z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)


SC27-3655-01

EZD2027I
Initiation of UDP encapsulated IKE version major.minor security association generation for tunnel ID is not permitted following DVIPA takeover; the remote peer is behind an NAPT, or is acting as a security gateway

Explanation

Negotiation of a UDP encapsulated security association (SA) following a dynamic virtual IP address (DVIPA) takeover was denied.

When performing UDP encapsulation, the z/OS® host is limited to acting in responder mode when the remote peer is behind a network address port translation (NAPT) device, or is acting as a security gateway. See Configuration scenarios supported for NAT traversal in z/OS Communications Server: IP Configuration Guide for more information.

Additional diagnostic messages that have the same message instance number will be issued to identify the impacted SA. The message instance number precedes the message number in the log output and is used to group related messages from the Internet Key Exchange (IKE) daemon.

In the message text:
major.minor
The major and minor version of the IKE protocol for the SA.
generation
The number used to differentiate SAs for the same tunnel. The first SA created for a tunnel is number 1.
ID
The tunnel prefix and number used to identify the tunnel. The tunnel prefix is K for an IKE tunnel and Y for a dynamic tunnel.

System action

The SA for the DVIPA was not reestablished; IKE daemon processing continues.

Operator response

Examine the IKE syslog to determine the remote peer. Attempt to recover the SA by initiating the SA negotiation from the remote security endpoint. See Configuration scenarios supported for NAT traversal in z/OS Communications Server: IP Configuration Guide for more information.

System programmer response

None.

User response

Not applicable.

Problem determination

Not applicable.

Source

z/OS Communications Server TCP/IP: IPSec

Module

CommonIPsecSA.cpp

Routing code

Not applicable for syslog message.

Descriptor code

Not applicable for syslog message.

Automation

This message goes to the syslog.

Example

EZD2027I Initiation of UDP encapsulated IKE version 2.0 security association 0 
for tunnel Y0 is not permitted following DVIPA takeover; 
the remote peer is behind an NAPT or is acting as a security gateway
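For syslog automation, the following added example (not IBM code) extracts the major.minor, generation and tunnel ID fields from EZD2027I text and lists the tunnels whose SA must be re-initiated from the remote security endpoint. It goes beyond the single message above by scanning a log excerpt that holds several messages; the function names and the second sample message are assumptions constructed for illustration.

```python
import re

# Tunnel ID prefixes as defined in the message description.
TUNNEL_KINDS = {"K": "IKE tunnel", "Y": "dynamic tunnel"}

# The comma after "NAPT" is optional: the message template has it,
# the sample output on this page does not.
EZD2027I = re.compile(
    r"EZD2027I Initiation of UDP encapsulated IKE version "
    r"(?P<major>\d+)\.(?P<minor>\d+) security association (?P<generation>\d+) "
    r"for tunnel (?P<prefix>[KY])(?P<number>\d+) is not permitted following "
    r"DVIPA takeover; the remote peer is behind an NAPT,? "
    r"or is acting as a security gateway"
)

def parse_ezd2027i(log_text):
    """Return one dict per EZD2027I occurrence in log_text, in log order."""
    # Messages may be wrapped across lines; collapse whitespace runs first.
    flat = " ".join(log_text.split())
    return [
        {
            "ike_version": (int(m["major"]), int(m["minor"])),
            "generation": int(m["generation"]),
            "tunnel_id": m["prefix"] + m["number"],
            "tunnel_kind": TUNNEL_KINDS[m["prefix"]],
        }
        for m in EZD2027I.finditer(flat)
    ]

def tunnels_needing_peer_initiation(log_text):
    """Distinct tunnel IDs whose SA was not reestablished after DVIPA takeover."""
    return sorted({rec["tunnel_id"] for rec in parse_ezd2027i(log_text)})

# Constructed sample: the wrapped example from this page, an unrelated line,
# and a second, made-up EZD2027I message for an IKE (K) tunnel.
SAMPLE_LOG = """\
EZD2027I Initiation of UDP encapsulated IKE version 2.0 security association 0
for tunnel Y0 is not permitted following DVIPA takeover;
the remote peer is behind an NAPT or is acting as a security gateway
some unrelated log line (constructed)
EZD2027I Initiation of UDP encapsulated IKE version 1.0 security association 2
for tunnel K12 is not permitted following DVIPA takeover;
the remote peer is behind an NAPT, or is acting as a security gateway
"""

if __name__ == "__main__":
    for record in parse_ezd2027i(SAMPLE_LOG):
        print(record)
    print(tunnels_needing_peer_initiation(SAMPLE_LOG))
```

Because the pattern is searched anywhere in the flattened text, any prefix the log adds before the message number (such as the message instance number) is ignored rather than parsed.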





Copyright IBM Corporation 1990, 2014