IBM Support

Why am I seeing the error message EZD0815I Packet denied by policy...(I) dest= routed?

Question & Answer


Question

I coded my IPv4 filter rule IPSECR NOLOG PROTOCOL * to permit all inbound (I) and outbound (O) packets. My understanding was that:

  • Specifying '*' for src_ipaddr allows any source IP address to match.

  • Specifying '*' for dest_ipaddr allows any destination IP address to match.

So, this is what the IPSEC statement in my TCPIP profile looks like:

  IPSEC
    LOGENABLE
    LOGIMPLICIT
    IPSECR * * NOLOG PROTOCOL *
  ENDIPSEC


But in syslogd the following message appeared for inbound packets:
EZD0815I Packet denied by policy...(I) dest= routed
Why are inbound packets being denied?

Answer

Because ROUTING is not specified on the IPv4 filter rule, it takes its default value, LOCAL.

LOCAL indicates that the rule applies to packets that are destined for this stack only. Dest= routed in message EZD0815I indicates that the packet being processed is being forwarded by this stack. Thus, the rule does not apply to any packets that are being forwarded by this stack, and the packets are denied.

If you want to permit the packets that are being forwarded by the stack, change your IPSECR statement to:

 IPSECR * * NOLOG PROTO * ROUTING EITHER 
 

EITHER indicates that the rule applies to both forwarded and non-forwarded packets.
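
The matching behaviour described in this answer, as an added example (not IBM's code): a simplified Python model that parses the two IPSECR statements shown above, using only the keywords that appear on this page, and evaluates a forwarded and a local packet against each. The function names, the first-match loop, the address/prefix handling and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def parse_ipsecr(line):
    """Parse one IPSECR statement, using only the keywords shown on this page."""
    tok = line.split()
    if len(tok) < 3 or tok[0].upper() != "IPSECR":
        raise ValueError(f"not an IPSECR statement: {line!r}")
    # ROUTING defaults to LOCAL when it is not coded (the cause of the denial).
    rule = {"src": tok[1], "dest": tok[2], "proto": "*",
            "routing": "LOCAL", "routing_coded": False}
    i = 3
    while i < len(tok):
        kw = tok[i].upper()
        if kw in ("PROTO", "PROTOCOL"):
            rule["proto"] = tok[i + 1].upper()
            i += 2
        elif kw == "ROUTING":
            value = tok[i + 1].upper()
            if value not in ("LOCAL", "EITHER"):  # only values named on the page
                raise ValueError(f"ROUTING value not modelled: {value}")
            rule["routing"], rule["routing_coded"] = value, True
            i += 2
        else:  # LOG/NOLOG and any keyword this model does not cover
            i += 1
    return rule

def addr_matches(spec, addr):
    """'*' matches any address; otherwise treat spec as an address or prefix."""
    if spec == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, src, dest, proto, forwarded):
    """Return 'permit' for the first matching rule, else the implicit 'deny'."""
    for r in rules:
        scope_ok = r["routing"] == "EITHER" or not forwarded  # LOCAL: this stack only
        if (scope_ok and addr_matches(r["src"], src)
                and addr_matches(r["dest"], dest)
                and r["proto"] in ("*", proto.upper())):
            return "permit"
    return "deny"  # the outcome the page's EZD0815I message reports

ORIGINAL = parse_ipsecr("IPSECR * * NOLOG PROTOCOL *")
CORRECTED = parse_ipsecr("IPSECR * * NOLOG PROTO * ROUTING EITHER")
PKT = dict(src="192.0.2.10", dest="198.51.100.5", proto="TCP")  # constructed sample

if __name__ == "__main__":
    for fwd in (True, False):  # forwarded packet first, then a local one
        print(fwd, evaluate([ORIGINAL], forwarded=fwd, **PKT),
              evaluate([CORRECTED], forwarded=fwd, **PKT))
```

With `*` for both addresses and every protocol, the corrected rule permits all forwarded traffic as well as traffic destined for the stack itself.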


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
13 August 2015

UID

dwa1208038