z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)


SC27-3655-01

EZD1787I
Received unsupported IKEv2 traffic selector specification

Explanation

The Internet Key Exchange (IKE) daemon does not support a traffic selector specification that it received from an IKEv2 peer. The IKE daemon does not support the following types of traffic selectors:
  • Traffic selectors that use a distinct set of port values instead of a contiguous range; these traffic selectors are called disjoint traffic selectors. If the peer is acting as an initiator, the IKE daemon attempts to find a pairing of its proposed traffic selectors that is not disjoint. However, if the peer is acting as a responder, the IKE daemon cannot accept a counter-proposal that contains disjoint traffic selectors, so it fails the tunnel activation.
  • Traffic selectors that are asymmetrical; for example, traffic selectors that contain ICMP type 13 in one direction, but ICMP type 14 in the other direction. If the peer is acting as an initiator, the IKE daemon attempts to find a pairing of its proposed traffic selectors that is not asymmetrical. If the peer is acting as a responder and its returned traffic selectors are asymmetrical, the IKE daemon fails the tunnel activation.
  • Traffic selectors that contain port, type, or code specifications for any protocol other than TCP, UDP, ICMP, ICMPv6, or MIPv6. RFC 5996 Internet Key Exchange (IKEv2) Protocol makes provisions for negotiating port, type, and code values for these protocols. If the peer is acting as an initiator, the IKE daemon attempts to find a pairing of its proposed traffic selectors that has recognizable port, type, and code specifications. If the peer is acting as a responder and its returned traffic selectors contain any unrecognized port, type, or code specifications, the IKE daemon fails the tunnel activation. See Related protocol specifications for information about accessing RFCs.

To perform further diagnosis, enable the formatted packet trace option in your IkeSyslogLevel configuration settings, and retry tunnel activation. Your syslog contains the exact traffic selector values that the peer is proposing.
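
An added example (not IBM code) that checks a proposed TSi/TSr pair against the three restrictions above, for use on the selector values taken from the formatted packet trace. It assumes selectors are reduced to (protocol, start port, end port) tuples that share one address range, treats "disjoint" as TCP or UDP port ranges that do not merge into one contiguous range, and treats "asymmetrical" as ICMP, ICMPv6, or MIPv6 type/code ranges that differ between the two directions; all function names and sample values are constructed.

```python
# Added example (not IBM code): check a TSi/TSr pair against the EZD1787I restrictions.
# A selector is (ip_protocol, start_port, end_port); all sample values are constructed.
TCP, UDP, ICMP, ICMPV6, MIPV6 = 6, 17, 1, 58, 135  # IANA protocol numbers
PORT_PROTOCOLS = {TCP, UDP}
TYPE_CODE_PROTOCOLS = {ICMP, ICMPV6, MIPV6}
ANY_PORT = (0, 65535)

def icmp_range(icmp_type):
    """RFC 5996 packs type in the high 8 bits and code in the low 8 bits of the port field."""
    return (icmp_type << 8, (icmp_type << 8) | 0xFF)

def is_disjoint(selectors):
    """True if one protocol's TCP/UDP port ranges do not merge into a single range."""
    by_proto = {}
    for proto, start, end in selectors:
        if proto in PORT_PROTOCOLS:
            by_proto.setdefault(proto, []).append((start, end))
    for ranges in by_proto.values():
        ranges.sort()
        reach = ranges[0][1]
        for start, end in ranges[1:]:
            if start > reach + 1:  # gap between consecutive ranges
                return True
            reach = max(reach, end)
    return False

def is_asymmetrical(tsi, tsr):
    """True if the type/code selectors differ between the two directions."""
    def pick(selectors):
        return sorted(s for s in selectors if s[0] in TYPE_CODE_PROTOCOLS)
    return pick(tsi) != pick(tsr)

def has_unsupported_ports(selectors):
    """True if a protocol outside the supported five restricts port, type, or code."""
    supported = PORT_PROTOCOLS | TYPE_CODE_PROTOCOLS
    return any(p not in supported and (s, e) != ANY_PORT for p, s, e in selectors)

def check_pair(tsi, tsr):
    """Return the names of the restrictions that this TSi/TSr pair violates."""
    problems = []
    if is_disjoint(tsi) or is_disjoint(tsr):
        problems.append("disjoint")
    if is_asymmetrical(tsi, tsr):
        problems.append("asymmetrical")
    if has_unsupported_ports(tsi + tsr):
        problems.append("unsupported-protocol-ports")
    return problems

if __name__ == "__main__":
    print(check_pair([(TCP, 0, 65535)], [(TCP, 80, 80), (TCP, 443, 443)]))
    print(check_pair([(ICMP, *icmp_range(13))], [(ICMP, *icmp_range(14))]))
```

An empty list from `check_pair` means the pair passes these three checks as modeled here; it does not replace the trace output as the record of what the peer proposed.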

System action

The tunnel activation fails; IKE daemon processing continues.

Operator response

None.

System programmer response

Contact the administrator of the remote IKE peer node to modify their policies so that the resulting traffic selectors are compatible with the restrictions listed above.

User response

Not applicable.

Problem determination

None.

Source

z/OS® Communications Server TCP/IP: IKE daemon

Module

IKEv2DomainOfInterpretation.cpp

Routing code

11

Descriptor code

7

Automation

This message is output to syslog.

Example

EZD1787I Received unsupported IKEv2 traffic selector specification





Copyright IBM Corporation 1990, 2014