Resource constraint problems

This topic describes problems that can occur when the IKE daemon experiences shortages of certain system resources. The following table lists system resources that can become constrained when large numbers of remote IKE peers simultaneously attempt to negotiate IPSec tunnels with z/OS®. For each resource, instructions are also provided for alleviating the constraints.

Table 1. Resource constraint problems

Problem: Maximum number of messages on system message queue exceeded
Symptom: Message EZD0970I was issued, which indicates that the C/C++ runtime library function msgsnd() failed with the following error information: 021D - 112 | 070B031C | EDC5112I Resource temporarily unavailable.
Cause/response: The IKE daemon uses system message queues to internally route work between different threads. In this case, one of these queues reached its maximum capacity as defined by the IPCMSGQMNUM parameter of the SETOMVS command. This situation occurs when thousands of IKE peers simultaneously attempt to negotiate new or refresh existing security associations with z/OS. To resolve the problem, use the SETOMVS command with the IPCMSGQMNUM parameter to specify a higher message queue capacity.

Problem: IKED memory limits exceeded
Symptom: Message EZD0963I was issued multiple times, which indicates that the IKE daemon cannot allocate memory.
Cause/response: This situation occurs when thousands of IKE peers simultaneously attempt to negotiate new or refresh existing security associations with z/OS. To resolve the problem, increase the amount of virtual storage available to the IKE daemon. For instructions on how to ensure that the IKE daemon's user ID has enough system resources, see Step 2: Ensure the IKE daemon's user ID has enough system resources in z/OS Communications Server: IP Configuration Guide.

Problem: UDP queue limits for IKE port exceeded
Symptom:
  • An unusually high percentage of receive errors is displayed in the UDP statistics section of the NETSTAT STATS/-S report.
  • In some cases, when no UDPQUEUELIMIT is specified in the TCPIP profile, you might also see message IST2273E.
Cause/response: The IKE daemon communicates by using UDP ports 500 and 4500. If UDP traffic to one of these ports overruns the capacity of the UDP queue in the TCP/IP stack, you might encounter one or both of the listed symptoms. The capacity of the UDP queue is defined by the UDPQUEUELIMIT parameter of the UDPCONFIG statement in the TCPIP profile data set. While the queue is constrained, the TCP/IP stack discards inbound UDP packets in a randomized way until the condition is relieved. This situation occurs when thousands of IKE peers simultaneously attempt to negotiate new or refresh existing security associations with z/OS. To resolve the problem, enable Intrusion Detection Services (IDS) for the stack and define a UDP Traffic Regulation rule for the IKE daemon's UDP ports with the VERY_LONG queue size. For more information about IDS and UDP Traffic Regulation, see Traffic regulation policies in z/OS Communications Server: IP Configuration Guide.
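The three symptoms in Table 1 can be picked out of a syslog feed automatically. The following is an added example, not part of the IBM documentation: it scans constructed sample log lines for the message IDs named in the table, treats a lone EZD0963I as noise (the table calls the symptom "issued multiple times") and maps each constraint it finds to the table's recommended response. The line layout, job names and message text after the IDs are assumptions for the sample only.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog excerpt (not real z/OS output). Only the message
# IDs (EZD0970I, EZD0963I, IST2273E) and the EDC5112I detail come from the
# table above; timestamps, job names and trailing text are made up.
SAMPLE_LOG = """\
2024-05-01 09:00:01 IKED  EZD0963I cannot allocate memory
2024-05-01 09:00:02 IKED  EZD0963I cannot allocate memory
2024-05-01 09:00:03 IKED  EZD0963I cannot allocate memory
2024-05-01 09:00:04 IKED  EZD0970I msgsnd() failed 021D - 112 | 070B031C | EDC5112I Resource temporarily unavailable.
2024-05-01 09:00:05 TCPIP IST2273E (constructed UDP queue limit message)
"""
# A lone EZD0963I is not the symptom; the table says "issued multiple times".
SINGLE_MEMORY_LOG = "2024-05-01 10:00:00 IKED  EZD0963I cannot allocate memory\n"

LINE_RE = re.compile(r"^(\S+ \S+)\s+\S+\s+([A-Z]{3}\d{4}[A-Z])\s*(.*)$")
MEMORY_REPEATS = 3                    # EZD0963I count that means "multiple times"
MEMORY_WINDOW = timedelta(minutes=5)  # ...within this span

RESPONSES = {
    "message_queue": "raise IPCMSGQMNUM with SETOMVS",
    "memory": "increase virtual storage available to the IKE daemon",
    "udp_queue": "define an IDS UDP Traffic Regulation rule (VERY_LONG) for UDP 500/4500",
}

def triage(log_text):
    """Return {constrained resource: recommended response} for Table 1 symptoms."""
    found = set()
    memory_hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msgid, detail = m.groups()
        if msgid == "EZD0970I" and "EDC5112I" in detail:
            found.add("message_queue")   # msgsnd() hit the IPCMSGQMNUM ceiling
        elif msgid == "EZD0963I":
            memory_hits.append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
        elif msgid == "IST2273E":
            found.add("udp_queue")       # stack is discarding inbound UDP
    # Require a burst: MEMORY_REPEATS occurrences inside MEMORY_WINDOW.
    memory_hits.sort()
    for i in range(len(memory_hits) - MEMORY_REPEATS + 1):
        if memory_hits[i + MEMORY_REPEATS - 1] - memory_hits[i] <= MEMORY_WINDOW:
            found.add("memory")
            break
    return {k: RESPONSES[k] for k in sorted(found)}
```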