Question & Answer
Question
When attempting to activate a Phase 1 security association, we get the following message:
EZD0917I Could not find applicable KeyExchangeRule - LocalIp : LSIP
RemoteIp : RSIP LocalID : LSID RemoteID : RSID
How do we avoid this message?
Answer
EZD0917I is displayed to show why the attempt to activate the Phase 1 security association failed. In this case, it failed because the Internet Key Exchange (IKE) daemon could not find an applicable KeyExchangeRule statement for the specified classification. The classification is a 4-tuple made up of:
LocalSecurityEndpoint Location (LSIP)
LocalSecurityEndpoint Identity (LSID)
RemoteSecurityEndpoint Location (RSIP)
RemoteSecurityEndpoint Identity (RSID)
In order for IKE to establish a phase 1 SA, it must first locate an applicable phase 1 policy. **KeyExchangeRule**s encapsulate phase 1 policy for IKE.
When IKE needs to locate a KeyExchangeRule statement, it performs a search of the configured KeyExchangeRule statements, supplying specific values or Any for each parameter of the classification 4-tuple.
Use the pasearch -v k -r command to review the configured KeyExchangeRule statements:
If there is no KeyExchangeRule statement that corresponds to the classification 4-tuple that is given on the EZD0917I message, configure a new KeyExchangeRule statement as needed.
If the remote system is behind a NAT, ensure that the RemoteSecurityEndpoint location in the KeyExchangeRule is the public address of the remote system.
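The following is an added example, not IBM code: it parses the EZD0917I text into the classification 4-tuple and reports, for each rule, which fields rule it out. It is a simplified model of the search that assumes every rule field is either a single literal value or Any; the rule names, addresses and identities are constructed, and the rule values are assumed to be copied by hand from the pasearch output.

```python
import re

# Field labels as they appear in the EZD0917I text, in message order.
FIELDS = ("LocalIp", "RemoteIp", "LocalID", "RemoteID")
_MSG = re.compile(
    r"EZD0917I.*?LocalIp\s*:\s*(.*?)\s+RemoteIp\s*:\s*(.*?)"
    r"\s+LocalID\s*:\s*(.*?)\s+RemoteID\s*:\s*(.*?)\s*$",
    re.S,  # the message may wrap across lines
)

def parse_ezd0917i(text):
    """Return the classification 4-tuple from the message as a dict."""
    m = _MSG.search(text)
    if m is None:
        raise ValueError("not an EZD0917I message")
    return dict(zip(FIELDS, m.groups()))

def mismatches(rule, wanted):
    """List the fields where a rule is neither Any nor equal to the value."""
    return [f for f in FIELDS
            if rule[f].lower() != "any" and rule[f] != wanted[f]]

def diagnose(text, rules):
    """Map each rule name to its mismatching fields (empty list = applicable)."""
    wanted = parse_ezd0917i(text)
    return {name: mismatches(rule, wanted) for name, rule in rules.items()}

# Constructed sample message using documentation-range addresses.
SAMPLE_MSG = """EZD0917I Could not find applicable KeyExchangeRule - LocalIp : 192.0.2.10
RemoteIp : 203.0.113.7 LocalID : 192.0.2.10 RemoteID : branch.example.com"""

# Constructed rules keyed by hypothetical rule names. BranchRule holds the
# peer's private address (the NAT case): the message carries the public
# address, so only the remote location differs.
SAMPLE_RULES = {
    "BranchRule": {"LocalIp": "192.0.2.10", "RemoteIp": "10.20.0.7",
                   "LocalID": "192.0.2.10", "RemoteID": "branch.example.com"},
    "PartnerRule": {"LocalIp": "Any", "RemoteIp": "198.51.100.4",
                    "LocalID": "Any", "RemoteID": "partner.example.com"},
}

if __name__ == "__main__":
    for name, bad in diagnose(SAMPLE_MSG, SAMPLE_RULES).items():
        print(name, "applicable" if not bad else "differs on: " + ", ".join(bad))
```

A rule that differs only on RemoteIp while its identities match is the pattern to expect when the remote system is behind a NAT and the rule holds its private address.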
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date: 31 August 2015
UID: dwa1211187