Steps for diagnosing IP security problems

Diagnose IP security problems.

Procedure

Perform the following steps:

  1. Issue pasearch -v a to see all IP security policies that are active in Policy Agent. See z/OS Communications Server: IP System Administrator's Commands for more information about the pasearch -v a command. If you are running multiple stacks, ensure that pasearch is reporting on the stack you are interested in. See Diagnosing Policy Agent problems if you do not see the IP security policies that you expected.
    Tips:
    • IP security policies that are active in the Policy Agent might not be active in the stack. Issue ipsec -f display and locate the Source field to determine the source of the policy that is active in the stack. If the Source field indicates Stack Policy, then the policy that is active in the Policy Agent corresponds to the policy that is active in the stack.
    • Defensive filters are not defined in the Policy Agent configuration file, so defensive filters are not displayed by pasearch.
  2. Issue ipsec -f display to see how the stack mapped your IpFilterPolicy statement. See z/OS Communications Server: IP System Administrator's Commands for more information about the ipsec -f command. If you are running multiple stacks, ensure that your resolver configuration correctly identifies the stack you are interested in. Ensure that your IP security policies are correctly defined. See the IP security information in z/OS Communications Server: IP Configuration Guide.
    Tip: When the ipsec -f display command is issued with a scope of -c current, any defensive filters installed in the stack are displayed along with IP security filters.
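
The Source field check from the tip in step 1 can be scripted. The following is an added example, not part of the IBM documentation. It assumes the report header carries a line of the form "Source:   value    Scope: ..." with fields separated by two or more blanks; the function names and both sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the Source field of an `ipsec -f display` report.
# Assumption: the header has a line "Source:   <value>    <next field> ..."
# whose fields are separated by two or more blanks.
# Typical use on the system under diagnosis:
#   ipsec -f display | stack_uses_agent_policy

# Constructed sample headers (not captured from a real system).
SAMPLE_POLICY='Primary:  Filter          Function: Display            Format:   Detail
Source:   Stack Policy    Scope:    Current            TotAvail: 2'
SAMPLE_OTHER='Primary:  Filter          Function: Display            Format:   Detail
Source:   Stack Profile   Scope:    Current            TotAvail: 2'

# Print the value of the Source field from a report read on stdin.
policy_source() {
    awk '
        /^Source:/ {
            sub(/^Source:[ \t]*/, "")     # drop the label
            sub(/[ \t][ \t]+.*$/, "")     # drop the fields that follow
            sub(/[ \t]+$/, "")            # drop trailing blanks
            print
            exit
        }'
}

# Exit status: 0 = Source is Stack Policy, 1 = any other source,
# 2 = no Source field found in the input.
stack_uses_agent_policy() {
    src=$(policy_source)
    if [ -z "$src" ]; then
        echo "No Source field found; is this ipsec -f display output?" >&2
        return 2
    fi
    if [ "$src" = "Stack Policy" ]; then
        echo "Source is '$src': the Policy Agent policy shown by pasearch corresponds to the stack policy."
        return 0
    fi
    echo "Source is '$src': the policy shown by pasearch might not be the one active in the stack."
    return 1
}
```

A nonzero exit status from stack_uses_agent_policy means the pasearch output from step 1 should not be read as the stack's active filter policy without further checking.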