Manual Chapter :
Troubleshooting
Applies To:
Show VersionsBIG-IP LTM
- 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP PEM
- 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Troubleshooting
PEM troubleshooting
Follow these general troubleshooting suggestions when using Policy Enforcement
Manager™ (PEM™):
- If enforcement policies are not enforced as expected, on the VLAN screen for all VLANs set up to receive incoming subscriber traffic, verify that you setCMP HashtoSource Address.
- If static subscriber policies are not enforced as expected, verify whether you enforced any global, high precedence policies with conflicting actions.
- When sending traffic without RADIUS, the unknown subscriber policy (if specified) is assigned to the first flows from dynamic or static subscribers. Subscriber policies are applied to subsequent flows.An unknown subscriber policy needs to be specified, if there is at least one dynamically provisioned subscriber.
- Policy changes are applied to new and existing flows within a reasonable time.
- For applications with connections initiated from the Internet (FTP, RTSP, TFTP), the BIG-IP system needs to haveCMP Hashset toDestination Addresson the Internet VLAN. In this case, the end-to-end IP addresses have to be preserved; therefore, SNAT should be disabled on all the virtual servers that the applications will use.
- When importing static subscribers, the file is uploaded in chunks of 1000 subscribers. The system performs a validation check on each chunk. If a validation fails, the subscribers in the current chunk and subsequent chunks are not imported. However, the subscribers loaded in previous chunks are imported onto the system.
PEM™ can use 3rd party database, custom DB or iRule for URL
categorisation. The onbox 3rd party database is limited to the 20M most used URL and is updated
regularly.
Steering troubleshooting
- In case of service chains (w-steering), setCMP HashtoSource Addresson all the VLANs for which the w-steering action is to be applied.
- For response-side classification, steering, w-steering, and cloning actions are applied after the results (based on destination IP address and port) are cached in the classification database (srdb). Actions are not applied for the first six flows, by default. (This behavior is configurable by the DB variable.)tmm.pem.srdb.entry.step
RADIUS troubleshooting
- If static subscribers are not working as expected with RADIUS, check whether you selected the sameSubscriber ID Typein theradiusLBprofile ( ) as that assigned when creating the static subscriber. (IMSIin the static subscriber corresponds to3GPP IMSIin the RADIUS profile;E164toCalling Station ID, andNAItoUser Name.)
- The RADIUS message also needs to specify the sameSubscriber ID Typeas the RADIUS profile. So make sure that if you selectIMSI, the IMSI number exists in the RADIUS message. This also applies to thefor NAI, anduser-namecalling station-idfor E164.
Gx interface to PCRF troubleshooting
- If you change the IP address of the Gx server in the listener, the change takes effect after you restart TMM using the command:bigstart restart tmm.
- For Gx usage monitoring, the threshold is defined on the Policy and Charging Rules Function (PCRF).
Bandwidth control with PEM troubleshooting
- Do not use dynamic bandwidth control policies in preconfigured enforcement policies (either global or subscriber) when the bit rate is managed by the PCRF through PCC dynamic rules.
- Do not use dynamic bandwidth control policies in global enforcement policies if they are also used in subscriber policies.
- For bandwidth controller to work with PCRF, you need to create a default dynamic bandwidth controller with the namedynamic_spm_bwc_policy, with eight categories namedcat1tocat8(all set to 100 percent). You must choose a proper max-rate value for this bandwidth controller (typically, close to network capacity dedicated to subscriber traffic).This bandwidth controller is intended for internal usage only and should not be used for other purposes.
Active sessions troubleshooting (retrieving subscriber data or BIG-IP system
information)
- When the BIG-IP system receives policy information from the PCRF for a subscriber, you can verify the active policies on the subscriber session, the subscriber type (static or dynamic) and view subscriber statistics by checkingActive Sessions( ).
- If you have a static subscriber without an IP address, no active session is created. The incoming RADIUS message has the IP information for the static subscriber and a session is created based on this. When the radius message arrives, verify both the new session and policy attached to the session.
- You can view subscriber information with multiple IP addreses. Static subscribers can have more than two IP addresses of either IPv4 or IPv6 and up to a maximum of 16. Dynamic subscribers can have one IPv4 IP address and one IPv6 IP address.
- If your subscriber type is dynamically provisioned, then your assigned policy can be based on a predefined PCC rule or dynamic PCC rule.
