AMPX036I ASSERTION FAILURE CHECKING ERROR RUNNING SSL
APAR Identifier ...... PK16654 Last Changed ........ 06/10/25
AMPX036I ASSERTION FAILURE CHECKING ERROR RUNNING SSL
Symptom ...... IN INCORROUT Status ........... CLOSED PER
Severity ................... 3 Date Closed ......... 06/01/25
Component .......... 5735FAL00 Duplicate of ........
Reported Release ......... 510 Fixed Release ............ 999
Component Name TCP/IP V2 FOR V Special Notice
Current Target Date .. Flags
SCP ...................
Platform ............
Status Detail: SHIPMENT - Packaged solution is available for
shipment.
PE PTF List:
PTF List:
Release 510 : UK11186 available 06/01/26 (0601 )
Release 520 : UK11187 available 06/01/26 (0602 )
Parent APAR:
Child APAR list:
ERROR DESCRIPTION:
VM TCPIP is running with CHECKCONSISTENCY parameter coded in the
ASSORTEDPARMS statement and receives the following errors
after implementing an ssl server (SSLSERV):
.
AMPX036I ASSERTION FAILURE CHECKING ERROR
TRACE BACK OF CALLED ROUTINES
ROUTINE STMT AT ADDRESS IN MODULE
FILLNODEKEY 7 00DFF21E TCTREEP
CHECKTREEVISITNODE 53 00E01F9C TCTREEP
NLTreeTr 98 00E31390
CHECKTREE 7 00E02392 TCTREEP
TREECONSISTENCY 2 00E02CD6 TCTREEP
CONSISTENCYCHECKER 92 00C77EF2 TCCONSI_CONSI
Schedule 2082 00D061EC
<MAIN-PROGRAM> 14 00C501FE TCPIP
VSPASCAL 00E51142
.
Problem is recreatable in lab environment.
LOCAL FIX:
PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: All z/VM TCP/IP users running consistency *
* checking while the SSL server is running. *
****************************************************************
* PROBLEM DESCRIPTION: *
****************************************************************
* RECOMMENDATION: APPLY PTF *
****************************************************************
The establishment of a TCP/IP connection to a secure user or
secure port causes an assertion error when CHECKCONSISTENCY
is specified on the ASSORTEDPARMS statement in the TCP/IP
Configuration file.
PROBLEM CONCLUSION:
Consistency checking is turned on to validate internal
TCP/IP structures. One of the structures that is validated is
the TCP Connection Tree. This tree contains an entry for each
connection and is tied to a corresponding TCB. There is a key
for each entry which is made up of the foreign address, foreign
port, local address and local port for that connection. When
the structure is validated, the corresponding fields in the TCB
are compared to the fields in the key. A mismatch results in an
assertion error.
There is code in the TCP/IP stack which changes the LocalPort
field in the TCB for a secure connection but does not change
the corresponding key in the connection tree. This causes the
mismatch stated above and the resulting assertion failure.
Code has been added so that whenever a change is made to one
of the fields in the TCB used to form the key in the connection
tree, the corresponding entry in the connection tree is deleted
prior to the change and then added back in with the new key
after the change is made. This affects the following modules:
TCPREQU, TCPSSL, TCSOCKRE and TCPUP. A small change was also
made to TCTREEP to use the correct value, TcpConnTreeSize, for
the Expected Total when reporting the statistics for the
connection tree.
TEMPORARY FIX:
COMMENTS:
MODULES/MACROS: TCPIP TCPREQU TCPSSL TCPUP TCSOCKRE
TCTREEP
SRLS: NONE
RTN CODES:
CIRCUMVENTION:
MESSAGE TO SUBMITTER: