Explanation
An IP packet matched the indicated filter rule, but no matching tunnel was found. For this message to be written, the matched filter rule must have IpFilterLogging set to yes.
timestamp is the stack timestamp that indicates the time at which the IP packet was processed by the stack. This time is retrieved from the system time-of-day clock, which usually reflects coordinated universal time (UTC). This timestamp might be different from the syslogd message timestamp.

rulename is the filter rule name. If the IP packet matched a dynamic filter rule, the rule name of the corresponding anchor filter rule is displayed; otherwise, the rule name of the matching filter rule is displayed.
- In the policy agent configuration file, rulename is the name specified on the IpFilterRule statement.
- When configured with the IBM® Configuration Assistant for z/OS® Communications Server, rulename corresponds to the name of a Connectivity Rule in the GUI. rulename also contains a suffix appended to the Connectivity Rule name to guarantee uniqueness.

instance is the rule name extension that indicates which instance of the rule name was matched.
sipaddr is the source IP address.

dipaddr is the destination IP address.

proto is the protocol from the packet. Possible values are:
- ICMP(1)
- IGMP(2)
- IP(4)
- TCP(6)
- UDP(17)
- ESP(50)
- AH(51)
- ICMPv6(58)
- OSPF(89)
- IPIP(94)
- MIPv6(135)
- Unknown
- The protocol number
The tag1 value varies depending on the proto value.
- If the proto value is ICMP or ICMPv6, the tag1 value is type= followed by the ICMP or ICMPv6 type, or followed by the value Unknown if the ICMP header is not present in the packet as the result of fragmentation.
- If the proto value is TCP or UDP, the tag1 value is sport= followed by the source port, or followed by the value Unknown if the TCP or UDP header is not present in the packet as the result of fragmentation.
- If the proto value is OSPF, the tag1 value is type= followed by the type, or followed by the value Unknown if the OSPF header is not present in the packet as the result of fragmentation.
- If the proto value is MIPv6, the tag1 value is type= followed by the type, or followed by the value Unknown if the MIPv6 header is not present in the packet as the result of fragmentation.
- If the proto value is any value not previously mentioned, the tag1 value is -=, which indicates that the data is not applicable.
The tag2 value varies depending on the proto value.
- If the proto value is ICMP or ICMPv6, the tag2 value is code= followed by the ICMP or ICMPv6 code, or followed by the value Unknown if the ICMP header is not present in the packet as the result of fragmentation.
- If the proto value is TCP or UDP, the tag2 value is dport= followed by the destination port, or followed by the value Unknown if the TCP or UDP header is not present in the packet as the result of fragmentation.
- If the proto value is any value not previously mentioned, the tag2 value is -=, which indicates that the data is not applicable.

The tag3 value varies depending on the proto value and the direction.
- If the proto value is TCP or UDP, the direction is inbound, and the port has been translated by the CommServer NAT Traversal function, the tag3 value is origport= followed by the original source port.
- If the proto value is TCP or UDP, the direction is outbound, and the port has been translated by the CommServer NAT Traversal function, the tag3 value is origport= followed by the original destination port.
- If the proto value is any value not previously mentioned, the tag3 value is -=, which indicates that the data is not applicable.
ifcaddr is the interface address over which the packet was received or sent.

dir is I if the packet is inbound, or O if the packet is outbound.

secclass is the security class assigned to the interface. The security class is a numeric value in the range 0–255.

dest is local if the packet has a local destination, or routed if the packet is being routed.

len is the packet length.

vpnaction is the vpnaction name. If no tunnel is associated with the matched filter, vpnaction displays N/A.
- In the policy agent configuration file, the vpnaction value is one of the following:
  - If the tunnel is a manual tunnel, vpnaction is the name specified on the IpManVpnAction statement.
  - If the tunnel is a dynamic tunnel, vpnaction is the name specified on the IpDynVpnAction statement.
- When configured with the IBM Configuration Assistant for z/OS Communications Server, the vpnaction name corresponds to the name of the security level in the GUI. The vpnaction name also contains a suffix appended to the security level name to guarantee uniqueness.

ifcname is the interface name.

frag specifies whether the packet is a fragment. The value is Y if the packet is a fragment, or N if the packet is not a fragment.
System action
TCP/IP processing continues.
Operator response
Contact the system programmer.
System programmer response
For manual tunnels, verify that the IPSecurity policy defined a tunnel and that the time conditions are correct.

For dynamic tunnels, this message can occur if the tunnel is not found and AllowOnDemand No is specified in the policy. If this traffic should be allowed, either activate the tunnel using the ipsec command or change the policy to allow OnDemand negotiations of Security Associations.
- In the policy agent configuration file, take the following actions:
  - Set the time conditions by using the IpTimeCondition statement. Time conditions can be included in an IpFilterRule statement or in an IpManVpnAction statement.
  - Set AllowOnDemand on either the IpFilterPolicy statement or on an IpLocalStartAction statement.
- When configured with the IBM Configuration Assistant for z/OS Communications Server, take the following actions:
  - Set the time conditions in the Advanced Settings panel of a security level that is defined as a manual tunnel, or in the Connectivity Rule Advanced IPSec: Filter Logging / Effective Time panel.
  - Set AllowOnDemand on the Connectivity Rule Advanced IPSec: Dynamic Tunnels: How to Activate panel.
User response
Problem determination
Source
z/OS Communications
Server TCP/IP: TRMD
Module
Routing code
Descriptor code
Automation
Example
EZD0821I Packet denied, no tunnel: 07/05/2007 16:19:44.39 filter rule= ipsec-2 ext= 1
sipaddr= 9.42.130.185 dipaddr= 10.1.1.1 proto= tcp(6) sport= 80 dport= 1026 -=
Interface= 9.1.1.1 (O) secclass= 255 dest= local len= 284 vpnaction= DynAction
ifcname= TRLE1AL fragment= N
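The field layout described in the Explanation section and shown in the example above is what a SIEM or automation script has to parse before it can count denials per flow or alert on repeated "no tunnel" events. The following parser is an added example, not IBM code: it assumes only the layout documented on this page (a header with the timestamp, filter rule= and ext=, followed by key= value pairs, -= marking a tag that does not apply, and the interface address carrying the direction as (I) or (O)), tolerates any syslogd prefix before EZD0821I, and folds the continuation lines of one record before matching. The second sample record (an inbound ICMP fragment with no associated tunnel) is constructed for the example and is not from the page; the dataclass and function names are the example's own.

```python
"""Parse z/OS Communications Server EZD0821I "Packet denied, no tunnel" records.

Added example, not IBM code. Assumes the layout documented on the page:
header, then "key= value" pairs; "-=" marks a tag that does not apply;
the Interface address carries the direction as "(I)" or "(O)".
"""
import re
from dataclasses import dataclass, field
from typing import Optional

HEADER_RE = re.compile(
    r"EZD0821I Packet denied, no tunnel:\s+"
    r"(?P<timestamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"filter rule=\s*(?P<rulename>\S+)\s+ext=\s*(?P<instance>\S+)\s*(?P<rest>.*)$"
)
PROTO_RE = re.compile(r"^(?P<name>[^()]+)\((?P<num>\d+)\)$")  # e.g. tcp(6)
IFC_RE = re.compile(r"^(?P<addr>\S+)\s*\((?P<dir>[IO])\)$")   # e.g. 9.1.1.1 (O)

# The page's own example message, split across lines as the page shows it.
PAGE_EXAMPLE = """EZD0821I Packet denied, no tunnel: 07/05/2007 16:19:44.39 filter rule= ipsec-2 ext= 1
sipaddr= 9.42.130.185 dipaddr= 10.1.1.1 proto= tcp(6) sport= 80 dport= 1026 -=
Interface= 9.1.1.1 (O) secclass= 255 dest= local len= 284 vpnaction= DynAction
ifcname= TRLE1AL fragment= N"""

# Constructed sample (not from the page), with a made-up syslogd prefix: an inbound
# ICMP fragment whose ICMP header was lost to fragmentation (type/code Unknown),
# matched by a filter with no associated tunnel (vpnaction N/A).
CONSTRUCTED_FRAGMENT = (
    "Jul  5 16:20:01 mvs1 TRMD: EZD0821I Packet denied, no tunnel: 07/05/2007 16:20:01.10 "
    "filter rule= ipsec-icmp ext= 1 sipaddr= 10.0.0.5 dipaddr= 10.1.1.1 proto= icmp(1) "
    "type= Unknown code= Unknown -= Interface= 9.1.1.1 (I) secclass= 0 dest= local "
    "len= 60 vpnaction= N/A ifcname= TRLE1AL fragment= Y"
)


@dataclass
class Ezd0821i:
    timestamp: str
    rulename: str
    instance: str
    sipaddr: str
    dipaddr: str
    proto_name: str
    proto_num: Optional[int]   # None when the message says Unknown
    ifcaddr: str
    direction: str             # "I" inbound, "O" outbound
    secclass: int
    dest: str
    length: int
    vpnaction: str             # "N/A" when no tunnel is associated with the filter
    ifcname: str
    fragment: bool
    tags: dict = field(default_factory=dict)  # sport/dport, type/code, origport


def _parse_pairs(rest: str) -> dict:
    """Turn 'key= value key2= value2 -= ...' into a dict.

    A key followed directly by another key has no value (the message writes
    '-=' for a tag that does not apply). A token that follows a value without
    being a key itself, such as the '(O)' after the Interface address, is
    appended to that value.
    """
    pairs: dict = {}
    key = None
    for tok in rest.split():
        if tok.endswith("="):
            key = tok[:-1]
            pairs[key] = None
        elif key is not None:
            pairs[key] = tok if pairs[key] is None else pairs[key] + " " + tok
    return pairs


def parse_ezd0821i(record: str) -> Ezd0821i:
    """Parse one message; continuation lines are folded before matching."""
    line = " ".join(record.split())
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not an EZD0821I 'no tunnel' message")
    p = _parse_pairs(m.group("rest"))
    raw_proto = p.get("proto") or "Unknown"
    pm = PROTO_RE.match(raw_proto)
    if pm:
        proto_name, proto_num = pm.group("name"), int(pm.group("num"))
    elif raw_proto.isdigit():   # the page lists a bare protocol number as possible
        proto_name, proto_num = raw_proto, int(raw_proto)
    else:                       # Unknown
        proto_name, proto_num = raw_proto, None
    im = IFC_RE.match(p.get("Interface") or "")
    if not im:
        raise ValueError("Interface= field missing or malformed")
    return Ezd0821i(
        timestamp=m.group("timestamp"), rulename=m.group("rulename"),
        instance=m.group("instance"), sipaddr=p["sipaddr"], dipaddr=p["dipaddr"],
        proto_name=proto_name, proto_num=proto_num,
        ifcaddr=im.group("addr"), direction=im.group("dir"),
        secclass=int(p["secclass"]), dest=p["dest"], length=int(p["len"]),
        vpnaction=p["vpnaction"], ifcname=p["ifcname"], fragment=p["fragment"] == "Y",
        tags={k: v for k, v in p.items() if k in ("sport", "dport", "type", "code", "origport")},
    )


def flow_key(rec: Ezd0821i) -> tuple:
    """5-tuple for counting repeated denials per flow (e.g. before alerting)."""
    return (rec.sipaddr, rec.dipaddr, rec.proto_num, rec.tags.get("sport"), rec.tags.get("dport"))


if __name__ == "__main__":
    for text in (PAGE_EXAMPLE, CONSTRUCTED_FRAGMENT):
        rec = parse_ezd0821i(text)
        print(rec.rulename, rec.direction, rec.proto_name, rec.tags, rec.vpnaction, flow_key(rec))
```

Keeping the tag fields in a dict rather than fixed attributes is deliberate: as the Explanation section describes, the same positions carry sport=/dport= for TCP and UDP, type=/code= for ICMP and ICMPv6, and -= when the header was lost to fragmentation, so the key names are the reliable signal. A vpnaction of N/A together with a dynamic rule name is the case the System programmer response attributes to AllowOnDemand No, which is worth surfacing separately when grouping these events.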