Manual Chapter : Troubleshooting

Applies To:

Show Versions Show Versions

BIG-IP PEM

  • 15.0.1, 15.0.0, 14.1.0
Manual Chapter

Troubleshooting

PEM troubleshooting

Follow these general troubleshooting suggestions when using Policy Enforcement Manager (PEM):
  • If enforcement policies are not enforced as expected, on the VLAN screen for all VLANs set up to receive incoming subscriber traffic, verify that you set
    CMP Hash
    to
    Source Address
    .
  • If static subscriber policies are not enforced as expected, verify whether you enforced any global, high precedence policies with conflicting actions.
  • When sending traffic without RADIUS, the unknown subscriber policy (if specified) is assigned to the first flows from dynamic or static subscribers. Subscriber policies are applied to subsequent flows.
    An unknown subscriber policy needs to be specified, if there is at least one dynamically provisioned subscriber.
  • Policy changes are applied to new and existing flows within a reasonable time.
  • For applications with connections initiated from the Internet (FTP, RTSP, TFTP), the BIG-IP® system needs to have
    CMP Hash
    set to
    Destination Address
    on the Internet VLAN. In this case, the end-to-end IP addresses have to be preserved; therefore, SNAT should be disabled on all the virtual servers that the applications will use.
  • When importing static subscribers, the file is uploaded in chunks of 1000 subscribers. The system performs a validation check on each chunk. If a validation fails, the subscribers in the current chunk and subsequent chunks are not imported. However, the subscribers loaded in previous chunks are imported onto the system.
PEM can use 3rd party database, custom DB or iRule for URL categorisation. The onbox 3rd party database is limited to the 20M most used URL and is updated regularly.

Steering troubleshooting

  • In case of service chains (w-steering), set
    CMP Hash
    to
    Source Address
    on all the VLANs for which the w-steering action is to be applied.
  • For response-side classification, steering, w-steering, and cloning actions are applied after the results (based on destination IP address and port) are cached in the classification database (srdb). Actions are not applied for the first six flows, by default. (This behavior is configurable by the DB variable
    tmm.pem.srdb.entry.step
    .)

RADIUS troubleshooting

  • If static subscribers are not working as expected with RADIUS, check whether you selected the same
    Subscriber ID Type
    in the
    radiusLB
    profile (
    Local Traffic
    Profiles
    Services
    RADIUS
    ) as that assigned when creating the static subscriber. (
    IMSI
    in the static subscriber corresponds to
    3GPP IMSI
    in the RADIUS profile;
    E164
    to
    Calling Station ID
    , and
    NAI
    to
    User Name
    .)
  • The RADIUS message also needs to specify the same
    Subscriber ID Type
    as the RADIUS profile. So make sure that if you select
    IMSI
    , the IMSI number exists in the RADIUS message. This also applies to the
    user-name
    for NAI, and
    calling station-id
    for E164.

Gx interface to PCRF troubleshooting

  • If you change the IP address of the Gx server in the listener, the change takes effect after you restart TMM using the command:
    bigstart restart tmm
    .
  • For Gx usage monitoring, the threshold is defined on the Policy and Charging Rules Function (PCRF).

Bandwidth control with PEM troubleshooting

  • Do not use dynamic bandwidth control policies in preconfigured enforcement policies (either global or subscriber) when the bit rate is managed by the PCRF through PCC dynamic rules.
  • Do not use dynamic bandwidth control policies in global enforcement policies if they are also used in subscriber policies.
  • For bandwidth controller to work with PCRF, you need to create a default dynamic bandwidth controller with the name
    dynamic_spm_bwc_policy
    , with eight categories named
    cat1
    to
    cat8
    (all set to 100 percent). You must choose a proper max-rate value for this bandwidth controller (typically, close to network capacity dedicated to subscriber traffic).
    This bandwidth controller is intended for internal usage only and should not be used for other purposes.

Active sessions troubleshooting (retrieving subscriber data or BIG-IP system information)

  • When the BIG-IP system receives policy information from the PCRF for a subscriber, you can verify the active policies on the subscriber session, the subscriber type (static or dynamic) and view subscriber statistics by checking
    Active Sessions
    (
    Policy Enforcement
    Subscribers
    Active Sessions
    ).
  • If you have a static subscriber without an IP address, no active session is created. The incoming RADIUS message has the IP information for the static subscriber and a session is created based on this. When the radius message arrives, verify both the new session and policy attached to the session.
  • You can view subscriber information with multiple IP addreses. Static subscribers can have more than two IP addresses of either IPv4 or IPv6 and up to a maximum of 16. Dynamic subscribers can have one IPv4 IP address and one IPv6 IP address.
  • If your subscriber type is dynamically provisioned, then your assigned policy can be based on a predefined PCC rule or dynamic PCC rule.
  • For information about uplink and downlink traffic (byte count and flows), check (
    Policy Enforcement
    Subscribers
    Statistics
    ).
  • You can auto-refresh the subscriber session information for 10 to 300 seconds.
  • There is a hold time for new subscriber sessions. To change the provisioning hold time, you can use the sys db variable key:
    tmm.pem.session.ip-addr.max
    .

