IBM Support

PH48237: TCP CONNECTION REMAINS IN FINWAIT1 STATE WHEN USING AT-TLS OVER SMCR OR SMCD

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • TCP connect using AT-TLS over SMC-D or SMC-R remains in the
FINWAIT1 state.
The remote application issues a close() which causes the SSL
close notify alert to flow and the SMC indication the remote
socket has closed.  The close_notify alert is processed and a
close_notify alert response is sent to complete the SSL shutdown
of the secured connection.  The local application issues a
shutdown() causing a FIN to be sent and the connection to enter
the FINWAIT1 state.  The close_notify alert response is received
at the remote TCPIP stack which sends a RST in response as
normal behavior for data arriving inbound on a closed
connection.  The RST arrives inbound on the local TCPIP stack
and gets ignored as expected based on the close_notify being
sent after the peer closed.  The FINWAIT1 timer is canceled when
the RST is ignored so the FIN does not get retransmitted.  The
local application issues a close() on the socket but no TCP flow
occurs as the FIN was already sent by the shutdown().  Without
the retransmit timer to resend the FIN no further activity will
occur on the connection and it will remain in the FINWAIT1
state.

VERIFICATION STEPS:
1) Dump TCPIP with the connection remaining in the FINWAIT1
state.
2) Locate the connection and verify it was using SMC.
3) Verify the RST was ignored, IFR51:RstIgnore.

The SYSTCPIP component trace with the TCP option and filtered on
the application jobname will show the sequence of events leading
to the retransmit timer being cancelled.

Local fix

  • RECOVERY ACTION:
Netstat drop  can be used to get rid of the sessions in FINWAIT1
State

Problem summary

  • ****************************************************************
* USERS AFFECTED:                                              *
* All users of the IBM Communications Server for z/OS Version  *
* 2 Release 5 IP:  ATTLS and SMC                               *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* TCP connect using AT-TLS over SMC-D or SMC-R remains in the  *
* FINWAIT1 state. The remote application issues a close()      *
* which causes the SSL close notify alert to flow and the SMC  *
* indication the remote socket has closed. The close_notify    *
* alert is processed and a close_notify alert response is sent *
* to complete the SSL shutdown of the secured connection.  The *
* local application issues a shutdown() causing a FIN to be    *
* sent and the connection to enter the FINWAIT1 state.  The    *
* close_notify alert response is received at the remote TCPIP  *
* stack which sends a RST in response as normal behavior for   *
* data arriving inbound on a closed connection. The RST        *
* arrives inbound on the local TCPIP stack and gets ignored as *
* expected based on the close_notify being sent after the peer *
* closed.  The FINWAIT1 timer is canceled when the RST is      *
* ignored so the FIN does not get retransmitted. The local     *
* application issues a close() on the socket but no TCP flow   *
* occurs as the FIN was already sent by the shutdown().        *
* Without the retransmit timer to resend the FIN no further    *
* activity will occur on the connection and it will remain in  *
* the FINWAIT1 state.                                          *
****************************************************************
* RECOMMENDATION:                                              *
* Apply the PTF                                                *
****************************************************************

Problem conclusion

  • Client side SMC code was changed to process a ttls alert if it
is on the inbound queue when there are no normal messages to
read. Server side code was changed to close the connection when
a RST has been ignored.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH48237
    • 

  • Reported component name
    TCP/IP MVS
    • 

  • Reported component ID
    5655HAL00
    • 

  • Reported release
    250
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2022-07-26
    • 

  • Closed date
    2022-08-08
    • 

  • Last modified date
    2022-10-03
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    
PH41628
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UI81857
    

    • 



Modules/Macros


    

  • EZBTCSTR EZBTCFRD

    



Fix information


    

  • Fixed component name
    TCP/IP MVS
    • 

  • Fixed component ID
    5655HAL00
    • 



Applicable component levels


    

  • R250  PSY  UI81857
       UP22/09/10  P  F209
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSSN3L","label":"z\/OS Communications Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"250","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            03 October 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback