z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)


SC27-3655-01

EZD1909I
IP validation failed: the remote identity peer_id does not match remote IP address peer_ip_addr

Explanation

Local policy required that the IP type identity of the internet key exchange (IKE) peer be validated by comparing it to the IP address of the IKE peer. The IP validation failed because the remote identity received from the IKE peer does not match the IP address of the IKE peer.

Additional diagnostic messages with the same message instance number will be issued to identify the impacted Security Association (SA). The message instance number precedes the message number in the log output and is used to group related messages from the IKE daemon.

In the message text:
peer_id
The identity of the IKE peer.
peer_ip_addr
The IP address of the IKE peer.

System action

The SA negotiation fails. IKE daemon processing continues.

Operator response

Contact the system programmer.

System programmer response

Locate the KeyExchangeRule statement in the IP Security (IPSec) policy definitions associated with the impacted SA. Then either set the BypassIPValidation parameter to yes in the associated KeyExchangeAction statement to avoid the IP validation check, or change the associated RemoteSecurityEndpoint Identity parameter to include the remote peer IP address. The IP validation check can be overridden globally by using the BypassIPValidation parameter on the KeyExchangePolicy statement in the IPSec policy. The BypassIPValidation parameter should be set to yes if the RemoteSecurityEndpoint peer is behind a network address translation (NAT) device.

See the information about Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference for more information about configuring policy.

User response

Not applicable.

Problem determination

Not applicable.

Source

z/OS® Communications Server TCP/IP: IKE daemon

Module

CommonDomainOfInterpretation.cpp

Routing code

*

Descriptor code

*

Automation

The message is output to syslog.

Example

EZD1909I  IP validation failed: the remote identity 10.83.2.4 does not match remote IP
          address 10.84.2.4
EZD1909I  IP validation failed: the remote identity 2001:db8:10::83:2:2 does not match
          remote IP address 2001:db8:10::84:2:2
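
An added log-triage example for this message, not part of the IBM documentation: it parses EZD1909I records out of syslog text, folds wrapped continuation lines as in the Example above, and lists which identities each peer address presented, which is the information needed before choosing between BypassIPValidation and a corrected RemoteSecurityEndpoint Identity. The function names, the leading-whitespace continuation convention, and the "more than one identity" review heuristic are assumptions; the sample input is constructed from the page's Example.

```python
import ipaddress
import re
from collections import defaultdict

# EZD1909I text as shown on this page; \s+ tolerates spacing left by line wrapping.
EZD1909I = re.compile(
    r"EZD1909I\s+IP\s+validation\s+failed:\s+the\s+remote\s+identity\s+(\S+)\s+"
    r"does\s+not\s+match\s+remote\s+IP\s+address\s+(\S+)")
# Constructed sample: the page's two wrapped examples plus two constructed lines.
SAMPLE = """\
EZD1909I  IP validation failed: the remote identity 10.83.2.4 does not match remote IP
          address 10.84.2.4
EZD1909I  IP validation failed: the remote identity 2001:db8:10::83:2:2 does not match
          remote IP address 2001:db8:10::84:2:2
EZD1909I  IP validation failed: the remote identity 10.83.2.9 does not match remote IP address 10.84.2.4
unrelated daemon output (constructed)
""".splitlines()

def join_wrapped(lines):
    """Fold indented continuation lines into the record they continue (assumed convention)."""
    records = []
    for line in lines:
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        elif line.strip():
            records.append(line.strip())
    return records

def parse_failures(lines):
    """Return (identity, peer_address) pairs parsed from EZD1909I records."""
    pairs = []
    for record in join_wrapped(lines):
        if (m := EZD1909I.search(record)):
            try:
                pairs.append(tuple(ipaddress.ip_address(g) for g in m.groups()))
            except ValueError:
                pass  # field is not an IP literal; leave the record for manual review
    return pairs

def identities_by_peer(pairs):
    """Map each peer IP address to the sorted list of identities it presented."""
    seen = defaultdict(set)
    for identity, peer in pairs:
        seen[str(peer)].add(str(identity))
    return {peer: sorted(ids) for peer, ids in seen.items()}

def peers_to_review(pairs):
    """Peers that presented more than one identity (added triage heuristic, an assumption)."""
    return sorted(p for p, ids in identities_by_peer(pairs).items() if len(ids) > 1)
```

Calling `identities_by_peer(parse_failures(SAMPLE))` gives the per-peer view; a peer with a single stable identity is the pattern a fixed NAT mapping or a stale Identity value produces.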





Copyright IBM Corporation 1990, 2014