IBM MQ does not replace the network—it depends on reliable TCP between clients, listeners, and remote queue managers. When operators say “MQ is down,” the queue manager process is often healthy while packets never reach port 1414. Network issues manifest as connection refused in LASTCHLERR, endless channel RETRY, client reason code 2059 connection broken, or intermittent failures during long-running batches when firewalls drop idle sessions. Beginners troubleshoot application code while the firewall team has not opened the return path for ephemeral ports. This tutorial teaches layered diagnosis: DNS and CONNAME, listener and port, firewall and NAT, VPN and cloud security groups, MTU and fragmentation, load balancers, and how to collaborate with network teams using evidence from both queue managers—not only ping from a laptop that is not the MQ server host.
The sender queue manager channel initiator opens an outbound TCP connection to CONNAME—for example payments.corp.example.com(1414). The packet crosses corporate routing, possibly NAT, and must arrive at the receiver host where a LISTENER binds the same port. Return traffic must be permitted for established connections. Asymmetric firewall rules—allow outbound from A to B but block return—produce classic “works one way” mysteries. Document the full five-tuple path for production pairs: source IP, source port range, destination IP, destination port, protocol TCP.
| Symptom | Likely cause | Who fixes |
|---|---|---|
| Connection refused | Listener down or wrong port | MQ ops |
| Timeout | Firewall drop or wrong IP | Network |
| Intermittent RETRY | Idle timeout or flaky link | Network + MQ HBINT |
| Works by IP not name | DNS failure | DNS team |
| Fails only large messages | MTU or VPN limit | Network |
CONNAME embeds a hostname or IP and port in MQSC—ALTER CHANNEL CONNAME('host(1414)'). If DNS for host fails on the sending server, the connection attempt never starts. If DNS returns a load balancer VIP that does not forward to the MQ listener, you see a timeout. Test resolution from the actual MQ server host, not from your workstation. After data center migrations, stale DNS entries are a top cause of Monday outages. Prefer fully qualified names in CMDB and CONNAME to avoid ambiguous short names.
```
DISPLAY LSSTATUS('TCP.LISTENER') ALL
DISPLAY LISTENER('TCP.LISTENER') PORT TRPTYPE
* Sender must match PORT in CONNAME
DISPLAY CHANNEL('PARIS.TO.LONDON') CONNAME
```
LISTENER STATUS must be RUNNING and PORT must match CONNAME on the sender. Multiple listeners on different ports require consistent documentation—partners often connect to 1414 while your new standard is 1415. Cloud images may expose a different external port via NAT than the internal PORT attribute. Map external to internal explicitly in the firewall ticket.
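The symptom table and the DNS, CONNAME and listener checks above can be turned into a single probe run from the sending MQ server host. This is an added example, not IBM tooling or code from the original page: it parses a CONNAME value, resolves it, attempts one TCP connect, and maps the result to the table's cause and owner. It goes slightly beyond the text by accepting a comma-separated CONNAME list and assuming port 1414 when none is given; the function names are hypothetical.

```python
import re
import socket

# First three rows come from the page's symptom table; "connected" is added here.
TRIAGE = {
    "dns_failure": ("DNS failure", "DNS team"),
    "refused": ("Listener down or wrong port", "MQ ops"),
    "timeout": ("Firewall drop or wrong IP", "Network"),
    "connected": ("TCP path and listener port reachable", "none"),
}

def parse_conname(conname, default_port=1414):
    """Split 'host(1414)' or 'h1(1414),h2' into [(host, port), ...]."""
    targets = []
    for entry in conname.split(","):
        m = re.fullmatch(r"\s*([^()\s]+)\s*(?:\((\d+)\))?\s*", entry)
        if not m:
            raise ValueError(f"malformed CONNAME entry: {entry!r}")
        targets.append((m.group(1), int(m.group(2) or default_port)))
    return targets

def probe(host, port, timeout=5.0):
    """Resolve on this host, then try one TCP connect; return a TRIAGE key."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"
    result = "timeout"  # also used for unreachable-network errors
    for family, socktype, proto, _, sockaddr in addrs:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(sockaddr)
                return "connected"
            except ConnectionRefusedError:
                result = "refused"  # host answered, nothing bound to the port
            except OSError:
                pass  # timed out or unreachable: keep the current result
    return result

def triage(conname, timeout=5.0):
    """Return (host, port, symptom, cause, owner) per CONNAME entry."""
    found = [(h, p, probe(h, p, timeout)) for h, p in parse_conname(conname)]
    return [(h, p, s, *TRIAGE[s]) for h, p, s in found]

if __name__ == "__main__":
    # Hostname is the example CONNAME used earlier on this page.
    print(triage("payments.corp.example.com(1414)"))
```

A "connected" result only proves the TCP path and port; the channel can still fail later at the MQ or TLS layer, so pair it with the DISPLAY commands above.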
Outbound connect from QM_A uses a source port from the ephemeral range on A's host. The firewall must allow return traffic to that port. Stateful firewalls usually handle this; asymmetric ACLs do not. NAT at the edge changes the source IP seen by the partner—update CHLAUTH ADDRESSMAP rules if IP-based rules are used. Long idle channel periods may hit the firewall session timeout; heartbeats and keepalives (HBINT, KAINT) keep sessions alive where supported—network and MQ teams should align timeout values with firewall idle timers.
Very large messages over VPN with low MTU can fail or hang while small test messages succeed. Network teams diagnose with MTU ping tests. MQ MAXMSGL on channel and queue must also allow size—network and MQ limits both matter. Do not confuse message size limits with pure network blackholes.
Layer-4 passthrough preserves MQ protocol end-to-end. SSL termination at the balancer requires the balancer to present certificates partners trust and may break mutual TLS unless reconfigured. Sticky sessions help when multiple queue manager instances sit behind a VIP—cluster and multi-instance designs need architecture review before load balancer insertion.
MQ messages are the conversation. TCP is the phone line. Network issues mean the phones cannot connect—fixing what you say in the conversation (application code) does not help until the line works.
You are trying to call your friend but the phone wires between your houses are broken—so your message never gets there no matter how loud you shout into the phone.
Write a firewall request ticket for SDR from 10.1.1.5 to listener 10.2.2.5:1414 including return traffic.
Compare symptoms: connection refused versus timeout versus 2035.
List the checks to run when the CONNAME hostname resolves with nslookup but the channel is still in RETRY.
1. CONNAME specifies:
2. Connection refused usually means:
3. XMITQ grows during outage because:
4. DNS failure affects: