SSL SERVER DROPS CONNECTIONS DUE TO EXISTING SCBX CONDITION
APAR Identifier ...... PM83945      Last Changed ........ 14/05/28

Symptom ...... IN INCORROUT         Status ........... CLOSED  PER
Severity ................... 3      Date Closed ......... 13/09/18
Component .......... 5735FAL00      Duplicate of ........
Reported Release ......... 610      Fixed Release ............ 999
Component Name TCP/IP V2 FOR V      Special Notice
Current Target Date ..              Flags
SCP ...................
Platform ............

Status Detail: SHIPMENT - Packaged solution is available for
               shipment.

PE PTF List:

PTF List:
Release 540   : UK97851 available 13/09/24 (1301 )
Release 610   : UK97844 available 13/09/24 (1000 )
Release 620   : UK97845 available 13/09/24 (1302 )
Release 630   : UI12490 available 13/11/13 (1401 )

Parent APAR:
Child APAR list:

ERROR DESCRIPTION:
Customer is using secure FTP connections between two z/VM hosts.

On the local host where the z/VM FTP client is in use,
connections might not be established, as seen with this symptom:

   VM TCP/IP FTP Level nnn
   Connecting to <hostname> nnn.nn.nn.nn, port 21
   220-FTP BANNER for <hostinfo>
   FTPSERVE IBM VM Level nnn at <hostname> hh:mm:ss EST ddd yyyy
   220 Connection will close if idle for more than 5 minutes.
   >>>AUTH TLS
   Connection with <hostname> terminated
   Foreign host aborted the connection
   Ready;

or are seen to drop or end intermittently, possibly for a data
connection only:

   ftp <hostname> ( secure
   ...
   Command:
   ls fname.*
   200 Port request O.>
   >>>NLST fname.*
   125 List started OK
   GetReply returns 125
   Unable to secure data connection: (47) Unexpected SSL Server
   return code
   Command:
   ...

On the remote host, the FTP server reports this message for the
failed connection:

   ...
   DTCFTS0104E Unable to secure connection nn: (420) Socket
   closed by remote partner
   ...

whereas the (remote) SSL server reports this type of error:

   ...
   DTCSSL107E Internal error: For incoming connection, found
   SCBX that is already associated with another session
   (TCB 0x0783bf10). Dropping the connection.
   ...

If the NETSTAT ALLCONN command is used to check the status of
connections on the local host, the failed client connections
often will be seen to remain in an unclosed (Close-wait or
FIN-wait-2) state.

LOCAL FIX:
None.

PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: All z/VM customers who use the SSL           *
*                 server to secure FTP connections.            *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
The described problem occurs because in some instances when a
connection is processed, the SSL server can receive control
block information from the TCP/IP stack that references a
connection that still is open within the SSL server. When this
occurs, the SSL server shuts down the new connection, and
produces the 'DTCSSL107E Internal error' message.

PROBLEM CONCLUSION:
To correct this problem, this APAR implements several changes,
which include:

 - Logic changes to close existing, but unused, connections,
   when attempted re-use of an open, SSL server connection is
   detected.

 - Updates to ensure secure connections are closed after a
   data transfer has completed

 - Removal of idle connections for which no relevant session
   control block (SCBX) exists.

TEMPORARY FIX:

COMMENTS:

MODULES/MACROS:
SSLDPUMP SSLDSPTC SSLGSKCF SSLSCBEX SSLSTART SSLTRSIT

SRLS: NONE

RTN CODES:

CIRCUMVENTION:

MESSAGE TO SUBMITTER: