IBM Support

We are getting error message EZD1909I. How do we resolve this?

Question & Answer


Question

We are getting this error message when attempting to activate a Security Association:

EZD1909I IP validation failed: the remote identity peer_id does not match remote IP address peer_ip_addr

How do we resolve this issue?

Answer

This message indicates that the local policy required the IP-type identity of the Internet Key Exchange (IKE) peer to be validated against the IP address of the IKE peer, and that the validation failed because the remote identity received from the IKE peer does not match the IP address of the IKE peer.

Additional diagnostic messages with the same message instance number will be issued to identify the impacted Security Association (SA).

Locate the KeyExchangeRule statement in the IP Security (IPSec) policy definitions associated with the impacted SA. Then either set the BypassIPValidation parameter to yes in the associated KeyExchangeAction statement to avoid the IP validation check, or change the associated RemoteSecurityEndpoint Identity parameter to include the remote peer IP address. The IP validation check can also be overridden globally by using the BypassIPValidation parameter on the KeyExchangePolicy statement in the IPSec policy. Set the BypassIPValidation parameter to yes if the RemoteSecurityEndpoint peer is behind a network address translation (NAT) device.
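The following Python sketch models the comparison behind EZD1909I. It is an added illustration, not IBM code and not the z/OS IKE daemon's implementation. The function names, the sample peers, and the rule that non-IP identities skip the check are assumptions made for the example.

```python
import ipaddress

# Identity types that carry a single IP address (names as in RFC 2407 / RFC 7296).
IP_ID_TYPES = {"ID_IPV4_ADDR", "ID_IPV6_ADDR"}


def validate_peer(id_type, id_value, peer_ip, bypass_ip_validation=False):
    """Return None when the peer passes, otherwise the EZD1909I message text."""
    # Assumption: only IP-type identities are compared; FQDN, DN etc. are skipped.
    if bypass_ip_validation or id_type not in IP_ID_TYPES:
        return None
    # Compare parsed addresses so different spellings of one address still match.
    if ipaddress.ip_address(id_value) == ipaddress.ip_address(peer_ip):
        return None
    return (f"EZD1909I IP validation failed: the remote identity {id_value} "
            f"does not match remote IP address {peer_ip}")


# Constructed sample peers: (label, id_type, id_value, observed source IP, bypass)
SAMPLES = [
    ("direct", "ID_IPV4_ADDR", "192.0.2.10", "192.0.2.10", False),
    ("behind NAT", "ID_IPV4_ADDR", "10.1.1.5", "203.0.113.7", False),
    ("behind NAT, bypass", "ID_IPV4_ADDR", "10.1.1.5", "203.0.113.7", True),
    ("FQDN identity", "ID_FQDN", "gw.example.com", "203.0.113.7", False),
    ("IPv6 long form", "ID_IPV6_ADDR", "2001:0db8:0:0:0:0:0:1", "2001:db8::1", False),
]


def failures(samples=SAMPLES):
    """Map each failing peer label to the message it would produce."""
    out = {}
    for label, id_type, id_value, peer_ip, bypass in samples:
        msg = validate_peer(id_type, id_value, peer_ip, bypass)
        if msg:
            out[label] = msg
    return out


if __name__ == "__main__":
    for label, msg in failures().items():
        print(f"{label}: {msg}")
```

Only the NAT case without the bypass fails in this model: the peer presents its private address as its identity, while its packets arrive from the NAT device's translated address.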

Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
08 May 2018

UID

dwa1334644