EZD0811I   Decapsulation failed: timestamp sipaddr= sipaddr dipaddr= dipaddr proto= proto vpnaction= vpnaction tunnelID= tunID AHSPI= AHindex ESPSPI= ESPindex rsn=rsn ICSF Return Code= return_code ICSF Reason Code = reason_code ikeport= ikeport

Explanation

The IPSec packet cannot be decapsulated by the receiving stack and is discarded.

timestamp indicates when the decapsulation failure occurred. This time is retrieved from the system time-of-day clock, which usually reflects coordinated universal time (UTC). This timestamp might be different than the syslogd message timestamp.

sipaddr is the source IP address.

dipaddr is the destination IP address.

proto is the protocol. Possible values are:
  • ICMP(1)
  • IGMP(2)
  • IP(4)
  • TCP(6)
  • UDP(17)
  • ESP(50)
  • AH(51)
  • ICMPv6(58)
  • OSPF(89)
  • IPIP(94)
  • The protocol number
vpnaction is the vpnaction name. If no tunnel is found, vpnaction displays N/A.
  • In the Policy Agent configuration file:
    • If the tunnel is a manual tunnel, vpnaction is the name specified on the IpManVpnAction statement.
    • If the tunnel is a dynamic tunnel, vpnaction is the name specified on the IpDynVpnAction statement.
  • When configured with the IBM® Configuration Assistant for z/OS® Communications Server, the vpnaction name corresponds to the name of the security level in the GUI. The vpnaction name also contains a suffix appended to the security level name to guarantee uniqueness.

tunID is the tunnel ID. If the value of vpnaction is N/A, a tunnel with matching end points and security parameter indices (spi) could not be found.

AHindex is the AH security parameter index.

ESPindex is the ESP security parameter index.

rsn indicates the specific reason decapsulation failed.
rsn Value Explanation Comments
1 Decryption failed This problem might be caused by a transmission error or by a sender error. For manual tunnels, this might be the result of a policy definition error.
2 AH authentication failed This problem might be caused by a transmission error or by a sender error.

For manual tunnels, this might be the result of a policy definition error. This problem might also be caused by a failure in an ICSF service. If so, the specific failure will be reported on the ICSF Return Code and ICSF Reason Code fields.

3 ESP authentication failed This problem might be caused by a transmission error or by a sender error.

For manual tunnels, this might be the result of a policy definition error. This problem might also be caused by a failure in an ICSF service. If so, the specific failure will be reported on the ICSF Return Code and ICSF Reason Code fields.

4 Out of Replay window A transmission error might have occurred or a packet might have been delayed.
6 Unknown authentication algorithm An internal error occurred while authenticating the packet.
7 Unknown encryption algorithm An internal error occurred while decrypting the packet.
8 No tunnel found for AH SPI This message might be the result of a timing condition. On tunnel activation this message might be seen if packets are sent while one tunnel endpoint has the tunnel installed and the other tunnel endpoint does not. In this case, this is a transient condition and no action is required.

For manual tunnels, this might be the result of a policy definition error. This message can also be the result of a transmission error or a sender error.

9 No tunnel found for ESP SPI This message might be the result of a timing condition. On tunnel activation this message might be seen if packets are sent while one tunnel endpoint has the tunnel installed and the other tunnel endpoint does not. In this case, this is a transient condition and no action is required.

For manual tunnels, this might be the result of a policy definition error. This message can also be the result of a transmission error or a sender error.

10 More than one tunnel matched during decapsulation This might be due to one of the following problems:
  • For manual tunnels, there is an error in the spi values specified in the policy definition.
  • The packet is protected by nested tunnels and z/OS is the endpoint for more than 1 of these tunnels. This configuration is not supported by z/OS
11 IPSec headers did not match tunnel definition The policy, either the AH policy, the ESP policy, or both, defined for the tunnel did not match the IPSec protocols in the packet. For example, the policy specified encryption was required but no ESP header was found. For manual tunnels, this is most likely a policy definition error.
12 AH and ESP headers not in expected sequence For manual tunnels, this might be a result of a policy definition error.
13 Storage shortage Storage to complete the request is not currently available. Until the storage shortage is relieved, decapsulation will fail.
14 Encrypted data length is not a multiple of 8 bytes or 16 bytes if AES encryption or decryption is being used This problem might be caused by a transmission error or by faulty encryption of the data by the sender.
15 No data was sent in the packet This problem might be caused by a transmission error or by a sender error.
16 The packet is too small to contain the AH or ESP header This problem might be caused by a transmission error or by a sender error.
17 Invalid IP option length This problem might be caused by a transmission error or by a sender error.
18 UDP Encapsulation mismatch Either the packet was UDP-encapsulated and the tunnel did not indicate UDP encapsulation or the packet was not UDP-encapsulated and the tunnel expected UDP encapsulation.
19 Nested UDP-encapsulated headers This configuration is not supported by z/OS.
24 Failure in ICSF Service The ICSF Return Code and the ICSF Reason Code fields contain the return and reason codes that were returned from the ICSF service.
25 ICSF is not available Either ICSF is not active or it has not completed initialization.
26 Encapsulation mismatch The packet encapsulation did not match the local tunnel policy.

