z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)


SC27-3655-01

EZD1795I
A matching IpFilterRule with an IpDynVpnAction was not found for protecting proto_name traffic between local_ip local_selector_type local_selector and remote_ip remote_selector_type remote_selector

Explanation

An IKE negotiation failed because a matching IpFilterRule statement could not be found or because the IpFilterRule statement that was found did not have an associated IpDynVpnAction statement in the policy agent configuration file.

When the connectivity rules in the GUI are configured with the IBM® Configuration Assistant for z/OS® Communications Server, they correspond to the policy agent configuration IpFilterRule statements. The security levels that use dynamic tunnels in the GUI correspond to the IpDynVpnAction statements.

In the message text:
proto_name
The protocol of the traffic to be protected by the tunnel.
local_ip
The local IP address of the traffic to be protected by the tunnel.
local_selector_type and remote_selector_type
The type of upper-layer selectors to be protected by the tunnel. The selector type value N/A means that the selector type is not applicable.
local_selector
The upper-layer selector of the local traffic to be protected by the tunnel. The local selector value N/A means that the local selector is not applicable.
remote_ip
The remote IP address of the traffic to be protected by the tunnel.
remote_selector
The upper-layer selector of the remote traffic to be protected by the tunnel. The remote selector value N/A means that the remote selector is not applicable.

System action

The Security Association (SA) negotiation fails; IKE daemon processing continues.

Operator response

None.

System programmer response

If the specified traffic is to be protected by a dynamic SA, then update the configuration. If the remote system is behind a NAT, ensure that the remote_ip in the filter rule is the public address of the peer system. If the remote system is behind a gateway behind a NAT, ensure the remote_ip in the filter rule is the public address of the gateway.

If you are updating the configuration without the IBM Configuration Assistant for z/OS Communications Server, update the IpFilterPolicy statement to define an IpFilterRule statement with an IpDynVpnAction statement for the traffic pattern identified in the message. See the information about Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference for more information about configuring policy.

If you are updating the configuration with the IBM Configuration Assistant for z/OS Communications Server, update the TCP/IP stack connectivity rules so that the specified traffic is protected by a security level that uses a dynamic tunnel. See the online help in the GUI for additional information.

User response

Not applicable.

Problem determination

None.

Source

z/OS Communications Server TCP/IP: IKE daemon

Module

CommonIPsecSA.cpp

Routing code

11

Descriptor code

7

Automation

This message is output to the syslog.

Example

EZD1795I A matching IpFilterRule with an IpDynVpnAction was not found for  protecting UDP(17) traffic 
         between 1.2.0.1 port 2000 and 1.1.0.1 port 3000
EZD1795I A matching IpFilterRule with an  IpDynVpnAction was not found for protecting IP(4) traffic 
         between 1.2.0.1 N/A  N/A and 1.1.0.1 N/A N/A
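
Because the message goes to the syslog, the traffic patterns that lack an IpFilterRule with an IpDynVpnAction can be pulled out and counted before the policy is updated. The following parser is an added example, not IBM code: the function names are hypothetical, and the timestamps, host name and tag in the sample log are constructed, with only the EZD1795I text following the layout shown on this page.

```python
import re
from collections import Counter

# Layout taken from the message text on this page; fields are whitespace-delimited.
EZD1795I = re.compile(
    r"EZD1795I A matching IpFilterRule with an IpDynVpnAction was not found "
    r"for protecting (?P<proto>\S+) traffic between "
    r"(?P<local_ip>\S+) (?P<local_type>\S+) (?P<local_sel>\S+) and "
    r"(?P<remote_ip>\S+) (?P<remote_type>\S+) (?P<remote_sel>\S+)"
)

def parse_ezd1795i(text):
    """Return one dict per EZD1795I occurrence; N/A selectors become None."""
    flat = " ".join(text.split())  # undo line wrapping and repeated spaces
    records = []
    for m in EZD1795I.finditer(flat):
        rec = {k: (None if v == "N/A" else v) for k, v in m.groupdict().items()}
        records.append(rec)
    return records

def missing_rule_patterns(text):
    """Count failed negotiations per distinct traffic pattern."""
    keys = ("proto", "local_ip", "local_sel", "remote_ip", "remote_sel")
    return Counter(tuple(r[k] for k in keys) for r in parse_ezd1795i(text))

# Constructed sample: prefixes are made up; message bodies follow the page's examples.
SAMPLE_SYSLOG = """\
Jan 10 09:15:01 MVS1 IKE: EZD1795I A matching IpFilterRule with an IpDynVpnAction was not found for  protecting UDP(17) traffic
         between 1.2.0.1 port 2000 and 1.1.0.1 port 3000
Jan 10 09:15:07 MVS1 IKE: unrelated constructed line
Jan 10 09:16:30 MVS1 IKE: EZD1795I A matching IpFilterRule with an  IpDynVpnAction was not found for protecting IP(4) traffic
         between 1.2.0.1 N/A  N/A and 1.1.0.1 N/A N/A
Jan 10 09:17:02 MVS1 IKE: EZD1795I A matching IpFilterRule with an IpDynVpnAction was not found for protecting UDP(17) traffic between 1.2.0.1 port 2000 and 1.1.0.1 port 3000
"""

if __name__ == "__main__":
    # Most frequent unmatched pattern first: these are the rules to add or correct.
    for pattern, count in missing_rule_patterns(SAMPLE_SYSLOG).most_common():
        print(count, pattern)
```

Each distinct tuple in the output is one traffic pattern to compare against the IpFilterRule statements (or connectivity rules) in the policy.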





Copyright IBM Corporation 1990, 2014