A fix is available
APAR status
Closed as program error.
Error description
Existing IKEv2 VPNs continue to rekey based on the IPSec policy RefreshLifetime settings on each peer. This continues until the IKE daemon finds that the certificate used when creating the IKE_SA (phase 1) IKEv2 SA is reaching its expiration date/time. IKED will trim the rekey time until it eventually reaches a 600 second expiration time. If IKE SyslogLevel 4 (DEBUGSA) is set, the following message will be seen in the IKE debug syslogd output file when this occurs; the affected SA is identified in the SA context information written just prior to the message:

IKE DEBUGSA : Security association lifetime trimmed from xxxx to 600 due to digital certificate expiration

The problem also involves simultaneous rekeying by the peers, so the following messages will also be seen for the same IKE_SA SAid (K# and generation):

EZD1796I Simultaneous rekeying of IKE version 2.0 security association xx for tunnel Kx detected
EZD1791I IKE version 2.0 security association xx for tunnel Kx will not be rekeyed
EZD1756I The request for INFORMATIONAL exchange with message ID 0 from x.x.x.x port 500 to y.y.y.y port 500 will not be processed because the IKE SA initial exchanges are not complete
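The messages above are the only externally visible symptom of an IKE_SA stuck in this state, so the practical check is to correlate them per SA id and tunnel in the IKE syslogd output. The following script is an added example written for this page, not IBM code: it scans a syslogd capture for the four message texts quoted in the APAR and flags an IKE_SA for which both the "simultaneous rekeying" (EZD1796I) and "will not be rekeyed" (EZD1791I) messages appear with the same SA id and tunnel, and separately notes whether a lifetime was trimmed to 600 seconds (the certificate-expiry signature). The sample log lines, IP addresses, SA ids and lifetimes are constructed to match the message formats shown on the page; real lines carry a syslogd timestamp and prefix, which the search-based matching tolerates.

```python
import re
from dataclasses import dataclass, field

# Patterns built from the message texts quoted in APAR PH00771.
TRIM_RE = re.compile(
    r"Security association lifetime trimmed from (\d+) to (\d+) "
    r"due to digital certificate expiration")
SIMUL_RE = re.compile(
    r"EZD1796I Simultaneous rekeying of IKE version 2\.0 security association "
    r"(\d+) for tunnel (K\d+) detected")
NOREKEY_RE = re.compile(
    r"EZD1791I IKE version 2\.0 security association (\d+) for tunnel (K\d+) "
    r"will not be rekeyed")
INFO_RE = re.compile(
    r"EZD1756I .*message ID 0 from (\S+) port \d+ to (\S+) port \d+ "
    r"will not be processed because the IKE SA initial exchanges are not complete")

# Constructed sample syslogd output (illustrative values, not a real capture).
SAMPLE_SYSLOG = """\
IKE DEBUGSA : Security association lifetime trimmed from 28800 to 600 due to digital certificate expiration
EZD1796I Simultaneous rekeying of IKE version 2.0 security association 17 for tunnel K3 detected
EZD1791I IKE version 2.0 security association 17 for tunnel K3 will not be rekeyed
EZD1756I The request for INFORMATIONAL exchange with message ID 0 from 192.0.2.10 port 500 to 198.51.100.20 port 500 will not be processed because the IKE SA initial exchanges are not complete
EZD1796I Simultaneous rekeying of IKE version 2.0 security association 22 for tunnel K5 detected
"""


@dataclass
class Findings:
    trimmed: list = field(default_factory=list)           # (from_secs, to_secs)
    simultaneous: set = field(default_factory=set)        # (sa_id, tunnel)
    not_rekeyed: set = field(default_factory=set)         # (sa_id, tunnel)
    unprocessed_info: list = field(default_factory=list)  # (src_ip, dst_ip)

    @property
    def suspect_sas(self):
        """SAs showing the APAR pattern: simultaneous rekey detected AND the
        rekey abandoned, for the same SA id and tunnel."""
        return sorted(self.simultaneous & self.not_rekeyed)

    @property
    def cert_expiry_trim(self):
        """True if IKED reported trimming a lifetime down to the 600s floor."""
        return any(to_secs == 600 for _, to_secs in self.trimmed)


def analyze(text):
    """Collect the relevant IKED messages from a block of syslogd text."""
    f = Findings()
    for line in text.splitlines():
        if m := TRIM_RE.search(line):
            f.trimmed.append((int(m.group(1)), int(m.group(2))))
        elif m := SIMUL_RE.search(line):
            f.simultaneous.add((m.group(1), m.group(2)))
        elif m := NOREKEY_RE.search(line):
            f.not_rekeyed.add((m.group(1), m.group(2)))
        elif m := INFO_RE.search(line):
            f.unprocessed_info.append((m.group(1), m.group(2)))
    return f


def report(text):
    """Return human-readable findings, one string per observation."""
    f = analyze(text)
    out = []
    for sa_id, tunnel in f.suspect_sas:
        out.append(f"possible hung IKE_SA: SA {sa_id} tunnel {tunnel} "
                   "(simultaneous rekey detected, rekey abandoned)")
    if f.cert_expiry_trim:
        out.append("lifetime trimmed to 600s: check certificate expiry on the NSSD keyring")
    if f.unprocessed_info:
        out.append(f"{len(f.unprocessed_info)} INFORMATIONAL exchange(s) rejected: "
                   "peer reports IKE SA initial exchanges not complete")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_SYSLOG):
        print(line)
```

SA 22 on tunnel K5 in the sample is not reported, because only EZD1796I was seen for it; a simultaneous-rekey detection alone is a normal, self-resolving IKEv2 condition. The trimmed-lifetime line is reported on its own, since it shows up before the rekey collision and is the earliest warning that a certificate replacement is due.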
Local fix
A recycle of IKED will cause the hung IKE_SA to be deleted. This then allows new on-demand tunnels to be created successfully, as long as a new/current certificate has been installed on the NSSD keyring to replace the one that expired.
Problem summary
USERS AFFECTED: All users of the IBM Communications Server for z/OS Version 2 Releases 2 and 3: IKED
PROBLEM DESCRIPTION: When both security endpoints of an IKEv2 IKE_SA use a certificate that expires at the same time, a window exists where both endpoints can end up with an IKE SA in a permanent WAIT KE state when the certificate expires. If this occurs, no new SAs can be created between the two endpoints.
RECOMMENDATION: Apply PTF
Problem conclusion
The code was amended to prevent IKE SAs remaining in a permanent WAIT KE state when both security endpoint certificates expire at the same time.
Temporary fix
Comments
APAR Information
APAR number
PH00771
Reported component name
TCP/IP MVS
Reported component ID
5655HAL00
Reported release
220
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-07-20
Closed date
2018-09-25
Last modified date
2018-12-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI58712 UI58713
Modules/Macros
EZAI2CIS EZAISLOG EZAI2CSE EZAIKFIN EZAI2ISA EZANMVSC
Fix information
Fixed component name
TCP/IP MVS
Fixed component ID
5655HAL00
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
12 December 2018