APAR status
Closed as fixed if next.
Error description
When IPSECURITY is coded for IPCONFIG, inbound packets to UDP port 4500 are treated as the UDP-encapsulated ESP packets used for NAT-T, even though no IPSEC tunnels are defined. The inbound packet is discarded when IP tries to find an associated tunnel definition, because there are no tunnels defined. This problem can be seen when the Resolver sends queries to the DNS using ephemeral UDP source ports. Queries sent on port 4499 work, and queries sent on port 4501 work. The query with port 4500 is sent outbound, and when the reply comes back it is discarded as described earlier. If TRMD is running, it will display the following message:

EZD0811I Decapsulation failed: 03/13/2006 04:57:32.54 sipaddr= xx.xx.xx.xx dipaddr= yy.yy.yy.yy proto= udp(17) vpnaction= N/A tunnelID= N/A AHSPI= 0 ESPSPI= 1490978176 rsn= 9

Reason 9 indicates that there is no tunnel defined.
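A triage aid for the EZD0811I message quoted above, added here as an example and not part of the APAR or of IBM's code. With UDP-encapsulated ESP (RFC 3948) the first four bytes after the UDP header are the ESP SPI, so the sketch re-reads the reported ESPSPI as the first four bytes of a DNS message; it assumes the stack took the value from that position, and the function names and the DNS-shape heuristic are hypothetical.

```python
import re
import struct

# Message text as quoted in the APAR (addresses are masked on the page).
SAMPLE = ("EZD0811I Decapsulation failed: 03/13/2006 04:57:32.54 "
          "sipaddr= xx.xx.xx.xx dipaddr= yy.yy.yy.yy proto= udp(17) "
          "vpnaction= N/A tunnelID= N/A AHSPI= 0 ESPSPI= 1490978176 rsn= 9")

FIELD_RE = re.compile(r"(\w+)=\s*(\S+)")

def parse_ezd0811i(line):
    """Return the 'keyword= value' pairs of an EZD0811I message as a dict."""
    if "EZD0811I" not in line:
        return None
    return dict(FIELD_RE.findall(line))

def spi_as_dns_header(spi):
    """Reinterpret a 32-bit 'SPI' as DNS transaction ID plus flags word."""
    txid, flags = struct.unpack("!HH", struct.pack("!I", spi))
    return {
        "txid": txid,
        "qr": flags >> 15,              # 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "z": (flags >> 6) & 1,          # reserved bit, must be zero
        "rcode": flags & 0xF,
    }

def looks_like_dns_reply(line):
    """True when a reason-9 UDP discard carries an 'SPI' shaped like a DNS reply."""
    f = parse_ezd0811i(line)
    if not f or f.get("rsn") != "9" or not f.get("proto", "").startswith("udp"):
        return False
    h = spi_as_dns_header(int(f["ESPSPI"]))
    # Heuristic (assumption): response bit set, standard opcode,
    # reserved bit clear, rcode within the RFC 1035 range 0-5.
    return h["qr"] == 1 and h["opcode"] == 0 and h["z"] == 0 and h["rcode"] <= 5

if __name__ == "__main__":
    fields = parse_ezd0811i(SAMPLE)
    print(spi_as_dns_header(int(fields["ESPSPI"])))
    print("likely misclassified DNS reply:", looks_like_dns_reply(SAMPLE))
```

For the quoted message, 1490978176 is 0x58DE8580: transaction ID 0x58DE followed by flags 0x8580 (response, AA, RD, RA, rcode 0), which is the shape of an ordinary DNS answer rather than a negotiated SPI.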
Local fix
Reserve UDP port 4500 (and UDP port 500) in the TCPIP PROFILE so that it is not used as an ephemeral port.
Problem summary
****************************************************************
* USERS AFFECTED: All users of the Communications Server for   *
*                 z/OS Version 1 Release 7 IP: IPSECURITY      *
****************************************************************
* PROBLEM DESCRIPTION: Inbound UDP packets to port 4500        *
*                      discarded improperly.                   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

Inbound UDP packets destined to port 4500 are treated as encapsulated packets when IPSECURITY is coded on the IPCONFIG statement. Inbound UDP packets to port 4500 are discarded due to "decapsulation failure". This issue can be avoided if UDP ports 4500 and 500 are reserved in the TCPIP profile, removing them from the ephemeral pool.

+-------------------------------------------------------------+
+ Please check our Communications Server for OS/390 homepages +
+ for common networking tips and fixes. The URL for these     +
+ homepages can be found in Informational APAR II11334.       +
+-------------------------------------------------------------+
Problem conclusion
Temporary fix
Comments
This problem will be tracked as F137481 by Communications Server for z/390 Development.
APAR Information
APAR number
PK23095
Reported component name
TCP/IP V3 MVS
Reported component ID
5655HAL00
Reported release
170
Status
CLOSED FIN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2006-04-10
Closed date
2006-04-20
Last modified date
2006-04-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
R170 PSN
UP
Document Information
Modified date:
20 April 2006