IBM Support

PH03789: EZD0833I PACKET DENIED TUNNEL MISMATCH WRONG IPSEC FILTER DELETED

A fix is available

APAR status

  • Closed as program error.

Error description

  • There are cases where an incorrect dynamic filter is deleted
    when a SWSA tunnel and its shadows are deleted. This can occur
    if the SWSA tunnel has the same SaID Yxx identification as an
    existing active tunnel protecting different traffic. One of the
    most common scenarios involves a SWSA tunnel being deleted due
    to VPNLIFE expiring while other active tunnels are using the
    same SaID as the deleted SWSA tunnel.
    
    Verification steps:
    
    1) SWSA tunnel add failure, producing:
    
    EZD1726I SWSA shadow tunnel installation failed: 10/03/2018
    10:11:29.78 vpnaction= VPN_AES-256 tunnelID= Yxxx AHSPI= 0
    ESPSPI= xxxxxxxxx reason= 2 reason code= 1008
    
    The following XCF systcpip ctrace exception record will also be
    cut:
    
    !Tgt Filter Add Fail with retcode x3F0 (1008)
    
    
    2) Tunnel mismatch failures
    
    EZD0833I Packet denied, tunnel mismatch:
    
    Note that the EZD0833I message is only logged if DENY filter
    logging is enabled in the IPSEC policy.
    
    The message below is an example of the case where the dynamic
    filter has been deleted. The decap_tunnelID indicates that the
    packet was decapsulated by an existing tunnel, but tunnelID= N/A
    indicates that the matching rule is not a dynamic filter.
    
    EZD0833I Packet denied, tunnel mismatch: 10/02/2018 15:31:25.74
    filter rule= xxxxx ext= 2 sipaddr= x.x.x.x dipaddr= y.y.y.y
    proto= tcp(6) sport= 1234 dport= 5678 -=
    Interface= x.x.x.x (I) dest= local len= xx tunnelID= N/A
    decap_tunnelID= Y98 ifcname= OSAI fragment= N
    
    The message below applies only to a reset packet being sent in
    the clear when DVLOCALFLTR is enabled, which produces the
    following EZD0833I message:
    
    EZD0833I Packet denied, tunnel mismatch: 09/25/2018 15:46:26.56
    filter rule= xxxxxxx ext= 2 sipaddr= x.x.x.x dipaddr=
    y.y.y.y proto= tcp(6) sport= 62514 dport= 35981 -=
    Interface= i.i.i.i (I) dest= local len= 40
    tunnelID= Y233 decap_tunnelID= N/A ifcname= OSA fragment= N
    
    The key is decap_tunnelID= N/A, which indicates that the packet
    arrived unencrypted, together with len= 40, which is the IP
    packet length of a RESET packet.
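    As an added example (not part of the APAR text), the following
    Python triage helper parses EZD0833I messages from syslog text
    and sorts them into the two symptoms described above: a packet
    decapsulated by an existing tunnel but matched by a non-dynamic
    rule (dynamic filter deleted), and a 40-byte TCP packet that
    arrived in the clear (reset sent unencrypted). The sample
    messages, rule names, addresses and tunnel IDs are constructed,
    and the parser assumes each message begins on a line starting
    with the message ID.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the two EZD0833I messages quoted in the APAR;
# rule names, addresses and tunnel IDs are placeholders, not real data.
SAMPLE_SYSLOG = """\
EZD0833I Packet denied, tunnel mismatch: 10/02/2018 15:31:25.74
filter rule= DYN_RULE_A ext= 2 sipaddr= 10.1.1.5 dipaddr= 10.2.2.9
proto= tcp(6) sport= 1234 dport= 5678 -=
Interface= 10.1.1.1 (I) dest= local len= 60 tunnelID= N/A
decap_tunnelID= Y98 ifcname= OSAI fragment= N
EZD0833I Packet denied, tunnel mismatch: 09/25/2018 15:46:26.56
filter rule= DYN_RULE_B ext= 2 sipaddr= 10.3.3.7 dipaddr=
10.4.4.2 proto= tcp(6) sport= 62514 dport= 35981 -=
Interface= 10.3.3.1 (I) dest= local len= 40
tunnelID= Y233 decap_tunnelID= N/A ifcname= OSA fragment= N
"""
_KV = re.compile(r"(\w+)=\s*(\S+)")  # 'key= value'; the stray '-=' has no word key
_TS = re.compile(r"mismatch:\s+(\S+\s+\S+)")  # 'mm/dd/yyyy hh:mm:ss.hh'

def _fields(joined: str) -> Dict[str, str]:
    """Extract the key= value pairs and the timestamp from one joined message."""
    joined = joined.replace("filter rule=", "filter_rule=")  # the one two-word key
    fields = dict(_KV.findall(joined))
    ts = _TS.search(joined)
    fields["timestamp"] = ts.group(1) if ts else ""
    return fields

def parse_ezd0833i(text: str) -> List[Dict[str, str]]:
    """One field dict per message; assumes each begins on a line starting with the ID."""
    messages, buf = [], []
    for line in text.splitlines() + ["EZD0833I"]:  # sentinel flushes the last one
        if line.startswith("EZD0833I"):
            if buf:
                messages.append(_fields(" ".join(buf)))
            buf = [line]
        elif buf:  # continuation line of the current message
            buf.append(line)
    return messages

def classify(msg: Dict[str, str]) -> str:
    """Map a parsed message onto the two symptoms the APAR describes."""
    tunnel, decap = msg.get("tunnelID", ""), msg.get("decap_tunnelID", "")
    # Decapsulated by an existing tunnel but matched by a non-dynamic rule: filter deleted.
    if tunnel == "N/A" and decap.startswith("Y"):
        return "DYNAMIC_FILTER_DELETED"
    # Arrived unencrypted and is a 40-byte TCP packet: a RESET sent in the clear.
    if decap == "N/A" and msg.get("proto", "").startswith("tcp") and msg.get("len") == "40":
        return "TCP_RESET_IN_CLEAR"
    return "OTHER"
```

    Run over real syslog output, the two categories separate the
    deleted-filter symptom from the DVLOCALFLTR reset symptom so
    each can be matched against the corresponding fix text above.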
    

Local fix

  • code VPNLIFE = 0 for the SWSA Phase2 / ChildSa SAs
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All users of the IBM Communications Server for z/OS Version  *
    * 2 Releases 2 and 3: IPsec                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * When an IPsec tunnel is deleted, the wrong inbound and       *
    * outbound dynamic filters can be deleted.                     *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply PTF                                                    *
    ****************************************************************
    When there is more than one dynamic filter with the same tunnel
    ID number (e.g. Y111) under the same configured anchor filter, a
    delete operation deletes the first dynamic filter in the chain.
    This can result in the deletion of the wrong dynamic filter.
    A secondary problem addressed by this APAR is that a TCP reset
    message can be incorrectly sent in the clear when the client and
    server IP addresses are on the same stack and the target is on a
    different stack. IP filtering was being bypassed for the TCP
    reset message in limited cases.
    The V2R2 APAR addresses an additional problem where the TCP/IP
    stack abends with EZAPQMSG(HIP6220 15.077)+0008C2 S0C4/00000038.
    

Problem conclusion

  • The code was amended to add additional checking when determining
    the dynamic filter to be deleted.
    The code was also amended to ensure that IP filtering is done
    for a TCP reset message when the DVLOCALFLTR function is enabled
    and the client and server IP addresses are on the same stack.
    The V2R2 code was amended to set the interface pointer,
    preventing the S0C4 abend.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH03789

  • Reported component name

    TCP/IP MVS

  • Reported component ID

    5655HAL00

  • Reported release

    220

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-10-08

  • Closed date

    2018-10-31

  • Last modified date

    2018-12-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI59443 UI59444

Modules/Macros

  • EZBISADD EZBTCRDG EZBCTFME EZBISDEL EZBXFSWS EZBIPOUT
    

Fix information

  • Fixed component name

    TCP/IP MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R230 PSY UI59444

       UP18/11/28 P F811

  • R220 PSY UI59443

       UP18/11/28 P F811

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
12 December 2018