IBM Support

PH18468: AN OVERLAPPING TRAFFIC SITUATION HAS BEEN DETECTED


APAR status

  • Closed as fixed if next.

Error description

  • z/OSMF Health Checker flagged new rules as overlapping with
    existing rules.
    
    The new rules have more specific "remote data endpoints" and
    different "security levels" than the existing rules with which
    they overlap (according to the Health Checker).
    
    The new (more-specific) rules were moved above the existing
    (less-specific) rules, but the Health Checker still flagged them
    as overlapping.
    
    ANALYSIS:
    We have consulted with NCA, policy agent, and AT-TLS experts on
    your case. The documentation you provided on 9/27 showed that
    the NCA health check flagged IBM_ZEN_SERVER and CBP_ZEN_SERVER
    as overlapping rules, specifically because their remote data
    endpoints overlapped.
    
    
    
    IBM_ZEN_SERVER is for inbound traffic for local IP addresses
    TN3270_NDC_INT, local port portR2 from remote IP addresses
    IBM_RTP_VPN, remote port portR1.  IBM_RTP_VPN includes
    172.23.48.0/24, 172.24.0.0/24, 172.25.47.0/24 and 172.26.0.0/24.
    
    CBP_ZEN_SERVER is for inbound traffic for local IP addresses
    TN3270_NDC_INT, local port portR2 from remote IP addresses
    "All", remote port portR1.
    
    
    
    In the policy file you provided, we see that IBM_ZEN_SERVER has
    a priority of 221 and CBP_ZEN_SERVER has a priority of 219.
    That means that IBM_ZEN_SERVER will be checked first. Since it
    is a more specific rule, that is good.
    
    
    
    The health check is flagging the fact that the addresses in
    IBM_RTP_VPN overlap with a specification of "All IPv4
    addresses".
    
    However, if the behavior you want is to have traffic to
    TN3270_NDC_INT port 10801 be treated differently depending on
    the remote IP address, this is an acceptable way to configure
    that. In this case, traffic from an IBM_RTP_VPN address will be
    handled by rule IBM_ZEN_SERVER. Traffic from any other address
    will be handled by CBP_ZEN_SERVER which requires client
    authentication.
    
    
    
    Similarly, IBM_IZUSVR1_SERVER and CBP_IZUSVR1_SERVER are also
    flagged due to the overlap between remote addresses IBM_RTP_VPN
    and "All IPv4 addresses".
    
    
    
    The health check errors are false positives in your case and we
    propose taking a FIN APAR to improve that checking.
    
    KNOWN IMPACT:
    There is no impact.
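The distinction the analysis draws, between an overlap where the narrower rule is checked first and one where it would never be reached, can be checked mechanically. The following is an added example, not IBM code and not the Health Checker's logic; the function names are hypothetical, the remote port condition is left out, and portR2 is assumed to be the port 10801 mentioned above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # higher value is checked first (221 before 219 on this page)
    local: tuple       # (local address group, local port)
    remote: tuple      # remote data endpoint as IPv4 networks

def nets(*cidrs):
    return tuple(ip_network(c) for c in cidrs)

# Assumption: portR2 is taken to be the port 10801 named in the analysis.
LOCAL = ("TN3270_NDC_INT", 10801)
IBM_RTP_VPN = nets("172.23.48.0/24", "172.24.0.0/24", "172.25.47.0/24", "172.26.0.0/24")
RULES = [
    Rule("CBP_ZEN_SERVER", 219, LOCAL, nets("0.0.0.0/0")),   # remote "All"
    Rule("IBM_ZEN_SERVER", 221, LOCAL, IBM_RTP_VPN),
]

def select_rule(rules, remote_ip, local=LOCAL):
    """Name of the first rule, in descending priority, that matches the connection."""
    addr = ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.priority, reverse=True):
        if r.local == local and any(addr in n for n in r.remote):
            return r.name
    return None

def covers(outer, inner):
    """True if each network in `inner` sits inside a single network of `outer`."""
    return all(any(i.subnet_of(o) for o in outer) for i in inner)

def classify(a, b):
    """Return 'none', 'specific-first', 'shadowed' or 'partial' for a rule pair."""
    if a.local != b.local or not any(x.overlaps(y) for x in a.remote for y in b.remote):
        return "none"
    a_in_b, b_in_a = covers(b.remote, a.remote), covers(a.remote, b.remote)
    if a_in_b and b_in_a:
        return "shadowed"          # same endpoints: the lower-priority rule never matches
    if not (a_in_b or b_in_a):
        return "partial"           # neither contains the other: review by hand
    narrow, broad = (a, b) if a_in_b else (b, a)
    return "specific-first" if narrow.priority > broad.priority else "shadowed"

if __name__ == "__main__":
    print(select_rule(RULES, "172.24.0.17"), select_rule(RULES, "198.51.100.9"))
    print(classify(*RULES))
```

A "specific-first" result corresponds to the configuration described here; "shadowed" is the case worth acting on, because the narrower rule's security level would never be applied.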
    

Local fix

  • BYPASS/CIRCUMVENTION:
    The warning message, as a false positive, can be ignored.
    
    RECOVERY ACTION:
    The warning message, as a false positive, can be ignored.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All users of V2R4 IBM Configuration                          *
    * Assistant for z/OS Communications                            *
    * Server (HSMA24A) that use Network                            *
    * Configuration Assistant AT-TLS                               *
    * Health Check.                                                *
    *                                                              *
    * All users of V2R3 IBM Configuration                          *
    * Assistant for z/OS Communications                            *
    * Server (HSMA23A) that use Network                            *
    * Configuration Assistant AT-TLS                               *
    * Health Check.                                                *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * This APAR is being closed FIN (Fixed If Next) with           *
    * concurrence from the submitting customer. This means that a  *
    * fix to this APAR is expected to be delivered from IBM in a   *
    * release (if any)                                             *
    * to be available within the next 36 months.                   *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Verify that overlapping rules are acceptable for your        *
    * configuration.                                               *
    ****************************************************************
    

Problem conclusion

Temporary fix

Comments

  • This APAR is being closed FIN (Fixed If Next) with concurrence
    from the submitting customer. This means that a fix to this APAR
    is expected to be delivered from IBM in a release (if any)
    to be available within the next 36 months.
    

APAR Information

  • APAR number

    PH18468

  • Reported component name

    Z/MF CONFIG ASS

  • Reported component ID

    5655S28CA

  • Reported release

    23A

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-10-25

  • Closed date

    2019-10-29

  • Last modified date

    2019-10-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
29 October 2019