- For information about uplink and downlink traffic (byte count and flows), check ().
- You can auto-refresh the subscriber session information for 10 to 300 seconds.
- There is a hold time for new subscriber sessions. To change the provisioning hold time, you can use the sys db variable key:tmm.pem.session.ip-addr.max.
iRules® troubleshooting
- While running the script, if the BIG-IP system receives an error, ignore the error and implement the next custom action script. Although this is the default behaviour, it is possible to change it with the sys db variable key:pem.tcl.action.error.abort.
- If policy priority, event priority, and the rule precedence is the same, then there is no guarantee of order of execution.
- You can use iRule commands to set accounting report interval, but set the accounting interval larger than the BIG-IP interval configuration for the accounting report interval to be effective.
IPsec troubleshooting
- For IPsec to work with Policy Enforcement Manager™ (PEM™), disable the DB variable.ipsec.lookupspi
Subscriber and policies active sessions
You can view session records based on subscriber ID or session IP. Policy Enforcement Manager contains the information presented in this table. You can
access this is in
Active Sessions
( ).Field |
Description |
---|---|
ID |
A unique identifier (up to 64 characters) for the subscriber initiating the session, such as a phone number. The subscriber ID type determines the format. |
ID type |
The format of the subscriber ID attribute. It can be E.164, IMSI, NAI, or Private
(RFC 4006). |
Subscriber Type |
Specifies a dynamically or statically subscriber. |
Calling Station |
Radius Attribute Value Pair (AVP) type 31 (3GPP TS 29.061 V9.6.0). |
Called Station |
Radius Attribute Value Pair (AVP) type 30 (3GPP TS 29.061 V9.6.0. |
Tower |
Specifies the cell tower where subscriber information goes through. |
User Name |
Displays the format name name@domain. |
IMSI |
International Mobile Subscriber Identity. A globally unique code number that
identifies a GSM, UMTS, or LTE mobile phone user. |
IMSEISV |
International Mobile Station Equipment Identity Software Version. A globally
unique code number that identifies a GSM, UMTS, LTE, or iDEN mobile phone. |
Predefined |
Specifies the predetermined policy(ies) assigned to the subscriber. |
Dynamic |
Specifies the dynamic PCC rule applied. |
Statistics |
Specifies active session statistical information that includes subscriber and
session IP identity attributes, assigned policy, and traffic flow information. |
Active sessions statistics
You can view subscriber uplink and downlink traffic information. Policy
Enforcement Manager contains the information presented in this table.
Field |
Description |
---|---|
Data Format |
Specifies how the system presents the statistics information. The default is
Normalized . |
Auto Refresh |
Automatically updates the screen information at the interval you specify. For
example, if you select 60 seconds from the list, the system
updates the displayed screen information every 60 seconds. The default is
Disabled . When you specify an automatic-refresh interval, the
system presents a Stop button for halting the operation,
and counts down the seconds to the next update. Select Disabled
to turn off automatic refreshing. |
Session IP |
Specifies the session IP address. The IP address is in
either IPv4 or IPv6 format. |
Subscriber ID |
Specifies a unique identifier subscriber ID. |
Uplink |
Specifies traffic volume from the subscriber to network. |
Downlink |
Specifies traffic volume from the network to subscriber. |
Current |
Specifies current number of flows. |
Maximum |
Specifies maximum number of open flows. |
Total |
Specifies accumulated number of flows ever opened by the subscriber. |
Configuring
subscriber activity log
You can configure the activity logs of the
selected subscribers by subscriber or session activity.
- On the Main tab, click.The Configuration screen opens.
- From theLog Publisherlist, select the log publisher that was created. You can create a log publisher in the system at .
- From theSubscriber Typelist, selectDynamic(for dynamic provisioning) orStatic(for static provisioning) subscriber.
- In theSubscriber IDfield, type a unique identifier (up to 64 characters) for the subscriber, such as IMSI .
- Using the Log Subscriber Activity setting, add each subscriber ID to the log settings.
- Type theSubscriber ID.
- ClickAdd.
- To configure settings of the activity logs by sessions, use the Log Session Activity setting to add each session IP to the log settings.
- Type theSession IPaddress.
- ClickAdd.
- ClickUpdate.Policy Enforcement Manager starts generating the subscriber activity logs for the configured subscribers.
You have configured the activity logs settings. Policy Enforcement Manager applies the
log settings you assigned and lists subscriber activity and session
information.