SSL SERVER DROPS CONNECTIONS DUE TO EXISTING SCBX CONDITION


 
 APAR Identifier ...... PM83945      Last Changed ........ 14/05/28
 
 Symptom ...... IN INCORROUT         Status ........... CLOSED  PER
 Severity ................... 3      Date Closed ......... 13/09/18
 Component .......... 5735FAL00      Duplicate of ........
 Reported Release ......... 610      Fixed Release ............ 999
 Component Name TCP/IP V2 FOR V      Special Notice
 Current Target Date ..              Flags
 SCP ...................
 Platform ............
 
 Status Detail: SHIPMENT - Packaged solution is available for
                           shipment.
 
 PE PTF List:
 
 PTF List:
 Release 540   : UK97851 available 13/09/24 (1301 )
 Release 610   : UK97844 available 13/09/24 (1000 )
 Release 620   : UK97845 available 13/09/24 (1302 )
 Release 630   : UI12490 available 13/11/13 (1401 )
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 Customer is using secure FTP connections between two z/VM
 hosts.  On the local host where the z/VM FTP client is in use,
 connections might not be established, as seen with this symptom:
 
  VM TCP/IP FTP Level nnn
  Connecting to <hostname> nnn.nn.nn.nn, port 21
  220-FTP BANNER for <hostinfo>
  FTPSERVE IBM VM Level nnn at <hostname> hh:mm:ss EST ddd yyyy
  220 Connection will close if idle for more than 5 minutes.
  >>>AUTH TLS
  Connection with <hostname> terminated
  Foreign host aborted the connection
  Ready;
 
 or are seen to drop or end intermittently, possibly for a data
 connection only:
 
  ftp <hostname> ( secure
  ...
  Command:
  ls fname.*
  200 Port request OK.
  >>>NLST fname.*
  125 List started OK
  GetReply returns 125
  Unable to secure data connection: (47) Unexpected SSL Server
    return code
  Command:
  ...
 
 On the remote host, the FTP server reports this message for the
 failed connection:
 
  ...
  DTCFTS0104E Unable to secure connection nn: (420) Socket
    closed by remote partner
  ...
 
 whereas the (remote) SSL server reports this type of error:
 
  ...
  DTCSSL107E Internal error: For incoming connection, found SCBX
    that is already associated with another session (TCB
    0x0783bf10).  Dropping the connection.
  ...
 
 If the NETSTAT ALLCONN command is used to check the status of
 connections on the local host, the failed client connections
 often will be seen to remain in an unclosed (Close-wait or
 FIN-wait-2) state.
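
 The symptom signature above can be checked against captured console output. The following is an added example, not IBM code or part of the APAR: it rejoins wrapped message lines and matches the three messages quoted above. The sample input is constructed from those messages (the connection number 12 is a placeholder), and the indentation-based wrapping rule is an assumption about how the log was captured.

```python
import re

# Message signatures quoted in this APAR's error description.
SIGNATURES = {
    "ssl_scbx_reuse": re.compile(      # remote SSL server console
        r"DTCSSL107E Internal error: For incoming connection, found SCBX "
        r"that is already associated with another session "
        r"\(TCB (0x[0-9a-fA-F]+)\)"),
    "ftp_server_420": re.compile(      # remote FTP server console
        r"DTCFTS0104E Unable to secure connection (\S+): \(420\)"),
    "ftp_client_47": re.compile(       # local FTP client session
        r"Unable to secure data connection: \((47)\) Unexpected SSL Server"),
}

# Constructed sample: the page's three messages concatenated into one capture.
SAMPLE = """\
 DTCFTS0104E Unable to secure connection 12: (420) Socket
   closed by remote partner
 DTCSSL107E Internal error: For incoming connection, found SCBX
   that is already associated with another session (TCB
   0x0783bf10).  Dropping the connection.
 Unable to secure data connection: (47) Unexpected SSL Server
   return code
""".splitlines()

def unwrap(lines):
    """Rejoin wrapped messages. Assumption: a continuation line is indented
    more deeply than the line that starts the message."""
    out, base = [], None
    for raw in lines:
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        if out and indent > base:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
            base = indent
    return out

def scan(lines):
    """Return {signature name: [captured value, ...]} for every match."""
    hits = {name: [] for name in SIGNATURES}
    for msg in unwrap(lines):
        for name, rx in SIGNATURES.items():
            hits[name] += [m.group(1) for m in rx.finditer(msg)]
    return hits

if __name__ == "__main__":
    for name, values in scan(SAMPLE).items():
        print(f"{name}: {len(values)} hit(s) {values}")
```

 A DTCSSL107E hit is the symptom specific to this APAR; the two FTP messages corroborate it from the FTP server and client sides.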
 
 LOCAL FIX:
 None.
 
 PROBLEM SUMMARY:
 ****************************************************************
 * USERS AFFECTED: All z/VM customers who use the SSL           *
 *                 server to secure FTP connections.            *
 ****************************************************************
 * PROBLEM DESCRIPTION:                                         *
 ****************************************************************
 * RECOMMENDATION: APPLY PTF                                    *
 ****************************************************************
 The described problem occurs because in some instances when a
 connection is processed, the SSL server can receive control
 block information from the TCP/IP stack that references a
 connection that still is open within the SSL server.  When this
 occurs, the SSL server shuts down the new connection, and
 produces the 'DTCSSL107E Internal error' message.
 
 PROBLEM CONCLUSION:
 To correct this problem, this APAR implements several
 changes, which include:
 
   - Logic changes to close existing, but unused,
     connections when attempted re-use of an open SSL
     server connection is detected.

   - Updates to ensure secure connections are closed
     after a data transfer has completed.
 
   - Removal of idle connections for which no relevant
     session control block (SCBX) exists.
 
 TEMPORARY FIX:
 
 COMMENTS:
 
 MODULES/MACROS:   SSLDPUMP SSLDSPTC SSLGSKCF SSLSCBEX SSLSTART
 SSLTRSIT
 
 SRLS:      NONE
 
 RTN CODES:
 
 CIRCUMVENTION:
 
 MESSAGE TO SUBMITTER: