IBM Support

Why is message EZD0917I issued when activating a Phase 1 Security Association?

Question & Answer


Question

When attempting to activate a Phase 1 security association, we get the following message:

 EZD0917I Could not find applicable KeyExchangeRule - LocalIp : LSIP
           RemoteIp : RSIP  LocalID : LSID RemoteID : RSID

How do we avoid this message?

Answer

EZD0917I is displayed to show why the attempt to activate the Phase 1 security association failed. In this case, it failed because the Internet Key Exchange (IKE) daemon could not find an applicable KeyExchangeRule statement for the specified classification. The classification is a 4-tuple consisting of:

  • LocalSecurityEndpoint Location (LSIP)

  • LocalSecurityEndpoint Identity (LSID)

  • RemoteSecurityEndpoint Location (RSIP)

  • RemoteSecurityEndpoint Identity (RSID)

For IKE to establish a phase 1 SA, it must first locate an applicable phase 1 policy. KeyExchangeRule statements encapsulate phase 1 policy for IKE.

When IKE needs to locate a KeyExchangeRule statement, it performs a search of the configured KeyExchangeRule statements, supplying specific values or Any for each parameter of the classification 4-tuple.

Use the pasearch -v k -r command to review the configured KeyExchangeRule statements:

  • If there is no KeyExchangeRule statement that corresponds to the classification 4-tuple that is given on the EZD0917I message, configure a new KeyExchangeRule statement as needed.

  • If the remote system is behind a NAT, ensure that the RemoteSecurityEndpoint location in the KeyExchangeRule is the public address of the remote system.
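
As an added illustration (not IBM code, and not the IKE daemon's actual search logic), this Python example parses the 4-tuple from an EZD0917I message and compares it with rules transcribed by hand from pasearch output, reporting which field rules each one out. The rule names, addresses and identities are constructed, and the matching is a simplifying assumption: each field is either Any or a specific value, with locations given as an address or prefix.

```python
import ipaddress
import re

# Matches the message layout shown on this page, including the line wrap.
EZD0917I = re.compile(
    r"EZD0917I Could not find applicable KeyExchangeRule - "
    r"LocalIp : (?P<lsip>\S+)\s+RemoteIp : (?P<rsip>\S+)\s+"
    r"LocalID : (?P<lsid>.+?)\s+RemoteID : (?P<rsid>.+?)\s*$", re.S | re.M)

def parse_ezd0917i(text):
    """Return the classification 4-tuple from the message, or None."""
    m = EZD0917I.search(text)
    return m.groupdict() if m else None

def _loc_ok(rule_value, ip):
    # Assumption: a location is Any, a single address, or a prefix.
    if rule_value == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_value, strict=False)

def _id_ok(rule_value, ident):
    # Assumption: identities match only when equal, unless the rule says Any.
    return rule_value in ("Any", ident)

def explain(rules, tup):
    """Map each rule name to the 4-tuple fields that rule out a match."""
    report = {}
    for name, r in rules.items():
        bad = [f for f in ("lsip", "rsip") if not _loc_ok(r[f], tup[f])]
        bad += [f for f in ("lsid", "rsid") if not _id_ok(r[f], tup[f])]
        report[name] = bad
    return report

# Constructed sample: documentation-range addresses and made-up identities.
SAMPLE = """ EZD0917I Could not find applicable KeyExchangeRule - LocalIp : 192.0.2.10
           RemoteIp : 203.0.113.7  LocalID : lpar1.example.com RemoteID : branch.example.com"""

# Constructed rules (hypothetical names). The first one holds the remote
# system's private address, the NAT misconfiguration described above.
RULES = {
    "ToBranch_private": {"lsip": "192.0.2.10", "rsip": "10.1.1.5",
                         "lsid": "lpar1.example.com", "rsid": "branch.example.com"},
    "ToBranch_public": {"lsip": "192.0.2.10", "rsip": "203.0.113.7",
                        "lsid": "lpar1.example.com", "rsid": "Any"},
}

if __name__ == "__main__":
    for rule, bad in explain(RULES, parse_ezd0917i(SAMPLE)).items():
        print(rule, "matches" if not bad else "fails on " + ", ".join(bad))
```
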


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
31 August 2015

UID

dwa1211187