iRules® troubleshooting

  • While running the script, if the BIG-IP system receives an error, ignore the error and implement the next custom action script. Although this is the default behaviour, it is possible to change it with the sys db variable key:
    pem.tcl.action.error.abort
    .
  • If policy priority, event priority, and the rule precedence is the same, then there is no guarantee of order of execution.
  • You can use iRule commands to set accounting report interval, but set the accounting interval larger than the BIG-IP interval configuration for the accounting report interval to be effective.

IPsec troubleshooting

  • For IPsec to work with Policy Enforcement Manager (PEM), disable the DB variable
    ipsec.lookupspi
    .

Subscriber and policies active sessions

You can view session records based on subscriber ID or session IP. Policy Enforcement Manager contains the information presented in this table. You can access this is in
Active Sessions
(
Policy Enforcement
Subscribers
Active Sessions
).
Field
Description
ID
A unique identifier (up to 64 characters) for the subscriber initiating the session, such as a phone number. The subscriber ID type determines the format.
ID type
The format of the subscriber ID attribute. It can be E.164, IMSI, NAI, or Private (RFC 4006).
Subscriber Type
Specifies a dynamically or statically subscriber.
Calling Station
Radius Attribute Value Pair (AVP) type 31 (3GPP TS 29.061 V9.6.0).
Called Station
Radius Attribute Value Pair (AVP) type 30 (3GPP TS 29.061 V9.6.0.
Tower
Specifies the cell tower where subscriber information goes through.
User Name
Displays the format name name@domain.
IMSI
International Mobile Subscriber Identity. A globally unique code number that identifies a GSM, UMTS, or LTE mobile phone user.
IMSEISV
International Mobile Station Equipment Identity Software Version. A globally unique code number that identifies a GSM, UMTS, LTE, or iDEN mobile phone.
Predefined
Specifies the predetermined policy(ies) assigned to the subscriber.
Dynamic
Specifies the dynamic PCC rule applied.
Statistics
Specifies active session statistical information that includes subscriber and session IP identity attributes, assigned policy, and traffic flow information.

Active sessions statistics

You can view subscriber uplink and downlink traffic information. Policy Enforcement Manager contains the information presented in this table.
Field
Description
Data Format
Specifies how the system presents the statistics information. The default is
Normalized
.
Auto Refresh
Automatically updates the screen information at the interval you specify. For example, if you select
60 seconds
from the list, the system updates the displayed screen information every 60 seconds. The default is
Disabled
. When you specify an automatic-refresh interval, the system presents a
Stop
button for halting the operation, and counts down the seconds to the next update. Select
Disabled
to turn off automatic refreshing.
Session IP
Specifies the session IP address. The IP address is in either IPv4 or IPv6 format.
Subscriber ID
Specifies a unique identifier subscriber ID.
Uplink
Specifies traffic volume from the subscriber to network.
Downlink
Specifies traffic volume from the network to subscriber.
Current
Specifies current number of flows.
Maximum
Specifies maximum number of open flows.
Total
Specifies accumulated number of flows ever opened by the subscriber.

Configuring subscriber activity log

You can configure the activity logs of the selected subscribers by subscriber or session activity.
  1. On the Main tab, click
    Policy Enforcement
    Subscribers
    Activity Log
    Configuration
    .
    The Configuration screen opens.
  2. From the
    Log Publisher
    list, select the log publisher that was created. You can create a log publisher in the system at
    System
    Logs
    Configuration
    Log Publishers
    .
  3. From the
    Subscriber Type
    list, select
    Dynamic
    (for dynamic provisioning) or
    Static
    (for static provisioning) subscriber.
  4. In the
    Subscriber ID
    field, type a unique identifier (up to 64 characters) for the subscriber, such as IMSI .
  5. Using the Log Subscriber Activity setting, add each subscriber ID to the log settings.
    1. Type the
      Subscriber ID
      .
    2. Click
      Add
      .
  6. To configure settings of the activity logs by sessions, use the Log Session Activity setting to add each session IP to the log settings.
    1. Type the
      Session IP
      address.
    2. Click
      Add
      .
  7. Click
    Update
    .
    Policy Enforcement Manager starts generating the subscriber activity logs for the configured subscribers.
You have configured the activity logs settings. Policy Enforcement Manager applies the log settings you assigned and lists subscriber activity and session information.