Question & Answer
Question
What command can I use to verify that a manual IPSec tunnel between z/OS and a firewall is actually passing data?
Answer
Obtain the manual tunnel ID by locating the TunnelID field in the ipsec -f display command output. The Tunnel ID for a manual tunnel has a value of M, followed by a positive integer.
Verify that the manual tunnel is active by issuing the ipsec -m display -a Mxx command, where Mxx is the manual tunnel ID from the tunnel display command.
Locate the State field in the ipsec -m command output and confirm that it indicates Active. If the manual tunnel is not active, then activate the tunnel using the ipsec -m activate command. You might consider updating the IpManVpnAction policy configuration statement to specify Active yes, if it is not already specified. A setting of Active yes causes the manual tunnel state to be set to active when the manual tunnel is installed in the stack, without the additional step of issuing ipsec -m activate. If you are using the IBM® Configuration Assistant for z/OS® Communications Server to configure, you can choose to automatically activate manual tunnels within each Connectivity Rule.
To verify whether a manual tunnel is passing data, check the OutboundPackets, OutboundBytes, InboundPackets, and InboundBytes fields in the ipsec -m display command output. These fields show the number of packets and bytes that have flowed inbound and outbound over this tunnel.
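The counters are cumulative, so a nonzero value only shows that traffic has flowed at some point. The following added example (not part of the original IBM answer) compares two captures of the ipsec -m display -a Mxx output taken some time apart and reports whether the tunnel is Active and which direction's packet counters moved. It assumes each field is printed as "FieldName: value" on its own line; the tunnel ID M1 and all counter values are constructed sample data.

```shell
#!/bin/sh
# Added example. Assumption: `ipsec -m display` prints each field as
# "FieldName: value" on its own line. Sample data below is constructed.
# On z/OS the two snapshots would be captured as, for example:
#   before=$(ipsec -m display -a M1); sleep 30; after=$(ipsec -m display -a M1)

# Print the value of field $1 found in display output $2.
tunnel_field() {
    printf '%s\n' "$2" | awk -v f="$1:" '$1 == f { print $2; exit }'
}

# Succeed if counter $1 is larger in snapshot $3 than in snapshot $2.
counter_grew() {
    old=$(tunnel_field "$1" "$2"); new=$(tunnel_field "$1" "$3")
    [ "${new:-0}" -gt "${old:-0}" ]
}

# Compare two snapshots ($1 earlier, $2 later) and print one verdict:
# NOT_ACTIVE, PASSING, OUTBOUND_ONLY, INBOUND_ONLY or IDLE.
check_tunnel() {
    if [ "$(tunnel_field State "$2")" != "Active" ]; then
        echo NOT_ACTIVE; return 0
    fi
    tx=0; rx=0
    if counter_grew OutboundPackets "$1" "$2"; then tx=1; fi
    if counter_grew InboundPackets "$1" "$2"; then rx=1; fi
    case "$tx$rx" in
        11) echo PASSING ;;
        10) echo OUTBOUND_ONLY ;;   # we send, nothing comes back
        01) echo INBOUND_ONLY ;;    # peer sends, we do not
        *)  echo IDLE ;;            # no counter moved in the interval
    esac
}

# Constructed snapshots: outbound counters grow, inbound counters do not.
BEFORE='TunnelID:                     M1
State:                        Active
OutboundPackets:              120
OutboundBytes:                9600
InboundPackets:               118
InboundBytes:                 9440'
AFTER='TunnelID:                     M1
State:                        Active
OutboundPackets:              150
OutboundBytes:                12000
InboundPackets:               118
InboundBytes:                 9440'

check_tunnel "$BEFORE" "$AFTER"
```

A verdict of OUTBOUND_ONLY or INBOUND_ONLY means only one direction's counters are increasing, which points the investigation at the other endpoint or at the path in that direction.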
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
06 August 2015
UID
dwa1206615