Manual Chapter: IPFIX Templates for CGNAT Events
Applies To:
BIG-IP APM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP Analytics
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP Link Controller
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP LTM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP PEM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP AFM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP DNS
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP ASM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Overview: IPFIX logging templates
The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX information elements (IEs) and templates used to log the F5 CGNAT events. An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the establishment of an inbound NAT64 session.
IPFIX information elements for CGNAT events
Information elements (IEs) are individual fields in an IPFIX template. An IPFIX template
describes a single CGNAT event. These tables list all the IEs used in F5
CGNAT events, and differentiate IEs defined by IANA from IEs defined
by F5 products.
IANA-defined IPFIX information elements
IANA maintains a list of standard IPFIX information elements (IEs), each
with a unique element identifier. The F5 AFM DNS IPFIX implementation uses a subset of these
IEs to publish AFM DNS events. This subset is summarized in the table.
Information Element (IE) | ID | Size (Bytes) |
---|---|---|
destinationIPv4Address | 12 | 4 |
destinationIPv6Address | 28 | 16 |
destinationTransportPort | 11 | 2 |
ingressVRFID | 234 | 4 |
observationTimeMilliseconds | 323 | 8 |
sourceIPv4Address | 8 | 4 |
sourceIPv6Address | 27 | 16 |
sourceTransportPort | 7 | 2 |
IPFIX enterprise information elements
IPFIX provides for enterprises to define their own information elements
(IEs). F5 currently uses the following non-standard IEs for AFM DNS events:
Information Element (IE) | ID | Size (Bytes) |
---|---|---|
action | 12276 - 39 | Variable |
attackEvent | 12276 - 41 | Variable |
attackId | 12276 - 20 | 4 |
attackName | 12276 - 21 | Variable |
bigipHostName | 12276 - 10 | Variable |
bigipMgmtIPv4Address | 12276 - 5 | 4 |
bigipMgmtIPv6Address | 12276 - 6 | 16 |
contextName | 12276 - 9 | Variable |
deviceProduct | 12276 - 12 | Variable |
deviceVendor | 12276 - 11 | Variable |
deviceVersion | 12276 - 13 | Variable |
dnsQueryType | 12276 - 8 | Variable |
errdefsMsgNo | 12276 - 4 | 4 |
flowId | 12276 - 3 | 8 |
ipfixMsgNo | 12276 - 16 | 4 |
messageSeverity | 12276 - 1 | 1 |
msgName | 12276 - 14 | Variable |
packetsDropped | 12276 - 23 | 4 |
packetsReceived | 12276 - 22 | 4 |
partitionName | 12276 - 2 | Variable |
queryName | 12276 - 7 | Variable |
vlanName | 12276 - 15 | Variable |
IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded
within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot
correctly process variable-length IEs, so they are omitted from logs sent to those collector
types.
Individual IPFIX templates for each event
These tables specify the IPFIX templates used by F5 to publish CGNAT Events.
Each template contains a natEvent information element (IE). This element is currently defined by IANA to contain values of 1 (Create Event), 2 (Delete Event) and 3 (Pool Exhausted). In the future, it is possible that IANA will standardize additional values to distinguish between NAT44 and NAT64 events, and to allow for additional types of NAT events. For example, the http://datatracker.ietf.org/doc/draft-ietf-behave-ipfix-nat-logging Internet Draft proposes additional values for this IE for such events.
F5 uses the standard Create and Delete natEvent values in its IPFIX Data Records, rather than new (non-standard) specific values for NAT44 Create, NAT64 Create, and so on.
You can infer the semantics of each template (for example, whether or not the template applies to NAT44 Create, NAT64 Create, or DS-Lite Create) from the template's contents rather than from distinct values in the natEvent IE.
F5 CGNAT might generate different variants of NAT Session Create/Delete events, to cater
to customer requirements such as the need to publish destination address information, or
to specifically omit such information. Each variant has a distinct template.
The “Pool Exhausted” natEvent value is insufficiently descriptive to cover the possible NAT failure cases. Therefore, pending future updates to the natEvent Information Element, F5 uses some non-standard values to cover the following cases:
- 10 – Translation Failure
- 11 – Session Quota Exceeded
- 12 – Port Quota Exceeded
- 13 – Port Block Allocated
- 14 – Port Block Released
- 15 – Port Block Allocation (PBA) Client Block Limit Exceeded
- 16 – PBA Port Quota Exceeded
The following tables enumerate and define the IPFIX templates, and include the possible natEvent values for each template.
NAT44 session create – outbound variant
Description
This event is generated when a NAT44 client session is received from the subscriber side,
and the LSN process successfully translates the source address/port.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
postNATSourceIPv4Address | 225 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
postNAPTSourceTransportPort | 227 | 2 | |
destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
natEvent | 230 | 1 | 1 (for Create event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
NAT44 session delete – outbound variant
Description
This event is generated when a NAT44 client session is received from the subscriber side
and the LSN process finishes the session.
By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
postNATSourceIPv4Address | 225 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
postNAPTSourceTransportPort | 227 | 2 | |
destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
natEvent | 230 | 1 | 2 (for Delete event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
flowDurationMilliseconds | 161 | 4 | Duration in ms. |
NAT44 session create – inbound variant
Description
This event is generated when an inbound NAT44 client session is received from the internet
side and connects to a client on the subscriber side.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
egressVRFID | 235 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | |
postNATDestinationIPv4Address | 226 | 4 | |
destinationTransportPort | 11 | 2 | |
postNAPTDestinationTransportPort | 228 | 2 | |
natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
natEvent | 230 | 1 | 1 (for Create event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
NAT44 session delete – inbound variant
Description
This event is generated when an inbound NAT44 client session is received from the internet
side and connects to a client on the subscriber side. This event is the deletion
of the inbound connection.
By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
egressVRFID | 235 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | |
postNATDestinationIPv4Address | 226 | 4 | |
destinationTransportPort | 11 | 2 | |
postNAPTDestinationTransportPort | 228 | 2 | |
natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
natEvent | 230 | 1 | 2 (for Delete event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
flowDurationMilliseconds | 161 | 4 | Duration in ms. |
NAT44 translation failed
Description
This event reports a NAT44 Translation Failure. The failure does not necessarily mean that
all addresses or ports in the translation pool are already in use; the implementation may
not be able to find a valid translation within the allowed time constraints or number of
lookup attempts, as may happen if the pool has become highly fragmented.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natEvent | 230 | 1 | 10 for Translation Failed. |
natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |
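The variable-length encoding described earlier on this page, applied to this template, as an added example (not F5 code). It decodes one data record laid out per the table above, reading natPoolName with the RFC 7011 length prefix (one octet, or 255 followed by a two-octet length), and skips that IE for a NetFlow v9 collector. The sample record and the pool name in it are constructed.

```python
import ipaddress
import struct

VARLEN = 65535  # RFC 7011: template field length that marks a variable-length IE

# (name, IE id, length) in the order of the "NAT44 translation failed" table.
NAT44_TRANSLATION_FAILED = [
    ("observationTimeMilliseconds", 323, 8),
    ("ingressVRFID", 234, 4),
    ("sourceIPv4Address", 8, 4),
    ("protocolIdentifier", 4, 1),
    ("sourceTransportPort", 7, 2),
    ("destinationIPv4Address", 12, 4),
    ("destinationTransportPort", 11, 2),
    ("natEvent", 230, 1),
    ("natPoolName", 284, VARLEN),
]
IPV4_IES = {8, 12}
STRING_IES = {284}


def read_field(buf, offset, length):
    """Return (raw bytes, next offset) for one IE, fixed or variable length."""
    if length == VARLEN:
        if offset >= len(buf):
            raise ValueError("truncated record: missing length octet")
        length = buf[offset]
        offset += 1
        if length == 255:  # long form: 255, then the real length in 2 octets
            if offset + 2 > len(buf):
                raise ValueError("truncated record: missing 2-octet length")
            (length,) = struct.unpack_from("!H", buf, offset)
            offset += 2
    end = offset + length
    if end > len(buf):
        raise ValueError("truncated record: field runs past end of buffer")
    return buf[offset:end], end


def decode_record(template, buf, netflow_v9=False):
    """Decode one data record; returns (fields, bytes consumed).

    With netflow_v9=True the variable-length IEs are skipped, because the
    page states they are omitted from logs sent to NetFlow v9 collectors.
    """
    fields, offset = {}, 0
    for name, ie_id, length in template:
        if length == VARLEN and netflow_v9:
            continue
        raw, offset = read_field(buf, offset, length)
        if ie_id in IPV4_IES:
            fields[name] = str(ipaddress.IPv4Address(raw))
        elif ie_id in STRING_IES:
            fields[name] = raw.decode("utf-8", errors="replace")
        else:
            fields[name] = int.from_bytes(raw, "big")
    return fields, offset


# Constructed sample: subscriber 10.0.0.5, TCP source port 51515, obscured
# destination, natEvent 10; the pool name is a made-up value.
SAMPLE_FIXED = struct.pack(
    "!QI4sBH4sHB",
    1_700_000_000_000, 0, ipaddress.IPv4Address("10.0.0.5").packed,
    6, 51515, bytes(4), 0, 10,
)
SAMPLE_POOL = b"/Common/example_lsn_pool"
SAMPLE_IPFIX = SAMPLE_FIXED + bytes([len(SAMPLE_POOL)]) + SAMPLE_POOL
SAMPLE_NETFLOW_V9 = SAMPLE_FIXED  # same record without the variable-length IE

if __name__ == "__main__":
    print(decode_record(NAT44_TRANSLATION_FAILED, SAMPLE_IPFIX))
    print(decode_record(NAT44_TRANSLATION_FAILED, SAMPLE_NETFLOW_V9, netflow_v9=True))
```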
NAT44 quota exceeded
Description
This event is generated when an administratively configured policy prevents a successful
NAT44 translation.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
natEvent | 230 | 1 | 11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA client block limit Exceeded, 16 for PBA Port Quota Exceeded. |
natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |
NAT44 port block allocated or released
Description
This event is generated when the BIG-IP software allocates or releases a block of ports for a NAT44 client. The event only occurs when port-block allocation (PBA) is configured for the LSN pool. When an LSN pool uses PBA, it issues an IPFIX log for every block of CGNAT translations rather than for each individual translation. This reduces IPFIX traffic for CGNAT.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The egress routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
postNATSourceIPv4Address | 225 | 4 | |
portRangeStart | 361 | 2 | |
portRangeEnd | 362 | 2 | |
natEvent | 230 | 1 | 13 for PBA, block Allocated, 14 for PBA, block released. |
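An added example (not F5 code) of the lookup these block records support: pairing allocation and release records into leases, then resolving which subscriber held a given public address and port at a given time. The record dictionaries, addresses and timestamps are constructed; the keys follow the IE names in the table above, and closing a lease when its block is re-issued without a release record is an assumption made here for missing logs.

```python
from dataclasses import dataclass
from typing import Optional

PBA_ALLOCATED, PBA_RELEASED = 13, 14  # F5 natEvent values listed on this page


@dataclass
class Lease:
    subscriber: str                 # sourceIPv4Address
    public_ip: str                  # postNATSourceIPv4Address
    port_start: int                 # portRangeStart
    port_end: int                   # portRangeEnd
    start_ms: int                   # observationTimeMilliseconds of the allocation
    end_ms: Optional[int] = None    # None while the block is still allocated
    end_inferred: bool = False      # True when no release record was seen


def build_leases(events):
    """Pair every 'block allocated' record with the record that ends it."""
    open_blocks, leases = {}, []
    for ev in sorted(events, key=lambda e: e["observationTimeMilliseconds"]):
        ts = ev["observationTimeMilliseconds"]
        key = (ev["postNATSourceIPv4Address"], ev["portRangeStart"], ev["portRangeEnd"])
        if ev["natEvent"] == PBA_ALLOCATED:
            stale = open_blocks.get(key)
            if stale is not None:
                # No release record arrived for the previous owner. A block has
                # one owner at a time, so close the old lease at this timestamp.
                stale.end_ms, stale.end_inferred = ts, True
            lease = Lease(ev["sourceIPv4Address"], *key, start_ms=ts)
            open_blocks[key] = lease
            leases.append(lease)
        elif ev["natEvent"] == PBA_RELEASED and key in open_blocks:
            open_blocks.pop(key).end_ms = ts
    return leases


def attribute(leases, public_ip, port, when_ms):
    """Return every lease that covered public_ip:port at when_ms.

    More than one result means the timestamp sits on a hand-over boundary
    and the attribution is ambiguous.
    """
    return [
        lease for lease in leases
        if lease.public_ip == public_ip
        and lease.port_start <= port <= lease.port_end
        and lease.start_ms <= when_ms
        and (lease.end_ms is None or when_ms <= lease.end_ms)
    ]


def _event(ts, nat_event, subscriber, public_ip, start, end):
    return {
        "observationTimeMilliseconds": ts, "natEvent": nat_event,
        "sourceIPv4Address": subscriber, "postNATSourceIPv4Address": public_ip,
        "portRangeStart": start, "portRangeEnd": end,
    }


# Constructed records (documentation address ranges, small timestamps).
SAMPLE_EVENTS = [
    _event(1_000, 13, "10.0.0.5", "203.0.113.7", 1024, 1087),
    _event(1_500, 13, "10.0.0.6", "203.0.113.7", 1088, 1151),
    _event(5_000, 14, "10.0.0.5", "203.0.113.7", 1024, 1087),
    _event(6_000, 13, "10.0.0.9", "203.0.113.7", 1024, 1087),
    # Block 1088-1151 is re-issued with no release record in between.
    _event(8_000, 13, "10.0.0.7", "203.0.113.7", 1088, 1151),
]

if __name__ == "__main__":
    leases = build_leases(SAMPLE_EVENTS)
    for hit in attribute(leases, "203.0.113.7", 1050, 3_000):
        print(hit)
```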
NAT64 session create – outbound variant
Description
This event is generated when a NAT64 client session is received from the subscriber side
and the LSN process successfully translates the source address/port.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
sourceIPv6Address | 27 | 16 | |
postNATSourceIPv4Address | 225 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
postNAPTSourceTransportPort | 227 | 2 | |
postNATDestinationIPv4Address | 226 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
natEvent | 230 | 1 | 1 (for Create event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
NAT64 session delete – outbound variant
Description
This event is generated when a NAT64 client session is received from the subscriber side
and the LSN process finishes the outbound session.
By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
sourceIPv6Address | 27 | 16 | |
postNATSourceIPv4Address | 225 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
postNAPTSourceTransportPort | 227 | 2 | |
postNATDestinationIPv4Address | 226 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
natEvent | 230 | 1 | 2 (for Delete event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
flowDurationMilliseconds | 161 | 4 | Duration in ms. |
NAT64 session create – inbound variant
Description
This event is generated when a client session comes in from the internet side and
successfully connects to a NAT64 client on the subscriber side.
postNATSourceIPv6Address is not reported since this value can be derived algorithmically by appending sourceIPv4Address to the well-known NAT64 prefix (64:ff9b::).
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
egressVRFID | 235 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | |
postNATDestinationIPv6Address | 282 | 16 | |
destinationTransportPort | 11 | 2 | |
postNAPTDestinationTransportPort | 228 | 2 | |
natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
natEvent | 230 | 1 | 1 (for Create event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
NAT64 session delete – inbound variant
Description
This event is generated when a client session comes in from the internet side and
successfully connects to a NAT64 client on the subscriber side. This event is
the deletion of the inbound connection.
postNATSourceIPv6Address is not reported since this value can be derived algorithmically by appending sourceIPv4Address to the well-known NAT64 prefix (64:ff9b::).
By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
egressVRFID | 235 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | |
postNATDestinationIPv6Address | 282 | 16 | |
destinationTransportPort | 11 | 2 | |
postNAPTDestinationTransportPort | 228 | 2 | |
natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
natEvent | 230 | 1 | 2 (for Delete event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
flowDurationMilliseconds | 161 | 4 | Duration in ms. |
NAT64 translation failed
Description
This event reports a NAT64 Translation Failure. The failure does not necessarily mean that
all addresses or ports in the translation pool are already in use; the implementation may
not be able to find a valid translation within the allowed time constraints or number of
lookup attempts, as may happen if the pool has become highly fragmented.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
sourceIPv6Address | 27 | 16 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natEvent | 230 | 1 | 10 for Translation Failed. |
natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |
NAT64 quota exceeded
Description
This event is generated when an administratively configured policy prevents a successful
NAT64 translation.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
sourceIPv6Address | 27 | 16 | |
natEvent | 230 | 1 | 11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA client block limit Exceeded, 16 for PBA Port Quota Exceeded. |
natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |
NAT64 port block allocated or released
Description
This event is generated when the BIG-IP software allocates or releases a block of ports for a NAT64 client. The event only occurs when port-block allocation (PBA) is configured for the LSN pool. When an LSN pool uses PBA, it issues an IPFIX log for every block of CGNAT translations rather than for each individual translation. This reduces IPFIX traffic for CGNAT.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The egress routing-domain ID. |
sourceIPv6Address | 27 | 16 | |
postNATSourceIPv4Address | 225 | 4 | |
portRangeStart | 361 | 2 | |
portRangeEnd | 362 | 2 | |
natEvent | 230 | 1 | 13 for PBA, block Allocated, 14 for PBA, block released. |
DS-Lite session create – outbound variant
Description
This event is generated when a DS-Lite client session is received on the subscriber side and the LSN process successfully translates the source address/port. The client's DS-Lite IPv6 remote endpoint address is reported using IE lsnDsLiteRemoteV6asSource.
The sourceIPv6Address stores different information in this template from the equivalent NAT64 template. In the NAT64 create and delete templates, sourceIPv6Address holds the client's IPv6 address. In this DS-Lite template, it holds the remote endpoint address of the DS-Lite tunnel.
The VRFID (or routing domain ID) for the DS-Lite tunnel is not currently provided; this attribute might be added in the future.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
postNATSourceIPv4Address | 225 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
postNAPTSourceTransportPort | 227 | 2 | |
sourceIPv6Address | 27 | 16 | DS-Lite remote endpoint IPv6 address. |
destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
natEvent | 230 | 1 | 1 (for Create event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
DS-Lite session delete – outbound variant
Description
This event is generated when a DS-Lite client session is received from the subscriber side
and the LSN process finishes with the outbound session.
The sourceIPv6Address stores different information in this template from the equivalent NAT64 template. In the NAT64 create and delete templates, sourceIPv6Address holds the client's IPv6 address. In this DS-Lite template, it holds the remote endpoint address of the DS-Lite tunnel.
The VRFID (or routing domain ID) for the DS-Lite tunnel is not currently provided; this attribute may be added in the future.
By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
postNATSourceIPv4Address | 225 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
postNAPTSourceTransportPort | 227 | 2 | |
sourceIPv6Address | 27 | 16 | DS-Lite remote endpoint IPv6 address. |
destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
natEvent | 230 | 1 | 2 (for Delete event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
flowDurationMilliseconds | 161 | 4 | Duration in ms. |
DS-Lite session create – inbound variant
Description
This event is generated when an inbound client session comes in from the internet side and
connects to a DS-Lite client on the subscriber side.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
egressVRFID | 235 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | |
postNATDestinationIPv6Address | 282 | 16 | DS-Lite remote endpoint IPv6 address. |
postNATDestinationIPv4Address | 226 | 4 | |
destinationTransportPort | 11 | 2 | |
postNAPTDestinationTransportPort | 228 | 2 | |
natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
natEvent | 230 | 1 | 1 (for Create event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
DS-Lite session delete – inbound variant
Description
This event is generated when an inbound client session comes in from the internet side and
connects to a DS-Lite client on the subscriber side. This event marks the end of the
inbound connection, when the connection is deleted.
By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
egressVRFID | 235 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | |
postNATDestinationIPv6Address | 282 | 16 | |
postNATDestinationIPv4Address | 226 | 4 | |
destinationTransportPort | 11 | 2 | |
postNAPTDestinationTransportPort | 228 | 2 | |
natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
natEvent | 230 | 1 | 2 (for Delete event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
flowDurationMilliseconds | 161 | 4 | Duration in ms. |
DS-Lite translation failed
Description
This event reports a DS-Lite Translation Failure. The failure does not necessarily mean
that all addresses or ports in the translation pool are already in use; the implementation
may not be able to find a valid translation within the allowed time constraints or number of
lookup attempts, as may happen if the pool has become highly fragmented.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | IPv4 address used by F5 CGNAT in the IPv4-mapped IPv6 format, for the DS-Lite tunnel terminated on the BIG-IP. |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
sourceIPv6Address | 27 | 16 | IPv6 address for remote endpoint of the DS-Lite tunnel. |
destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natEvent | 230 | 1 | 10 for Translation Failed. |
natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |
DS-Lite quota exceeded
Description
This event is generated when an administratively configured policy prevents a successful
NAT translation in a DS-Lite context.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
sourceIPv6Address | 27 | 16 | DS-Lite remote endpoint IPv6 address. |
natEvent | 230 | 1 | 11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA client block limit Exceeded, 16 for PBA Port Quota Exceeded. |
natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |
DS-Lite port block allocated or released
Description
This event is generated when the BIG-IP software allocates or releases a block of ports for
a DS-Lite client. This event only occurs when port-block allocation (PBA) is configured for
the LSN pool. When an LSN pool uses PBA, it issues an IPFIX log for every block of CGNAT
translations rather than each individual translation. This reduces IPFIX traffic for
CGNAT.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The egress routing-domain ID. |
sourceIPv6Address | 27 | 16 | |
postNATSourceIPv4Address | 225 | 4 | |
portRangeStart | 361 | 2 | |
portRangeEnd | 362 | 2 | |
natEvent | 230 | 1 | 13 for PBA, block Allocated, 14 for PBA, block released. |
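The rule stated earlier, that a template's meaning is inferred from its contents rather than from distinct natEvent values, worked through for the templates on this page as an added example (not F5 code). The function names and label strings are chosen here; the IE ids and natEvent values come from the tables above. It also shows the one case the tables leave ambiguous: the NAT64 and DS-Lite port-block templates list identical IEs.

```python
# IE ids taken from the template tables on this page.
SRC4, SRC6 = 8, 27                  # sourceIPv4Address, sourceIPv6Address
POST_NAPT_SRC_PORT = 227            # appears only in outbound session templates
POST_NAPT_DST_PORT = 228            # appears only in inbound session templates
POST_DST4, POST_DST6 = 226, 282     # postNATDestinationIPv4/IPv6Address
PORT_RANGE = {361, 362}             # portRangeStart, portRangeEnd

SESSION_EVENTS = {1: "session create", 2: "session delete"}
PBA_EVENTS = {13: "port block allocated", 14: "port block released"}
FAILURE_EVENTS = {
    10: "translation failed",
    11: "session quota exceeded",
    12: "port quota exceeded",
    15: "PBA client block limit exceeded",
    16: "PBA port quota exceeded",
}


def source_family(ies):
    """Family implied by the source-address IEs of a subscriber-side template."""
    if SRC4 in ies and SRC6 in ies:
        return "DS-Lite"    # IPv4 source plus the tunnel's remote endpoint IPv6
    if SRC6 in ies:
        return "NAT64"
    if SRC4 in ies:
        return "NAT44"
    raise ValueError("template has no source address IE")


def classify(template_ie_ids, nat_event):
    """Name the event from the template's IE ids and the record's natEvent."""
    ies = set(template_ie_ids)
    if nat_event in PBA_EVENTS:
        if not PORT_RANGE <= ies:
            raise ValueError("PBA natEvent without portRangeStart/portRangeEnd")
        # The NAT64 and DS-Lite PBA tables list the same IEs, so an IPv6
        # source cannot be narrowed further from the template alone.
        family = "NAT64 or DS-Lite" if SRC6 in ies else source_family(ies)
        return f"{family} {PBA_EVENTS[nat_event]}"
    if nat_event in FAILURE_EVENTS:
        return f"{source_family(ies)} {FAILURE_EVENTS[nat_event]}"
    if nat_event in SESSION_EVENTS:
        action = SESSION_EVENTS[nat_event]
        if POST_NAPT_SRC_PORT in ies:
            return f"{source_family(ies)} {action} (outbound)"
        if POST_NAPT_DST_PORT in ies:
            # Inbound templates all carry sourceIPv4Address, so the family
            # comes from which translated destination addresses are present.
            if POST_DST6 in ies and POST_DST4 in ies:
                return f"DS-Lite {action} (inbound)"
            if POST_DST6 in ies:
                return f"NAT64 {action} (inbound)"
            if POST_DST4 in ies:
                return f"NAT44 {action} (inbound)"
    raise ValueError(f"unrecognized template for natEvent {nat_event}")


if __name__ == "__main__":
    nat64_inbound = [323, 234, 235, 8, 4, 7, 12, 282, 11, 228, 229, 230, 152]
    print(classify(nat64_inbound, 1))
    print(classify([323, 234, 235, 27, 225, 361, 362, 230], 13))
```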