Manual Chapter : IPFIX Templates for CGNAT Events

Applies To:

BIG-IP APM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP Analytics

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP Link Controller

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP LTM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP PEM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP AFM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP DNS

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP ASM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

Overview: IPFIX logging templates

The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX information elements (IEs) and templates used to log the F5 CGNAT events. An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the establishment of an inbound NAT64 session.

IPFIX information elements for CGNAT events

Information elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single CGNAT event. These tables list all the IEs used in F5 CGNAT events, and differentiate IEs defined by IANA from IEs defined by F5 products.

IANA-defined IPFIX information elements

IANA maintains a list of standard IPFIX information elements (IEs), each with a unique element identifier. The F5 AFM DNS IPFIX implementation uses a subset of these IEs to publish AFM DNS events. This subset is summarized in the table.
| Information Element (IE) | ID | Size (Bytes) |
|---|---|---|
| destinationIPv4Address | 12 | 4 |
| destinationIPv6Address | 28 | 16 |
| destinationTransportPort | 11 | 2 |
| ingressVRFID | 234 | 4 |
| observationTimeMilliseconds | 323 | 8 |
| sourceIPv4Address | 8 | 4 |
| sourceIPv6Address | 27 | 16 |
| sourceTransportPort | 7 | 2 |

IPFIX enterprise information elements

IPFIX provides for enterprises to define their own information elements (IEs). F5 currently uses the following non-standard IEs for AFM DNS events:
| Information Element (IE) | ID | Size (Bytes) |
|---|---|---|
| action | 12276 - 39 | Variable |
| attackEvent | 12276 - 41 | Variable |
| attackId | 12276 - 20 | 4 |
| attackName | 12276 - 21 | Variable |
| bigipHostName | 12276 - 10 | Variable |
| bigipMgmtIPv4Address | 12276 - 5 | 4 |
| bigipMgmtIPv6Address | 12276 - 6 | 16 |
| contextName | 12276 - 9 | Variable |
| deviceProduct | 12276 - 12 | Variable |
| deviceVendor | 12276 - 11 | Variable |
| deviceVersion | 12276 - 13 | Variable |
| dnsQueryType | 12276 - 8 | Variable |
| errdefsMsgNo | 12276 - 4 | 4 |
| flowId | 12276 - 3 | 8 |
| ipfixMsgNo | 12276 - 16 | 4 |
| messageSeverity | 12276 - 1 | 1 |
| msgName | 12276 - 14 | Variable |
| packetsDropped | 12276 - 23 | 4 |
| packetsReceived | 12276 - 22 | 4 |
| partitionName | 12276 - 2 | Variable |
| queryName | 12276 - 7 | Variable |
| vlanName | 12276 - 15 | Variable |
IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot correctly process variable-length IEs, so they are omitted from logs sent to those collector types.

Individual IPFIX templates for each event

These tables specify the IPFIX templates used by F5 to publish CGNAT Events.
Each template contains a natEvent information element (IE). This element is currently defined by IANA to contain values of 1 (Create Event), 2 (Delete Event) and 3 (Pool Exhausted). In the future, it is possible that IANA will standardize additional values to distinguish between NAT44 and NAT64 events, and to allow for additional types of NAT events. For example, the http://datatracker.ietf.org/doc/draft-ietf-behave-ipfix-nat-logging Internet Draft proposes additional values for this IE for such events.
F5 uses the standard Create and Delete natEvent values in its IPFIX Data Records, rather than new (non-standard) specific values for NAT44 Create, NAT64 Create, and so on.
You can infer the semantics of each template (for example, whether or not the template applies to NAT44 Create, NAT64 Create, or DS-Lite Create) from the template's contents rather than from distinct values in the natEvent IE.
F5 CGNAT might generate different variants of NAT Session Create/Delete events, to cater to customer requirements such as the need to publish destination address information, or to specifically omit such information. Each variant has a distinct template.
The “Pool Exhausted” natEvent value is insufficiently descriptive to cover the possible NAT failure cases. Therefore, pending future updates to the natEvent Information Element, F5 uses some non-standard values to cover the following cases:
  • 10 – Translation Failure
  • 11 – Session Quota Exceeded
  • 12 – Port Quota Exceeded
  • 13 – Port Block Allocated
  • 14 – Port Block Released
  • 15 – Port Block Allocation (PBA) Client Block Limit Exceeded
  • 16 – PBA Port Quota Exceeded
The following tables enumerate and define the IPFIX templates, and include the possible natEvent values for each template.
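A collector can apply the "infer from the template's contents" rule mechanically. The following is an added example, not F5 code: `classify`, `family_by_source` and the kind labels are hypothetical names, while the IE IDs and natEvent values are the ones in the tables on this page. It also reports whether the natEvent value fits the kind of template it arrived in.

```python
# IE IDs taken from the template tables on this page.
SRC4, SRC6 = 8, 27                       # sourceIPv4Address, sourceIPv6Address
POST_DST4, POST_DST6 = 226, 282          # postNATDestinationIPv4/IPv6Address
POST_SRC_PORT, POST_DST_PORT = 227, 228  # postNAPTSource/DestinationTransportPort
PORT_RANGE_START = 361                   # portRangeStart

NAT_EVENT = {
    1: "Create", 2: "Delete", 3: "Pool Exhausted",
    10: "Translation Failure", 11: "Session Quota Exceeded",
    12: "Port Quota Exceeded", 13: "Port Block Allocated",
    14: "Port Block Released", 15: "PBA Client Block Limit Exceeded",
    16: "PBA Port Quota Exceeded",
}
# natEvent values that each kind of template carries, per the tables.
EXPECTED = {
    "outbound": {1, 2}, "inbound": {1, 2},
    "port-block": {13, 14}, "rejected": {10, 11, 12, 15, 16},
}


def family_by_source(ids):
    """Outbound and failure templates differ only in their source IEs."""
    if SRC4 in ids and SRC6 in ids:
        return "DS-Lite"
    if SRC6 in ids:
        return "NAT64"
    return "NAT44" if SRC4 in ids else "unknown"


def classify(template_ie_ids, nat_event):
    """Return (family, kind, event name, natEvent fits this template?)."""
    ids = set(template_ie_ids)
    if PORT_RANGE_START in ids:
        kind = "port-block"
        # The NAT64 and DS-Lite PBA templates list identical IEs, so the
        # template contents alone cannot tell them apart.
        if SRC4 in ids:
            family = "NAT44"
        else:
            family = "NAT64 or DS-Lite" if SRC6 in ids else "unknown"
    elif POST_SRC_PORT in ids:
        kind, family = "outbound", family_by_source(ids)
    elif POST_DST_PORT in ids:
        kind = "inbound"
        if POST_DST6 in ids:
            family = "DS-Lite" if POST_DST4 in ids else "NAT64"
        else:
            family = "NAT44" if POST_DST4 in ids else "unknown"
    else:
        kind, family = "rejected", family_by_source(ids)
    event = NAT_EVENT.get(nat_event, "unknown")
    return family, kind, event, nat_event in EXPECTED[kind]
```

The classification does not depend on natPoolName, so it gives the same answer for the NetFlow v9 variants that omit that IE.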

NAT44 session create – outbound variant

Description

This event is generated when a NAT44 client session is received from the subscriber side, and the LSN process successfully translates the source address/port.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
| sourceIPv4Address | 8 | 4 | |
| postNATSourceIPv4Address | 225 | 4 | |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| postNAPTSourceTransportPort | 227 | 2 | |
| destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
| destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
| natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
| natEvent | 230 | 1 | 1 (for Create event). |
| flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |

NAT44 session delete – outbound variant

Description

This event is generated when a NAT44 client session is received from the subscriber side and the LSN process finishes the session.
By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
| sourceIPv4Address | 8 | 4 | |
| postNATSourceIPv4Address | 225 | 4 | |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| postNAPTSourceTransportPort | 227 | 2 | |
| destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
| destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
| natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
| natEvent | 230 | 1 | 2 (for Delete event). |
| flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
| flowDurationMilliseconds | 161 | 4 | Duration in ms. |

NAT44 session create – inbound variant

Description

This event is generated when an inbound NAT44 client session is received from the internet side and connects to a client on the subscriber side.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
| egressVRFID | 235 | 4 | The "client" routing-domain ID. |
| sourceIPv4Address | 8 | 4 | |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| destinationIPv4Address | 12 | 4 | |
| postNATDestinationIPv4Address | 226 | 4 | |
| destinationTransportPort | 11 | 2 | |
| postNAPTDestinationTransportPort | 228 | 2 | |
| natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
| natEvent | 230 | 1 | 1 (for Create event). |
| flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |

NAT44 session delete – inbound variant

Description

This event is generated when an inbound NAT44 client session is received from the internet side and connects to a client on the subscriber side. This event is the deletion of the inbound connection.
By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
| egressVRFID | 235 | 4 | The "client" routing-domain ID. |
| sourceIPv4Address | 8 | 4 | |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| destinationIPv4Address | 12 | 4 | |
| postNATDestinationIPv4Address | 226 | 4 | |
| destinationTransportPort | 11 | 2 | |
| postNAPTDestinationTransportPort | 228 | 2 | |
| natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
| natEvent | 230 | 1 | 2 (for Delete event). |
| flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
| flowDurationMilliseconds | 161 | 4 | Duration in ms. |

NAT44 translation failed

Description

This event reports a NAT44 Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| sourceIPv4Address | 8 | 4 | |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
| destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
| natEvent | 230 | 1 | 10 for Translation Failure. |
| natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |
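The variable-length natPoolName field is the part of this template that a hand-written collector most often gets wrong. The decoder below is an added example, not F5 code: it follows the field order of the NAT44 translation failed table and the IPFIX variable-length encoding (one length octet, or 255 followed by a two-octet length), and it rejects records whose declared lengths run past the buffer. The function names, the sample bytes and the UTF-8 decoding of natPoolName are assumptions.

```python
import ipaddress
import struct

VARLEN = 0xFFFF  # field length a Template Record uses for a variable-length IE

# (IE ID, name, length) in the order of the "NAT44 translation failed" table.
NAT44_XLATE_FAILED = [
    (323, "observationTimeMilliseconds", 8),
    (234, "ingressVRFID", 4),
    (8, "sourceIPv4Address", 4),
    (4, "protocolIdentifier", 1),
    (7, "sourceTransportPort", 2),
    (12, "destinationIPv4Address", 4),
    (11, "destinationTransportPort", 2),
    (230, "natEvent", 1),
    (284, "natPoolName", VARLEN),
]


def take(buf, off, n):
    """Return n bytes at off, refusing to read past the end of the record."""
    if off + n > len(buf):
        raise ValueError(f"record truncated: need {n} bytes at offset {off}")
    return buf[off:off + n], off + n


def decode_record(buf, template):
    """Decode one Data Record; return (fields, bytes consumed)."""
    rec, off = {}, 0
    for _ie_id, name, length in template:
        if length == VARLEN:
            raw, off = take(buf, off, 1)          # short form: 1 length octet
            length = raw[0]
            if length == 255:                     # long form: 255 + 2 octets
                raw, off = take(buf, off, 2)
                length = struct.unpack("!H", raw)[0]
        raw, off = take(buf, off, length)
        if name.endswith("IPv4Address"):
            rec[name] = str(ipaddress.IPv4Address(raw))
        elif name == "natPoolName":
            rec[name] = raw.decode("utf-8", errors="replace")
        else:
            rec[name] = int.from_bytes(raw, "big")
    return rec, off


def build_sample(pool=b"lsn_pool"):
    """Constructed sample record (not captured traffic)."""
    fixed = struct.pack(
        "!QI4sBH4sHB", 1700000000000, 0,
        ipaddress.IPv4Address("10.0.0.5").packed, 6, 40000,
        ipaddress.IPv4Address("0.0.0.0").packed, 0,   # destination obscured
        10)                                            # Translation Failure
    n = len(pool)
    prefix = bytes([n]) if n < 255 else b"\xff" + struct.pack("!H", n)
    return fixed + prefix + pool
```

For a NetFlow v9 destination, pass the template without its last entry, since natPoolName is omitted there.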

NAT44 quota exceeded

Description

This event is generated when an administratively configured policy prevents a successful NAT44 translation.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| sourceIPv4Address | 8 | 4 | |
| natEvent | 230 | 1 | 11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA client block limit Exceeded, 16 for PBA Port Quota Exceeded. |
| natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |

NAT44 port block allocated or released

Description

This event is generated when the BIG-IP software allocates or releases a block of ports for a NAT44 client. The event only occurs when port-block allocation (PBA) is configured for the LSN pool. When an LSN pool uses PBA, it issues an IPFIX log for every block of CGNAT translations rather than for each individual translation. This reduces IPFIX traffic for CGNAT.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| egressVRFID | 235 | 4 | The egress routing-domain ID. |
| sourceIPv4Address | 8 | 4 | |
| postNATSourceIPv4Address | 225 | 4 | |
| portRangeStart | 361 | 2 | |
| portRangeEnd | 362 | 2 | |
| natEvent | 230 | 1 | 13 for PBA, block Allocated, 14 for PBA, block released. |
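With PBA there is no per-session record, so attributing a public address and port to a subscriber means finding the block that covered that port at the time in question. The following is an added example, not F5 code: it takes already-decoded port-block records (dictionaries keyed by the IE names in the table above) and answers that lookup. `Block`, `build_blocks`, `who_held` and the sample events are assumptions. It also accepts sourceIPv6Address as the subscriber key, which the NAT64 and DS-Lite port-block templates use.

```python
from dataclasses import dataclass
from typing import Optional

ALLOCATED, RELEASED = 13, 14  # natEvent values listed on this page


@dataclass
class Block:
    subscriber: str                  # sourceIPv4Address or sourceIPv6Address
    vrf: int                         # ingressVRFID ("client" routing domain)
    public_ip: str                   # postNATSourceIPv4Address
    first_port: int                  # portRangeStart
    last_port: int                   # portRangeEnd
    t_alloc: int                     # observationTimeMilliseconds of event 13
    t_release: Optional[int] = None  # None while no release record was seen


def build_blocks(events):
    """Pair allocate/release records into block lifetimes."""
    blocks, open_by_key = [], {}
    for ev in sorted(events, key=lambda e: e["observationTimeMilliseconds"]):
        sub = ev.get("sourceIPv4Address") or ev.get("sourceIPv6Address")
        key = (sub, ev["postNATSourceIPv4Address"],
               ev["portRangeStart"], ev["portRangeEnd"])
        t = ev["observationTimeMilliseconds"]
        if ev["natEvent"] == ALLOCATED:
            blk = Block(sub, ev["ingressVRFID"], key[1], key[2], key[3], t)
            blocks.append(blk)
            open_by_key[key] = blk
        elif ev["natEvent"] == RELEASED and key in open_by_key:
            open_by_key.pop(key).t_release = t
    return blocks


def who_held(blocks, public_ip, port, t_ms):
    """Blocks covering public_ip:port at t_ms.

    More than one hit means a release record is missing from the logs;
    report the result as ambiguous instead of picking one subscriber.
    """
    return [b for b in blocks
            if b.public_ip == public_ip
            and b.first_port <= port <= b.last_port
            and b.t_alloc <= t_ms
            and (b.t_release is None or t_ms <= b.t_release)]


def pba(t_ms, subscriber, nat_event):
    """Constructed sample record for one 64-port block."""
    return {"observationTimeMilliseconds": t_ms, "ingressVRFID": 0,
            "egressVRFID": 0, "sourceIPv4Address": subscriber,
            "postNATSourceIPv4Address": "203.0.113.7",
            "portRangeStart": 1024, "portRangeEnd": 1087,
            "natEvent": nat_event}


# Constructed timeline: the same block passes from one subscriber to another.
EVENTS = [pba(1000, "10.0.0.5", ALLOCATED),
          pba(5000, "10.0.0.5", RELEASED),
          pba(6000, "10.0.0.9", ALLOCATED)]
```

The lookup is only as good as the timestamps supplied with the query; compare them against observationTimeMilliseconds in the same time base.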

NAT64 session create – outbound variant

Description

This event is generated when a NAT64 client session is received from the subscriber side and the LSN process successfully translates the source address/port.
The destinationIPv6Address is not reported, since the postNATDestinationIPv4Address value is derived algorithmically from the IPv6 representation in destinationIPv6Address, as specified in RFC 6146 and RFC 6502.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
| sourceIPv6Address | 27 | 16 | |
| postNATSourceIPv4Address | 225 | 4 | |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| postNAPTSourceTransportPort | 227 | 2 | |
| postNATDestinationIPv4Address | 226 | 4 | 0 (zero) if obscured. |
| destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
| natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
| natEvent | 230 | 1 | 1 (for Create event). |
| flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |

NAT64 session delete – outbound variant

Description

This event is generated when a NAT64 client session is received from the subscriber side and the LSN process finishes the outbound session.
By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
| sourceIPv6Address | 27 | 16 | |
| postNATSourceIPv4Address | 225 | 4 | |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| postNAPTSourceTransportPort | 227 | 2 | |
| postNATDestinationIPv4Address | 226 | 4 | 0 (zero) if obscured. |
| destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
| natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
| natEvent | 230 | 1 | 2 (for Delete event). |
| flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
| flowDurationMilliseconds | 161 | 4 | Duration in ms. |

NAT64 session create – inbound variant

Description

This event is generated when a client session comes in from the internet side and successfully connects to a NAT64 client on the subscriber side.
postNATSourceIPv6Address is not reported since this value can be derived algorithmically by appending the well-known NAT64 prefix 64:ff9b:: to sourceIPv4Address.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
| egressVRFID | 235 | 4 | The "client" routing-domain ID. |
| sourceIPv4Address | 8 | 4 | |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| destinationIPv4Address | 12 | 4 | |
| postNATDestinationIPv6Address | 282 | 16 | |
| destinationTransportPort | 11 | 2 | |
| postNAPTDestinationTransportPort | 228 | 2 | |
| natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
| natEvent | 230 | 1 | 1 (for Create event). |
| flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
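Both NAT64 variants leave one address out of the record because it can be computed: the outbound templates omit destinationIPv6Address and the inbound templates omit postNATSourceIPv6Address. The following is an added example, not F5 code, that reconstructs either value; `embed` and `extract` are hypothetical names. It goes beyond the well-known prefix named on this page and also handles the other standard NAT64 prefix lengths, on the assumption that a deployment may use a network-specific prefix.

```python
import ipaddress

WELL_KNOWN = "64:ff9b::/96"  # the NAT64 prefix named on this page


def _v4_octets(net):
    """Octet positions that carry the IPv4 address inside the IPv6 address.

    Layout per RFC 6052 section 2.2: the IPv4 bits follow the prefix, and
    octet 8 (bits 64-71, the reserved "u" octet) is skipped.
    """
    if net.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError(f"/{net.prefixlen} is not a valid NAT64 prefix length")
    return [i for i in range(net.prefixlen // 8, 16) if i != 8][:4]


def embed(ipv4, prefix=WELL_KNOWN):
    """sourceIPv4Address -> the omitted postNATSourceIPv6Address (inbound)."""
    net = ipaddress.IPv6Network(prefix)
    out = bytearray(net.network_address.packed)
    for pos, octet in zip(_v4_octets(net), ipaddress.IPv4Address(ipv4).packed):
        out[pos] = octet
    return ipaddress.IPv6Address(bytes(out))


def extract(ipv6, prefix=WELL_KNOWN):
    """destinationIPv6Address -> postNATDestinationIPv4Address (outbound).

    Raises ValueError when the address is not inside the NAT64 prefix, so a
    native IPv6 destination is never misread as a translated one.
    """
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not in NAT64 prefix {net}")
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[pos] for pos in _v4_octets(net)))
```

For an inbound record with sourceIPv4Address 198.51.100.20 (a constructed value), `embed` returns 64:ff9b::c633:6414, which is the address the NAT64 client on the subscriber side sees as the peer.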

NAT64 session delete – inbound variant

Description

This event is generated when a client session comes in from the internet side and successfully connects to a NAT64 client on the subscriber side. This event is the deletion of the inbound connection.
postNATSourceIPv6Address is not reported since this value can be derived algorithmically by appending the well-known NAT64 prefix 64:ff9b:: to sourceIPv4Address.
By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
| egressVRFID | 235 | 4 | The "client" routing-domain ID. |
| sourceIPv4Address | 8 | 4 | |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| destinationIPv4Address | 12 | 4 | |
| postNATDestinationIPv6Address | 282 | 16 | |
| destinationTransportPort | 11 | 2 | |
| postNAPTDestinationTransportPort | 228 | 2 | |
| natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
| natEvent | 230 | 1 | 2 (for Delete event). |
| flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
| flowDurationMilliseconds | 161 | 4 | Duration in ms. |

NAT64 translation failed

Description

This event reports a NAT64 Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| sourceIPv6Address | 27 | 16 | |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
| destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
| natEvent | 230 | 1 | 10 for Translation Failure. |
| natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |

NAT64 quota exceeded

Description

This event is generated when an administratively configured policy prevents a successful NAT64 translation.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| sourceIPv6Address | 27 | 16 | |
| natEvent | 230 | 1 | 11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA client block limit Exceeded, 16 for PBA Port Quota Exceeded. |
| natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |

NAT64 port block allocated or released

Description

This event is generated when the BIG-IP software allocates or releases a block of ports for a NAT64 client. The event only occurs when port-block allocation (PBA) is configured for the LSN pool. When an LSN pool uses PBA, it issues an IPFIX log for every block of CGNAT translations rather than for each individual translation. This reduces IPFIX traffic for CGNAT.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| egressVRFID | 235 | 4 | The egress routing-domain ID. |
| sourceIPv6Address | 27 | 16 | |
| postNATSourceIPv4Address | 225 | 4 | |
| portRangeStart | 361 | 2 | |
| portRangeEnd | 362 | 2 | |
| natEvent | 230 | 1 | 13 for PBA, block Allocated, 14 for PBA, block released. |

DS-Lite session create – outbound variant

Description

This event is generated when a DS-Lite client session is received on the subscriber side and the LSN process successfully translates the source address/port. The client's DS-Lite IPv6 remote endpoint address is reported using IE lsnDsLiteRemoteV6asSource.
The sourceIPv6Address stores different information in this template from the equivalent NAT64 template. In the NAT64 create and delete templates, sourceIPv6Address holds the client's IPv6 address. In this DS-Lite template, it holds the remote endpoint address of the DS-Lite tunnel.
The VRFID (or routing domain ID) for the DS-Lite tunnel is not currently provided; this attribute might be added in the future.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
| sourceIPv4Address | 8 | 4 | |
| postNATSourceIPv4Address | 225 | 4 | |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| postNAPTSourceTransportPort | 227 | 2 | |
| sourceIPv6Address | 27 | 16 | DS-Lite remote endpoint IPv6 address. |
| destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
| destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
| natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
| natEvent | 230 | 1 | 1 (for Create event). |
| flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |

DS-Lite session delete – outbound variant

Description

This event is generated when a DS-Lite client session is received from the subscriber side and the LSN process finishes with the outbound session.
The sourceIPv6Address stores different information in this template from the equivalent NAT64 template. In the NAT64 create and delete templates, sourceIPv6Address holds the client's IPv6 address. In this DS-Lite template, it holds the remote endpoint address of the DS-Lite tunnel.
The VRFID (or routing domain ID) for the DS-Lite tunnel is not currently provided; this attribute may be added in the future.
By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
| sourceIPv4Address | 8 | 4 | |
| postNATSourceIPv4Address | 225 | 4 | |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| postNAPTSourceTransportPort | 227 | 2 | |
| sourceIPv6Address | 27 | 16 | DS-Lite remote endpoint IPv6 address. |
| destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
| destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
| natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
| natEvent | 230 | 1 | 2 (for Delete event). |
| flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
| flowDurationMilliseconds | 161 | 4 | Duration in ms. |

DS-Lite session create – inbound variant

Description

This event is generated when an inbound client session comes in from the internet side and connects to a DS-Lite client on the subscriber side.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
| egressVRFID | 235 | 4 | The "client" routing-domain ID. |
| sourceIPv4Address | 8 | 4 | |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| destinationIPv4Address | 12 | 4 | |
| postNATDestinationIPv6Address | 282 | 16 | DS-Lite remote endpoint IPv6 address. |
| postNATDestinationIPv4Address | 226 | 4 | |
| destinationTransportPort | 11 | 2 | |
| postNAPTDestinationTransportPort | 228 | 2 | |
| natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
| natEvent | 230 | 1 | 1 (for Create event). |
| flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |

DS-Lite session delete – inbound variant

Description

This event is generated when an inbound client session comes in from the internet side and connects to a DS-Lite client on the subscriber side. This event marks the end of the inbound connection, when the connection is deleted.
By default, the BIG-IP system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
| egressVRFID | 235 | 4 | The "client" routing-domain ID. |
| sourceIPv4Address | 8 | 4 | |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| destinationIPv4Address | 12 | 4 | |
| postNATDestinationIPv6Address | 282 | 16 | |
| postNATDestinationIPv4Address | 226 | 4 | |
| destinationTransportPort | 11 | 2 | |
| postNAPTDestinationTransportPort | 228 | 2 | |
| natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
| natEvent | 230 | 1 | 2 (for Delete event). |
| flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
| flowDurationMilliseconds | 161 | 4 | Duration in ms. |

DS-Lite translation failed

Description

This event reports a DS-Lite Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| sourceIPv4Address | 8 | 4 | IPv4 address used by F5 CGNAT in the IPv4-mapped IPv6 format, for the DS-Lite tunnel terminated on the BIG-IP. |
| protocolIdentifier | 4 | 1 | |
| sourceTransportPort | 7 | 2 | |
| sourceIPv6Address | 27 | 16 | IPv6 address for remote endpoint of the DS-Lite tunnel. |
| destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
| destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
| natEvent | 230 | 1 | 10 for Translation Failure. |
| natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |

DS-Lite quota exceeded

Description

This event is generated when an administratively configured policy prevents a successful NAT translation in a DS-Lite context.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| sourceIPv4Address | 8 | 4 | |
| sourceIPv6Address | 27 | 16 | DS-Lite remote endpoint IPv6 address. |
| natEvent | 230 | 1 | 11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA client block limit Exceeded, 16 for PBA Port Quota Exceeded. |
| natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |

DS-Lite port block allocated or released

Description

This event is generated when the BIG-IP software allocates or releases a block of ports for a DS-Lite client. This event only occurs when port-block allocation (PBA) is configured for the LSN pool. When an LSN pool uses PBA, it issues an IPFIX log for every block of CGNAT translations rather than each individual translation. This reduces IPFIX traffic for CGNAT.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| observationTimeMilliseconds | 323 | 8 | |
| ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
| egressVRFID | 235 | 4 | The egress routing-domain ID. |
| sourceIPv6Address | 27 | 16 | |
| postNATSourceIPv4Address | 225 | 4 | |
| portRangeStart | 361 | 2 | |
| portRangeEnd | 362 | 2 | |
| natEvent | 230 | 1 | 13 for PBA, block Allocated, 14 for PBA, block released. |