EZD0834I   Encapsulation failed: timestamp sipaddr= sipaddr dipaddr= dipaddr proto= proto vpnaction= vpnaction tunnelID= tunID rsn=rsn ICSF Return Code= return_code ICSF Reason Code = reason_code AHSPI= AHindex ESPSPI= ESPindex

Explanation

The IPSec packet cannot be encapsulated and is discarded.

In the message text:

timestamp
Indicates when the encapsulation failure occurred. This time is retrieved from the system time-of-day clock, which usually reflects coordinated universal time (UTC). This timestamp might be different than the syslogd message timestamp.
sipaddr
The source IP address.
dipaddr
The destination IP address.
proto
The protocol. Possible values are:
  • ICMP(1)
  • IGMP(2)
  • IP(4)
  • TCP(6)
  • UDP(17)
  • ICMPv6(58)
  • OSPF(89)
  • IPIP(94)
  • The protocol number
vpnaction
The vpnaction name.
  • If configured with the IBM® Configuration Assistant for z/OS® Communications Server, the vpnaction name corresponds to the name of the security level in the GUI. The vpnaction name also contains a suffix that is appended to the security level name to guarantee uniqueness.
  • If configured in the Policy Agent configuration file, the vpnaction value is one of the following:
    • If the tunnel is a manual tunnel, the vpnaction value is the name specified on the IpManVpnAction statement.
    • If the tunnel is a dynamic tunnel, the vpnaction value is the name specified on the IpDynVpnAction statement. If a tunnel is not found, the vpnaction value is N/A.
tunID
The tunnel ID. If the vpnaction value is N/A, a tunnel with matching end points and security parameter indices (spi) could not be found.
rsn
The specific reason encapsulation failed. The rsn value is one of the following:
rsn value: Explanation
    Comments

1: Encryption error
    An error occurred while trying to encrypt an outbound packet.
2: AH authentication error
    An error was encountered when trying to authenticate an outbound packet.
    This problem might also be caused by a failure in an ICSF service. If so, the specific failure is reported in the ICSF Return Code and ICSF Reason Code fields.
3: ESP authentication error
    An error was encountered when trying to authenticate an outbound packet.
    This problem might also be caused by a failure in an ICSF service. If so, the specific failure is reported in the ICSF Return Code and ICSF Reason Code fields.
4: Maximum packet exceeded
    The addition of ESP headers will cause the maximum packet size to be exceeded.
5: Lifesize exceeded
    The number of bytes in the outbound packet will cause the lifesize specification to be exceeded for the tunnel.
6: Unknown authentication algorithm
    An internal error occurred while authenticating the packet.
7: Unknown encryption algorithm
    An internal error occurred while encrypting the packet.
8: No tunnel found
    A tunnel was not found for the specified tunnel ID.
9: Sequence numbers were not obtained
    Sequence numbers could not be obtained from the coupling facility for a distributed tunnel.
10: IP header not valid
    The IP header of the packet being encapsulated does not contain the same source and destination IP address as specified in the tunnel; transport mode is in effect.
13: Storage shortage
    Storage to complete the request is not currently available. Until the storage shortage is relieved, encapsulation will fail.
24: Encryption failure in ICSF Service
    The ICSF Return Code and the ICSF Reason Code fields contain the return and reason codes that were returned from the ICSF service.
25: ICSF is not available
    Either ICSF is not active or it has not completed initialization.
26: Version mismatch
    The IP version of the packet did not match the IP version of the tunnel.
27: Encapsulation using transport mode not valid for routed traffic
    Encapsulation using transport mode was requested but the packet that is being processed is a routed packet. This is most likely the result of a policy definition error.
    For manual tunnels, this might occur if routed traffic matches a filter rule referencing an IpManVpnAction statement that specified the transport method HowToEncap. For IPv6, this might occur if a routing header contains an intermediate hop that routed the packet back through the packet's originating system. The tunnel endpoints matched the packet; however, the packet has been routed to this system.
28: Sequence number wrapped
    The sequence number has wrapped, which indicates that the tunnel has expired. The tunnel will be deleted.
return_code
The return code value, in hexadecimal format, returned from the ICSF service.
reason_code
The reason code value, in hexadecimal format, returned from the ICSF service.
AHindex
The AH security parameter index. If the failure occurred before the AH SPI was known, then n/a is displayed.
ESPindex
The ESP security parameter index. If the failure occurred before the ESP SPI was known, then n/a is displayed.

System action

The packet is discarded and TCP/IP processing continues.

Operator response

Contact the system programmer.

System programmer response

The response is based on the rsn value, as shown in the following table.
rsn value
    System programmer response

1, 2, 3
    If the problem is transient, no action is required. For manual tunnels, verify that the security parameters and encryption keys on the IpManVpnAction statement are correctly defined. When configured with the IBM Configuration Assistant for z/OS Communications Server, the IpManVpnAction name corresponds to the name of the security level in the GUI. The IpManVpnAction name also contains a suffix that is appended to the security level name to guarantee uniqueness. For more details about the IpManVpnAction statement, see the information about Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference. Otherwise, ensure that the tunnel is defined correctly on the sending and receiving systems. Use the ipsec command to display filter and tunnel information. See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec command in a z/OS UNIX shell to obtain information about the ipsec command syntax and options.
    If the problem was due to an ICSF failure, then see the information about the ICSF and TSS Return and Reason Codes in z/OS Cryptographic Services ICSF Application Programmer's Guide for the specific actions to be taken.
4
    Contact the IBM Software Support Center.
5, 28
    If the problem is transient, no action is required. Otherwise, ensure that the tunnel is defined and activated correctly on the sending and receiving systems. Use the ipsec command to display filter and tunnel information. The ipsec command can also be used to refresh or activate a tunnel. See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec command in a z/OS UNIX shell to obtain information about the ipsec command syntax and options.
6, 7, 8
    Contact the IBM Software Support Center.
9
    If the problem is transient, no action is required. Verify that z/OS VTAM® is active and that the Coupling Facility is available and connected.
10
    Contact the IBM Software Support Center.
13
    Determine the cause of the storage shortage.
24
    See the information about the ICSF and TSS Return and Reason Codes in z/OS Cryptographic Services ICSF Application Programmer's Guide for the specific actions to be taken.
25
    Start ICSF if it is not active.
26
    Contact the IBM Software Support Center.
27
    Ensure that the IPSec policy is defined correctly. Ensure that the filter rules for routed traffic do not reference VPN actions that request transport mode. Use the ipsec command to display filter and tunnel information. See the information about managing network security in z/OS Communications Server: IP System Administrator's Commands or issue the man ipsec command in a z/OS UNIX shell to obtain information about the ipsec command syntax.
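As an added example that is not part of this message reference, the following Python parses EZD0834I lines from syslogd into the fields documented above, maps each rsn value to its explanation and to the response class from the two tables (contact IBM, or consult the ICSF codes), and counts repeats per vpnaction so a persistent failure can be told from a transient one. The sample lines are constructed, and the value formats of the timestamp, proto, tunnel ID and SPI fields in them are assumptions rather than taken from this page.

```python
import re
from collections import Counter
# Field layout of EZD0834I as documented on this page; value formats (timestamp,
# proto, tunnel ID, SPI) are assumed for this example, not taken from the page.
EZD0834I_RE = re.compile(
    r"EZD0834I\s+Encapsulation failed:\s+(?P<timestamp>\S+)\s+sipaddr=\s*(?P<sipaddr>\S+)"
    r"\s+dipaddr=\s*(?P<dipaddr>\S+)\s+proto=\s*(?P<proto>\S+)\s+vpnaction=\s*(?P<vpnaction>\S+)"
    r"\s+tunnelID=\s*(?P<tunID>\S+)\s+rsn=\s*(?P<rsn>\d+)\s+ICSF Return Code=\s*(?P<return_code>\S+)"
    r"\s+ICSF Reason Code\s*=\s*(?P<reason_code>\S+)\s+AHSPI=\s*(?P<AHindex>\S+)\s+ESPSPI=\s*(?P<ESPindex>\S+)"
)
# rsn -> explanation, copied from the rsn table above.
RSN_EXPLANATION = {
    1: "Encryption error", 2: "AH authentication error", 3: "ESP authentication error",
    4: "Maximum packet exceeded", 5: "Lifesize exceeded", 6: "Unknown authentication algorithm",
    7: "Unknown encryption algorithm", 8: "No tunnel found", 9: "Sequence numbers were not obtained",
    10: "IP header not valid", 13: "Storage shortage", 24: "Encryption failure in ICSF Service",
    25: "ICSF is not available", 26: "Version mismatch",
    27: "Encapsulation using transport mode not valid for routed traffic", 28: "Sequence number wrapped",
}
CONTACT_IBM = {4, 6, 7, 8, 10, 26}   # response is "Contact the IBM Software Support Center"
ICSF_RELEVANT = {1, 2, 3, 24}        # ICSF Return/Reason Code fields carry the specific failure

def parse_ezd0834i(line):
    """Return the message fields as a dict, or None if the line is not EZD0834I."""
    m = EZD0834I_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["rsn"] = int(f["rsn"])
    f["explanation"] = RSN_EXPLANATION.get(f["rsn"], "Unknown rsn")
    f["contact_ibm"] = f["rsn"] in CONTACT_IBM
    f["icsf_relevant"] = f["rsn"] in ICSF_RELEVANT
    return f

def triage(lines):
    """Count failures per (vpnaction, rsn): a repeating pair is not a transient error."""
    counts = Counter()
    for line in lines:
        f = parse_ezd0834i(line)
        if f is not None:
            counts[(f["vpnaction"], f["rsn"])] += 1
    return counts

# Constructed sample syslogd lines (not real captured output).
SAMPLE = [
    "EZD0834I Encapsulation failed: 2024/01/15-10:02:31 sipaddr= 10.1.1.5 dipaddr= 10.2.2.7 proto= TCP(6) vpnaction= Gold~1 tunnelID= Y2 rsn=3 ICSF Return Code= 00000008 ICSF Reason Code = 00002AF8 AHSPI= n/a ESPSPI= 3A2B1C0D",
    "EZD0834I Encapsulation failed: 2024/01/15-10:02:32 sipaddr= 10.1.1.5 dipaddr= 10.2.2.7 proto= TCP(6) vpnaction= Gold~1 tunnelID= Y2 rsn=3 ICSF Return Code= 00000008 ICSF Reason Code = 00002AF8 AHSPI= n/a ESPSPI= 3A2B1C0D",
    "EZD0834I Encapsulation failed: 2024/01/15-10:05:00 sipaddr= 10.1.1.9 dipaddr= 10.3.3.1 proto= UDP(17) vpnaction= N/A tunnelID= 0 rsn=8 ICSF Return Code= 0 ICSF Reason Code = 0 AHSPI= n/a ESPSPI= n/a",
]
```

Running `triage(SAMPLE)` shows the Gold~1/rsn 3 pair twice, which is the signal to check the tunnel definition and the ICSF codes rather than treat it as transient.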

User response

Not applicable.

Problem determination

Not applicable.

Module

EZATRMD