QDIO Accelerator and IP security

When you enable IP security, the TCP/IP stack applies your configured filter policy to IP packets that it receives and sends. Depending on your filter policy, the IP layer might permit packets, deny packets, or protect packets using IPSec. For more information about IP security, see IP security.

QDIO Accelerator processes some packets at the DLC layer, bypassing the IP layer. If QDIO Accelerator were allowed to route such packets, the IP layer could not perform any special processing that your filter policy requires for them.

When IP security is enabled, sysplex distributor packets are always eligible for acceleration using QDIO Accelerator because the packets are subject to IP filtering at the target stack rather than the distributor stack. However, QDIO Accelerator might not be able to forward routed traffic when IP security is enabled if any of your routed traffic is subject to special processing in your filter policy.

QDIO Accelerator forwards routed traffic only if your IP filter policy and defensive filters explicitly permit all routed traffic without logging. If your IP filter policy and defensive filters do not explicitly permit all routed traffic without logging, QDIO Accelerator does not forward routed traffic and one or more of the following messages is displayed on your console:

If you have enabled IP security and you want to allow QDIO Accelerator to forward routed traffic, see Steps to allow QDIO Accelerator to forward routed traffic when IP security is enabled.