An IP packet matched the indicated filter rule but further processing for NAT Traversal caused the packet to be denied. The rsn field provides more detailed information. For this message to be written, the matched filter rule must have IpFilterLogging set to yes.
timestamp is the stack timestamp that indicates the time at which the IP packet was denied by the stack. This time is retrieved from the system time-of-day clock, which usually reflects coordinated universal time (UTC). This timestamp might differ from the syslogd message timestamp.
rulename is the anchor filter rule name. The value of N/A is displayed when a target stack is processing an inbound packet that was received on the distributing stack as a UDP-encapsulated ESP packet. The packet was decapsulated by the distributor before the distributor forwarded it to the target stack.
instance is the rule name extension that indicates which instance of the rule name was matched. The value of N/A is displayed when a target stack is processing an inbound packet that was received on the distributing stack as a UDP-encapsulated ESP packet. The packet was decapsulated by the distributor before the distributor forwarded it to the target stack.
sipaddr is the source IP address.
dipaddr is the destination IP address.
ifcaddr is the interface address over which the packet was received or sent.
dir is I if the packet is inbound or O if the packet is outbound.
dest is local if the packet is destined for the local host, or routed if the packet is being routed.
len is the packet length.
vpnaction is the name specified on the IpDynVpnAction statement for the referenced filter rule.
rsn value | Affected packet | Explanation | Comments |
---|---|---|---|
1 | Inbound TCP or UDP packet. | An internal error occurred when attempting to create a NAT Resolution Filter. | |
2 | Inbound TCP or UDP packet. | No storage could be allocated for a NAT Resolution Filter. | Storage to complete the request is not currently available. Until the storage shortage is relieved, packets will continue to be discarded. |
3 | Inbound TCP or UDP packet. | Unable to allocate a NAT Resolution Filter. The tunnel over which the packet was received cannot be found for the filter rule that the packet matched. | This could be the result of a policy mismatch between the peers. For example, an inbound packet that is received in the clear (for example, not encapsulated) but matches on a filter rule that specifies encapsulation. |
4 | Inbound non-TCP/UDP/ICMP packet | An inbound packet with a protocol not equal to TCP(6), UDP(17), or ICMP(1) matched on a NAT Traversal Anchor Filter. | When the IKE peer is a security gateway or the IKE peer is behind an NAPT, only inbound packets with a protocol value of TCP, UDP, or ICMP are supported over the UDP-encapsulated ESP tunnel. |
5 | Outbound TCP or UDP packet. | Unable to locate a matching NAT Resolution Filter. | When the IKE peer is a security gateway or the IKE peer is behind an NAPT, the NAT Resolution Filter is needed to determine which tunnel should be used for outbound packets. Data must be initiated from the client behind the security gateway or the client behind the NAPT. |
6 | Outbound non-TCP/UDP/ICMP packet | An outbound packet with a protocol not equal to TCP(6), UDP(17), or ICMP(1) matched on a NAT Traversal Anchor Filter. | When the IKE peer is a security gateway or the IKE peer is behind an NAPT, only outbound packets with a protocol value of TCP, UDP, or ICMP are supported over the UDP-encapsulated ESP tunnel. |
7 | Inbound ICMP packet | The tunnel over which the packet was received cannot be found for the filter rule that the ICMP packet matched. | This could be the result of a policy mismatch between the peers. |
8 | Outbound ICMP packet | Unable to locate the tunnel to use for the outbound packet. The outbound ICMP packet is not in response to an inbound packet. | When the IKE peer is a security gateway or the IKE peer is behind an NAPT, an outbound ICMP packet can be sent only over a UDP-encapsulated ESP tunnel in response to an inbound packet. For example, an Echo response can be sent in response to an Echo Request. Or an ICMP Port Unreachable message can be sent in response to an inbound UDP packet. |
9 | Outbound ICMP packet | Unable to locate the tunnel to use for the outbound packet. The outbound ICMP packet cannot use the same tunnel as the inbound request. | When the IKE peer is a security gateway or the IKE peer is behind an NAPT, an outbound ICMP packet can be encapsulated and sent over a tunnel if the following are true: If, for example, separate tunnels are negotiated for UDP and ICMP traffic, an outbound ICMP port unreachable packet cannot be sent over the same tunnel as the inbound UDP packet that triggered the ICMP outbound packet. When the IKE peer is a security gateway or the IKE peer is behind an NAPT and UDP-encapsulated ESP tunnels are being used, consideration should be given to using tunnels that encompass all protocols. |
10 | Inbound or outbound TCP packet | Unable to accept the TCP packet because the IPSec policy for the TCP connection has changed. The connection was initiated as clear text traffic but is now using a UDP-encapsulated tunnel or vice versa. | When a TCP connection traverses a NAT, the connection must be restarted after a filter policy change that causes the connection's traffic to change from IPSec-protected traffic to clear text, or from clear text to IPSec-protected traffic. |
11 | Outbound packet | Unable to determine the local host public address for use in the IP header of the inner packet. | When the IKE peer is a security gateway and the NAT is in front of the local host, an outbound packet can be encapsulated and sent over a tunnel only if a packet has first been received inbound over the tunnel. Data must be initiated from the client behind the security gateway. |
12 | Inbound TCP or UDP packet | An internal error occurred when attempting to create a NAT Resolution Filter. | |
ifcname is the interface name.
frag specifies whether the packet is a fragment. The value is Y if the packet is a fragment, or N if the packet is not a fragment.
The packet is dropped and TCP/IP processing continues.
If the rsn value is 10, restart the TCP connection. Otherwise, contact the system programmer.
rsn value | System programmer response |
---|---|
1 | Contact the IBM® Software Support Center. |
2 | Determine the cause of the storage shortage. See the information about storage shortages in z/OS Communications Server: IP Diagnosis Guide. |
See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec command in a z/OS® UNIX shell to obtain information about the ipsec command syntax and options.
z/OS Communications Server TCP/IP: TRMD
EZATRZOS
```
EZD0832I Packet denied by NAT Traversal Processing: 07/05/2007 16:19:44.39 filter rule= ipsec-2 ext= 1
sipaddr= 9.42.130.185 dipaddr= 10.1.1.1 proto= tcp(6) sport= 1026 dport= 80 -=
Interface= 9.1.1.1 (I) secclass= 255 dest= local len= 284 vpnaction= DynAction rsn= 4
ifcname= TRLE1AL fragment= N
```
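As an added example (not part of the z/OS documentation), a small Python parser for the message format shown above that maps each denied packet's rsn value to the explanation and operator response documented on this page. The syslog prefix, the unrelated line and the rsn=10 outbound variant are constructed; only the first EZD0832I message is the page's own example.

```python
import re
RSN_EXPLANATION = {  # documented rsn values, abridged from the table above
    1: "internal error creating a NAT Resolution Filter",
    2: "no storage for a NAT Resolution Filter",
    3: "tunnel for the inbound packet not found (possible policy mismatch)",
    4: "inbound non-TCP/UDP/ICMP protocol on a NAT Traversal anchor filter",
    5: "no matching NAT Resolution Filter for the outbound packet",
    6: "outbound non-TCP/UDP/ICMP protocol on a NAT Traversal anchor filter",
    7: "tunnel for the inbound ICMP packet not found (possible policy mismatch)",
    8: "outbound ICMP packet is not a response to an inbound packet",
    9: "outbound ICMP packet cannot use the tunnel of the inbound request",
    10: "IPSec policy for the TCP connection changed (clear text <-> tunnel)",
    11: "local host public address for the inner IP header is unknown",
    12: "internal error creating a NAT Resolution Filter",
}
MSG_RE = re.compile(r"EZD0832I Packet denied by NAT Traversal Processing:\s+"
                    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<rest>.*)")
KV_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)=\s*(\S+)")  # "key= value"; a key may contain a space
DIR_RE = re.compile(r"Interface=\s*\S+\s*\((I|O)\)")   # interface address is followed by (I) or (O)

def parse_ezd0832i(line):
    """Return the fields of one EZD0832I message as a dict, or None for any other line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"timestamp": m.group("ts")}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key.strip()] = val
    d = DIR_RE.search(m.group("rest"))
    rec["dir"] = d.group(1) if d else None
    rec["rsn"] = int(rec["rsn"]) if rec.get("rsn", "").isdigit() else None
    return rec

def triage(rec):
    """Attach the documented explanation and operator response to a parsed record."""
    rsn = rec["rsn"]
    return {
        "flow": f"{rec.get('sipaddr')}:{rec.get('sport')} -> {rec.get('dipaddr')}:{rec.get('dport')} {rec.get('proto')} dir={rec.get('dir')} rule={rec.get('filter rule')}",
        "explanation": RSN_EXPLANATION.get(rsn, "rsn value not documented"),
        # operator response from the page: only rsn 10 is cleared by restarting the connection
        "response": "restart the TCP connection" if rsn == 10 else "contact the system programmer",
    }
def triage_log(lines):  # parse and triage every EZD0832I line; other syslog lines are skipped
    return [triage(r) for r in map(parse_ezd0832i, lines) if r]
# Constructed input: the page's example joined onto one syslog line, plus an rsn=10 variant made from it.
EXAMPLE = ("EZD0832I Packet denied by NAT Traversal Processing: 07/05/2007 16:19:44.39 filter rule= ipsec-2 ext= 1 "
           "sipaddr= 9.42.130.185 dipaddr= 10.1.1.1 proto= tcp(6) sport= 1026 dport= 80 -= Interface= 9.1.1.1 (I) "
           "secclass= 255 dest= local len= 284 vpnaction= DynAction rsn= 4 ifcname= TRLE1AL fragment= N")
SAMPLE_LINES = ["Jul  5 16:19:44 mvs1 TRMD: " + EXAMPLE, "unrelated syslog line",
                EXAMPLE.replace("(I)", "(O)").replace("rsn= 4", "rsn= 10")]
```

Calling `triage_log(SAMPLE_LINES)` yields one triage record per EZD0832I line; the rsn=4 example is routed to the system programmer and the rsn=10 variant to a connection restart.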