
When using IPSecurity on z/OS why are we getting the message EZD0821I Packet denied, no tunnel ?

Question & Answer


Question

When we TSO telnet from one system to the other, with IPSecurity enabled (IPCONFIG IPSECURITY), we receive the message EZA8262I Permission is denied (8563).

Since we use the IBM Configuration Assistant for z/OS Communications Server to configure, we then selected Enable filter logging on the IPSec: Stack Level Settings panel to get additional tracing. Recreating the problem, we got this message:

EZD0821I Packet denied, no tunnel: timestamp filter rule= rulename ext= instance sipaddr= sipadd dipaddr= dipaddr proto= proto tag1 tag2 tag3 Interface= ifcaddr ( dir ) secclass= secclass dest= dest len= len vpnaction= vpnaction ifcname= ifcname fragment= frag

Answer

EZD0821I indicates that an IP packet matched the indicated filter rule but no matching tunnel was found.

For dynamic tunnels, this message can occur if the tunnel is not found and AllowOnDemand No is specified in the policy. AllowOnDemand No is the default value. If this traffic should be allowed, either activate the tunnel using the ipsec command or change the policy to allow OnDemand negotiations of Security Associations.
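Before changing policy, it helps to know which filter rule and VPN action the denied packets are actually hitting, since a busy stack with filter logging enabled emits many EZD0821I lines. The following script is an added example, not part of the IBM technote: it parses EZD0821I lines using the field layout shown above (the `filter rule=`, `sipaddr=`, `dipaddr=`, `vpnaction=` and `Interface= ... ( dir )` tokens) and counts denials per rule, VPN action and address pair. The sample log lines are constructed for the example; the `sport=`/`dport=` tokens stand in for the protocol-specific `tag1 tag2 tag3` fields and are an assumption about what a TCP packet logs.

```python
import re
from collections import Counter

# Constructed sample syslogd lines (not captured from a real system). The field
# order follows the EZD0821I template in the technote; sport=/dport= are assumed
# to be the protocol-specific tags logged for a TCP packet.
SAMPLE_LOG = """\
EZD0821I Packet denied, no tunnel: 10/20/2017 09:15:01.23 filter rule= TN3270_Rule ext= 1 sipaddr= 10.1.1.5 dipaddr= 10.1.2.7 proto= tcp(6) sport= 1025 dport= 23 Interface= 10.1.1.5 (O) secclass= 255 dest= local len= 60 vpnaction= TN3270_Dyn ifcname= OSA1 fragment= N
EZD0821I Packet denied, no tunnel: 10/20/2017 09:15:04.88 filter rule= TN3270_Rule ext= 1 sipaddr= 10.1.1.5 dipaddr= 10.1.2.7 proto= tcp(6) sport= 1025 dport= 23 Interface= 10.1.1.5 (O) secclass= 255 dest= local len= 60 vpnaction= TN3270_Dyn ifcname= OSA1 fragment= N
EZD0821I Packet denied, no tunnel: 10/20/2017 09:16:30.01 filter rule= FTP_Rule ext= 2 sipaddr= 10.1.1.5 dipaddr= 10.1.3.9 proto= tcp(6) sport= 1030 dport= 21 Interface= 10.1.1.5 (O) secclass= 255 dest= local len= 60 vpnaction= FTP_Man ifcname= OSA1 fragment= N
EZD0814I Packet permitted: 10/20/2017 09:16:31.00 filter rule= Permit_All ext= 1 sipaddr= 10.1.1.5 dipaddr= 10.1.4.2
"""

MSG_ID = "EZD0821I"

# Generic "key= value" tokens; "filter rule=" yields the key "rule".
FIELD_RE = re.compile(r"(\w+)=\s*(\S+)")
# Timestamp sits between the fixed message text and the first field.
TS_RE = re.compile(r"no tunnel:\s*(.*?)\s+filter rule=")
# Direction is the token in parentheses after the interface address: "( dir )" or "(dir)".
DIR_RE = re.compile(r"Interface=\s*\S+\s*\(\s*(\w+)\s*\)")


def parse_ezd0821i(line):
    """Return a dict of the EZD0821I fields, or None if the line is another message."""
    line = line.strip()
    if not line.startswith(MSG_ID):
        return None
    fields = dict(FIELD_RE.findall(line))
    ts = TS_RE.search(line)
    if ts:
        fields["timestamp"] = ts.group(1)
    direction = DIR_RE.search(line)
    if direction:
        fields["direction"] = direction.group(1)
    return fields


def summarize(log_text):
    """Count denials per (filter rule, vpnaction, sipaddr, dipaddr).

    Each key identifies one connectivity rule / VPN action pair whose tunnel was
    not active when traffic arrived, which is the pair to check for
    AllowOnDemand (dynamic tunnel) or activation / time conditions (manual tunnel).
    """
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_ezd0821i(line)
        if fields is None:
            continue
        key = (fields.get("rule"), fields.get("vpnaction"),
               fields.get("sipaddr"), fields.get("dipaddr"))
        counts[key] += 1
    return counts


def report(log_text):
    """Return summary rows sorted by denial count, highest first."""
    rows = summarize(log_text).most_common()
    return [(rule, vpn, src, dst, n) for (rule, vpn, src, dst), n in rows]


if __name__ == "__main__":
    for rule, vpn, src, dst, n in report(SAMPLE_LOG):
        print(f"{n:4d}  rule={rule}  vpnaction={vpn}  {src} -> {dst}")
```

Feed it the syslogd output that filter logging writes (for example `python3 ezd0821i_triage.py < syslog.txt` after replacing `SAMPLE_LOG` with `sys.stdin.read()`), then look up each reported `vpnaction` in the policy: a dynamic VPN action with the default AllowOnDemand No, or a manual tunnel outside its time conditions, accounts for the denials.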

In the policy agent configuration file, take the following actions:

◦ Set the time conditions by using the IpTimeCondition statement. Time conditions can be included in an IpFilterRule statement or in an IpManVpnAction statement.

◦ Set AllowOnDemand Yes on either the IpFilterPolicy statement or on an IpLocalStartAction statement.

When configured with the IBM Configuration Assistant for z/OS Communications Server, take the following actions:

◦ Set the time conditions in the Advanced Settings panel of a security level that is defined as a manual tunnel in the Connectivity Rule Advanced IPSec: Filter Logging / Effective Time panel.

◦ Set AllowOnDemand on the Connectivity Rule Advanced IPSec: Dynamic Tunnels: How to Activate panel.


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
20 October 2017

UID

dwa1213205