return_code is the return code value, in hexadecimal format, returned from the ICSF service.

reason_code is the reason code value, in hexadecimal format, returned from the ICSF service.

ikeport is the source port from the UDP encapsulation header. If the packet is not UDP encapsulated, the ikeport value is N/A.

System action

TCP/IP processing continues.

Operator response

Contact the system programmer.

System programmer response

The system programmer response depends on the rsn value:
rsn Value System programmer response
1, 2, 3 If the problem is transient, no action is required. For manual tunnels, verify that the security parameters and encryption keys on the IpManVpnAction statement are correctly defined. When configured with the IBM Configuration Assistant for z/OS Communications Server, the IpManVpnAction name corresponds to the name of the security level in the GUI. The IpManVpnAction name also contains a suffix that is appended to the security level name to guarantee uniqueness. For more details about the IpManVpnAction statement, see the information about Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference. Otherwise, ensure that the tunnel is defined correctly on the sending and receiving systems. Use the ipsec command to display filter and tunnel information. See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec command in a z/OS UNIX shell to obtain information about the ipsec command syntax and options.

If the problem was due to an ICSF failure, then see the information about the ICSF and TSS Return and Reason Codes in z/OS Cryptographic Services ICSF Application Programmer's Guide for the specific actions to be taken.

4 If the problem is transient, no action is required. Otherwise, ensure that the tunnel is defined and activated correctly on the sending and receiving systems. Use the ipsec command to display filter and tunnel information. The ipsec command can also be used to refresh or activate a tunnel. See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec command in a z/OS UNIX shell to obtain information about the ipsec command syntax and options.
6, 7 Contact the IBM Software Support Center.
8, 9 If the problem is transient, no action is required. For manual tunnels, verify the security parameters and encryption keys on the IpManVpnAction statement are correctly defined. For more details about the IpManVpnAction statement, see the information about Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference. Otherwise, ensure that the tunnel is defined and activated correctly on the sending and receiving systems. Use the ipsec command to display filter and tunnel information. The ipsec command can also be used to refresh or activate a tunnel. See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec in a z/OS UNIX shell to obtain information about the ipsec command syntax and options.
10 Ensure that the tunnel is defined correctly on the sending and receiving systems. Use the ipsec command to display filter and tunnel information. See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec command in a z/OS UNIX shell to obtain information about the ipsec command syntax and options.
11, 12 For manual tunnels, verify the security parameters and encryption keys on the IpManVpnAction statement are correctly defined. For more details about the IpManVpnAction statement, see the information about Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference. Otherwise, ensure that the tunnel is defined correctly on the sending and receiving systems. Use the ipsec command to display filter and tunnel information. See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec command in a z/OS UNIX shell to obtain information about the ipsec command syntax and options.
13 Determine the cause of the storage shortage.
14, 15, 16, 17 If the problem is transient, no action is required. Otherwise, ensure that the tunnel is defined correctly on the sending and receiving systems. Use the ipsec command to display filter and tunnel information. See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec command in a z/OS UNIX shell to obtain information about the ipsec command syntax and options.
18, 19 Ensure that the tunnel is defined correctly on the sending and receiving systems. Use the ipsec command to display filter and tunnel information. See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec command in a z/OS UNIX shell to obtain information about the ipsec command syntax and options.
24 See the information about the ICSF and TSS Return and Reason Codes in z/OS Cryptographic Services ICSF Application Programmer's Guide for the specific actions to be taken.
25 Start ICSF if it is not active.
26 Contact the IBM Software Support Center.

Module

EZATRMD

Procedure name

trmd_ipsec_log