Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
EZD1795I z/OS Communications Server: IP Messages Volume 2 (EZB, EZD) SC27-3655-01 |
|
EZD1795I A matching IpFilterRule with an IpDynVpnAction was not found
for protecting proto_name traffic between local_ip local_selector_type local_selector
and remote_ip remote_selector_type remote_selector ExplanationAn IKE negotiation failed because a matching IpFilterRule statement could not be found or because the IpFilterRule statement that was found did not have an associated IpDynVpnAction statement in the policy agent configuration file. When the connectivity rules in the GUI are configured with the IBM® Configuration Assistant for z/OS® Communications Server, they correspond to the policy agent configuration IpFilterRule statements. The security levels that use dynamic tunnels in the GUI correspond to the IpDynVpnAction statements. In the message
text:
System actionThe Security Association (SA) negotiation fails; IKE daemon processing continues. Operator responseNone. System programmer responseIf the specified traffic is to be protected by a dynamic SA, then update the configuration. If the remote system is behind a NAT, ensure that the remote_ip in the filter rule is the public address of the peer system. If the remote system is behind a gateway behind a NAT, ensure the remote_ip in the filter rule is the public address of the gateway. If you are updating the configuration without the IBM Configuration Assistant for z/OS Communications Server, update the IpFilterPolicy statement to define an IpFilterRule statement with an IpDynVpnAction statement for the traffic pattern identified in the message. See the information about Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference for more information about configuring policy. If you are updating the configuration with the IBM Configuration Assistant for z/OS Communications Server, update the TCP/IP stack connectivity rules so that the specified traffic is protected by a security level that uses a dynamic tunnel. See the online help in the GUI for additional information. User responseNot applicable. Problem determinationNone. Sourcez/OS Communications Server TCP/IP: IKE daemon ModuleCommonIPsecSA.cpp Routing code11 Descriptor code7 AutomationThis message is output to the syslog. Example
|
Copyright IBM Corporation 1990, 2014
|