EZD1797I z/OS Communications Server: IP Messages Volume 2 (EZB, EZD) SC27-3655-01
EZD1797I Traffic specification requires NON_FIRST_FRAGMENTS_ALSO but IKEv2 peer did not send it

Explanation
When an IP packet that has upper-layer transport selectors (TCP port, UDP port, ICMP type and code, or MIPv6 type) is fragmented, only the first fragment contains the transport selectors. The remaining fragments are known as non-first fragments. Filtering these non-first fragments carries potential security risks because their port, type, or code values are unknown. Because of these risks, RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2), requires IKEv2 peers to use the NON_FIRST_FRAGMENTS_ALSO notify payload to negotiate support for non-first fragments. This negotiation determines whether non-first fragments are allowed to be carried on the IPSec Security Association (SA). They are allowed if the SA meets the following criteria:

z/OS Communications Server does not implement stateful fragment checking, so it does not require the NON_FIRST_FRAGMENTS_ALSO notify payload for SAs that carry routed traffic. However, z/OS Communications Server does require the NON_FIRST_FRAGMENTS_ALSO notify payload for SAs that carry local traffic, because it sends local non-first fragments over the same SA as the first fragments. If the peer does not include this notify payload, it cannot receive the non-first fragments that z/OS might send over this SA. z/OS fails the SA negotiation and generates this message because the peer is not prepared to receive all possible traffic that z/OS Communications Server might send over the SA.

System action
The SA negotiation fails. The IKE daemon processing continues.

Operator response
None.

System programmer response
Consult the syslog output to identify other messages that indicate which policy rules relate to the error. To prevent this failure, perform one of the following actions:

User response
Not applicable.

Problem determination
None.

Source
z/OS Communications Server TCP/IP: IKE daemon

Module
IKEv2TSRequest.cpp, IKEv2TSResponse.cpp

Routing code
11

Descriptor code
7

Automation
This message is output to syslog.

Example
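The following is an added illustration, not an example from this manual or from the z/OS IKE daemon: it walks a constructed IKEv2 payload chain, detects whether the peer included the NON_FIRST_FRAGMENTS_ALSO notify (notify message type 16395, payload type 41 per RFC 5996), and applies the rule the Explanation describes, in which an SA carrying local traffic needs the notify and an SA carrying routed traffic does not. The sample byte strings, the TSi body, and the function names are assumptions made for this example.

```python
import struct

# IKEv2 constants from RFC 5996 (payload types in s3.2, notify types in s3.10.1)
PAYLOAD_NOTIFY = 41
PAYLOAD_TSi = 44
NON_FIRST_FRAGMENTS_ALSO = 16395

def build_payload(next_type, body):
    """Generic IKEv2 payload header: Next Payload, C/Reserved, Payload Length."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

def parse_payloads(first_type, data):
    """Walk a payload chain starting with first_type; yield (payload_type, body)."""
    ptype, off = first_type, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _reserved, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        yield ptype, data[off + 4:off + length]
        ptype, off = next_type, off + length

def peer_sent_non_first_fragments_also(first_type, data):
    """True if the chain carries a NON_FIRST_FRAGMENTS_ALSO notify (SPI size 0)."""
    for ptype, body in parse_payloads(first_type, data):
        if ptype == PAYLOAD_NOTIFY and len(body) >= 4:
            _proto, spi_size, msg_type = struct.unpack_from("!BBH", body)
            if msg_type == NON_FIRST_FRAGMENTS_ALSO and spi_size == 0:
                return True
    return False

def check_child_sa(local_traffic, first_type, data):
    """z/OS rule from the Explanation: local-traffic SAs need the notify, routed do not."""
    if local_traffic and not peer_sent_non_first_fragments_also(first_type, data):
        return "EZD1797I: fail SA negotiation"
    return "accept"

# Constructed sample chains (assumed values, not real captures).
# First chain: Notify(NON_FIRST_FRAGMENTS_ALSO) -> TSi, last Next Payload = 0.
NOTIFY_BODY = struct.pack("!BBH", 0, 0, NON_FIRST_FRAGMENTS_ALSO)
TSi_BODY = b"\x01\x00\x00\x00"  # placeholder TSi body; its selectors are not parsed here
WITH_NOTIFY = build_payload(PAYLOAD_TSi, NOTIFY_BODY) + build_payload(0, TSi_BODY)
# Second chain: TSi only, the peer omitted the notify.
WITHOUT_NOTIFY = build_payload(0, TSi_BODY)
```

Calling check_child_sa(True, PAYLOAD_TSi, WITHOUT_NOTIFY) reproduces the failing case this message reports, while the same chain with local_traffic=False is accepted.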
Copyright IBM Corporation 1990, 2014