunID
The tunnel ID.
AHindex
The AH security parameter index.
ESPindex
The ESP security parameter index.
rsn
Indicates the specific reason the installation failed.
| reason | Explanation | Comments |
|---|---|---|
| 1 | Error encountered while trying to install the shadow tunnel. | See the reason codes below for additional information. |
| 2 | Error encountered while trying to install the dynamic filter associated with the shadow tunnel. | See the reason codes below for additional information. |
| 3 | Target stack is FIPS140 enabled, and the tunnel was not negotiated in FIPS140 compliant mode. | A target stack that is enabled for FIPS140 will not accept a tunnel from a distributing stack that is not enabled for FIPS140. |
rsncode
Provides additional information about the installation failure.
| reason code | Explanation | Comments |
|---|---|---|
| 0 | No additional information provided. | This value is only applicable when reason has a value of 3. |
| 7 | The dynamic filter did not match an anchor filter. | Ensure that the policy on the target stack is consistent with the policy on the distributing stack. |
| 8 | Default policy is in use. | The shadow tunnel cannot be installed if the policy from the policy agent is not currently in use. |
| 24 | ICSF failure occurred. | This message will be preceded by message EZD1730I that indicates the return and reason codes from ICSF. See the ICSF and TSS Return and Reason Codes in z/OS Cryptographic Services ICSF Application Programmer's Guide for the specific actions to be taken. |
| 25 | ICSF is not active. | Services from ICSF are required to install this shadow tunnel. ICSF must be started. |
| 114 | Tunnel could not be added to internal structures because of duplicates. | Contact the IBM Software Support Center. |
| 121 | The authentication algorithm provided is not supported. | Ensure that the policy on the target stack is consistent with the policy on the distributing stack. Some algorithms are not supported because of export restrictions. Ensure that the algorithm that is being used is supported. |
| 132 | Storage shortage | Storage to complete the request is not currently available. Determine the cause of the storage failure. |
| 134 | The encryption algorithm provided is not supported. | Ensure that the policy on the target stack is consistent with the policy on the distributing stack. Some encryption algorithms are not supported because of export restrictions. Ensure that the algorithm that is being used is supported. |
| 1008 | The dynamic filter being added conflicted with an existing dynamic filter. | Ensure that the policy on the target stack is consistent with the policy on the distributing stack. |

See the information about Sysplex-wide Security Associations in z/OS Communications Server: IP Configuration Guide.

System action

The tunnel installation fails; TCP/IP processing continues.

Operator response

None.

System programmer response

Ensure that the IP filter policy on the distributing stack for all traffic pertaining to the distributed DVIPA is correctly mirrored on the target stack. Also, take any additional action dictated by the reason code.

User response

Not applicable.

Problem determination

Not applicable.

Source

z/OS Communications Server TCP/IP: IPSec

Module

ezatrzos.c

Routing code

Not applicable.

Descriptor code

Not applicable.

Automation

Not applicable.

Example

EZD1726I SWSA shadow tunnel installation failed: 04/30/2009 19:47:27.99 vpnaction= IPSec__Gold
tunnelID= Y4 AHSPI= 0 ESPSPI= 3517985610 reason= 3 reason code= 0
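
A triage sketch for the message layout shown above, added here as an example and not part of the IBM documentation: it parses EZD1726I records out of collected log text (including records wrapped across lines) and sorts them by the reason and reason code values this page lists. The category names, function names, and the assumption that a vpnaction name contains no spaces are this example's own.

```python
import re

# Field layout follows the message text on this page; the colon after "failed" is optional.
EZD1726I = re.compile(
    r"EZD1726I SWSA shadow tunnel installation failed:?\s+"
    r"(?P<timestamp>\S+\s+\S+)\s+vpnaction=\s*(?P<vpnaction>\S+)\s+"
    r"tunnelID=\s*(?P<tunnel_id>\S+)\s+AHSPI=\s*(?P<ah_spi>\d+)\s+"
    r"ESPSPI=\s*(?P<esp_spi>\d+)\s+reason=\s*(?P<reason>\d+)\s+"
    r"reason code=\s*(?P<rsncode>\d+)"
)
# Triage buckets (names are this example's own) for the reason codes listed on this page.
POLICY_MISMATCH = {7, 121, 134, 1008}  # target policy not consistent with distributor
BUCKETS = {8: "default-policy-in-use", 24: "icsf-failure", 25: "icsf-not-active",
           114: "contact-ibm-support", 132: "storage-shortage"}

def classify(reason, rsncode):
    """Map a (reason, reason code) pair to a triage category."""
    if reason == 3:
        return "fips140-mismatch"
    if rsncode == 0:
        return "unexpected-zero-code"  # 0 is only documented for reason 3
    if rsncode in POLICY_MISMATCH:
        return "policy-mismatch"
    return BUCKETS.get(rsncode, "unknown-reason-code")

def triage(log_text):
    """Return one dict per EZD1726I message found in log_text."""
    flat = " ".join(log_text.split())  # undo line wrapping inside a record
    findings, prev_end = [], 0
    for m in EZD1726I.finditer(flat):
        f = m.groupdict()
        for key in ("ah_spi", "esp_spi", "reason", "rsncode"):
            f[key] = int(f[key])
        f["category"] = classify(f["reason"], f["rsncode"])
        # Reason code 24 should be preceded by EZD1730I carrying the ICSF codes.
        f["has_icsf_detail"] = (f["rsncode"] == 24
                                and "EZD1730I" in flat[prev_end:m.start()])
        prev_end = m.end()
        findings.append(f)
    return findings

# First record is the example from this page; the second is constructed for illustration.
SAMPLE = """EZD1726I SWSA shadow tunnel installation failed: 04/30/2009 19:47:27.99 vpnaction= IPSec__Gold
tunnelID= Y4 AHSPI= 0 ESPSPI= 3517985610 reason= 3 reason code= 0
EZD1726I SWSA shadow tunnel installation failed: 04/30/2009 19:52:03.10 vpnaction= IPSec__Gold
tunnelID= Y7 AHSPI= 0 ESPSPI= 3517985777 reason= 2 reason code= 7
"""

if __name__ == "__main__":
    print([(f["tunnel_id"], f["category"]) for f in triage(SAMPLE)])
```

A cluster of `policy-mismatch` findings for one vpnaction points at the filter policy on the target stack, which is the check the System programmer response calls for.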





Copyright IBM Corporation 1990, 2014