The Internet Key Exchange (IKE) daemon attempted to initiate a new Security Association (SA) with a remote security endpoint that is behind a NAT performing port translation (NAPT). The z/OS® IKE daemon cannot initiate such a Security Association but can respond to negotiations with a remote security endpoint behind an NAPT.

A new SA of this configuration type is not supported because there might be problems with future negotiations and traffic flow. See the information about NAT traversal considerations in z/OS Communications Server: IP Diagnosis Guide for more information. z/OS is providing NAT traversal support for a defined group of configurations where z/OS is running IKE. A description of the supported configurations is provided in configuration scenarios supported for NAT traversal in z/OS Communications Server: IP Configuration Guide.

Additional diagnostic messages that have the same message instance number will be issued to identify the impacted SA. The message instance number precedes the message number in the log output and is used to group related messages from the IKE daemon.

In the message text:

phase

The phase (1 or 2) that the negotiation was in when the error occurred.