Applies To:
- 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0
Follow these general troubleshooting suggestions when using Policy Enforcement Manager™ (PEM™):
- If enforcement policies are not enforced as expected, on the VLAN screen for all VLANs set up to receive incoming subscriber traffic, verify that you set CMP Hash to Source Address.
- If static subscriber policies are not enforced as expected, verify whether you enforced any global, high precedence policies with conflicting actions.
- When sending traffic without RADIUS, the unknown subscriber policy (if specified) is assigned to the first flows from dynamic or static subscribers. Subscriber policies are applied to subsequent flows. Note: An unknown subscriber policy needs to be specified if there is at least one dynamically provisioned subscriber.
- Policy changes are applied to new and existing flows within a reasonable time.
- For applications with connections initiated from the Internet (FTP, RTSP, TFTP), the BIG-IP® system needs to have CMP Hash set to Destination Address on the Internet VLAN. In this case, the end-to-end IP addresses have to be preserved; therefore, SNAT should be disabled on all the virtual servers that the applications will use.
- When importing static subscribers, the file is uploaded in chunks of 1000 subscribers. The system performs a validation check on each chunk. If a validation fails, the subscribers in the current chunk and subsequent chunks are not imported. However, the subscribers loaded in previous chunks are imported onto the system.
- In case of service chains (w-steering), set CMP Hash to Source Address on all the VLANs for which the w-steering action is to be applied.
- For response-side classification, steering, w-steering, and cloning actions are applied after the results (based on destination IP address and port) are cached in the classification database (srdb). Actions are not applied for the first six flows, by default. (This behavior is configurable by the DB variable tmm.pem.srdb.entry.step.)
- If static subscribers are not working as expected with RADIUS, check whether you selected the same Subscriber ID Type in the radiusLB profile ( ) as that assigned when creating the static subscriber. (IMSI in the static subscriber corresponds to 3GPP IMSI in the RADIUS profile; E164 to Calling Station ID, and NAI to User Name.)
- The RADIUS message also needs to specify the same Subscriber ID Type as the RADIUS profile. So make sure that if you select IMSI, the IMSI number exists in the RADIUS message. This also applies to the user-name for NAI, and calling station-id for E164.
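A pre-flight check that models the chunked import described in the static-subscriber item above, so a bad row is found before upload rather than after a partial import. This is an added example, not F5 code: the three-field row layout (`id,id_type,ip;ip`) and the validation rules are assumptions built from limits stated on this page, and `row_error` and `preflight` are hypothetical names.

```python
import ipaddress

CHUNK_SIZE = 1000   # import chunk size stated on this page
MAX_ID_LEN = 64     # subscriber ID length limit stated on this page
MAX_IPS = 16        # static subscriber IP address limit stated on this page
ID_TYPES = {"E164", "IMSI", "NAI", "Private"}

def row_error(row):
    """Return a reason string if the row is invalid, else None (assumed rules)."""
    fields = [f.strip() for f in row.split(",")]
    if len(fields) != 3:
        return "expected 3 fields"
    sub_id, id_type, ips = fields
    if not 1 <= len(sub_id) <= MAX_ID_LEN:
        return "subscriber ID must be 1-64 characters"
    if id_type not in ID_TYPES:
        return f"unknown ID type {id_type!r}"
    addrs = [a for a in ips.split(";") if a]   # a static subscriber may have no IP
    if len(addrs) > MAX_IPS:
        return "more than 16 IP addresses"
    for a in addrs:
        try:
            ipaddress.ip_address(a)            # accepts IPv4 and IPv6
        except ValueError:
            return f"bad IP address {a!r}"
    return None

def preflight(rows, chunk_size=CHUNK_SIZE):
    """Model the chunked import: return (imported, skipped, first_error)."""
    for start in range(0, len(rows), chunk_size):
        for offset, row in enumerate(rows[start:start + chunk_size]):
            reason = row_error(row)
            if reason:
                # Chunks before this one are already on the system; this
                # chunk and every later chunk are not imported.
                return start, len(rows) - start, (start + offset + 1, reason)
    return len(rows), 0, None

# Constructed sample: 2500 rows with one bad ID type at line 1500 (second chunk).
SAMPLE = [f"31015000000{i:04d},IMSI,10.{i // 250}.{i % 250}.1" for i in range(2500)]
SAMPLE[1499] = "310150000001499,IMEI,10.5.249.1"

if __name__ == "__main__":
    imported, skipped, err = preflight(SAMPLE)
    print(f"imported={imported} skipped={skipped} first_error={err}")
```

With the constructed sample, the first 1000 subscribers are imported and the remaining 1500 are not, even though only one row is bad.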
Gx interface to PCRF troubleshooting
- If you change the IP address of the Gx server in the listener, the change takes effect after you restart TMM using the command: bigstart restart tmm.
- For Gx usage monitoring, the threshold is defined on the Policy and Charging Rules Function (PCRF).
Bandwidth control with PEM troubleshooting
- Do not use dynamic bandwidth control policies in preconfigured enforcement policies (either global or subscriber) when the bit rate is managed by the PCRF through PCC dynamic rules.
- Do not use dynamic bandwidth control policies in global enforcement policies if they are also used in subscriber policies.
- For bandwidth controller to work with PCRF, you need to create a default dynamic bandwidth controller with the name dynamic_spm_bwc_policy, with eight categories named cat1 to cat8 (all set to 100 percent). You must choose a proper max-rate value for this bandwidth controller (typically, close to network capacity dedicated to subscriber traffic). Important: This bandwidth controller is intended for internal usage only and should not be used for other purposes.
Active sessions troubleshooting (retrieving subscriber data or BIG-IP system information)
- When the BIG-IP system receives policy information from the PCRF for a subscriber, you can verify the active policies on the subscriber session, the subscriber type (static or dynamic) and view subscriber statistics by checking Active Sessions ( ).
- If you have a static subscriber without an IP address, no active session is created. The incoming RADIUS message has the IP information for the static subscriber and a session is created based on this. When the RADIUS message arrives, verify both the new session and the policy attached to the session.
- You can view subscriber information with multiple IP addresses. Static subscribers can have more than two IP addresses of either IPv4 or IPv6 and up to a maximum of 16. Dynamic subscribers can have one IPv4 IP address and one IPv6 IP address.
- If your subscriber type is dynamically provisioned, then your assigned policy can be based on a predefined PCC rule or dynamic PCC rule.
- For information about uplink and downlink traffic (byte count and flows), check ( ).
- You can auto-refresh the subscriber session information for 10 to 300 seconds.
- There is a hold time for new subscriber sessions. To change the provisioning hold time, you can use the sys db variable key: tmm.pem.session.ip-addr.max.
- If the BIG-IP system receives an error while running a custom action script, it ignores the error and proceeds to the next custom action script. Although this is the default behavior, it is possible to change it with the sys db variable key: pem.tcl.action.error.abort.
- If the policy priority, event priority, and rule precedence are the same, then there is no guarantee of order of execution.
- You can use iRule commands to set the accounting report interval, but for the accounting report interval to be effective, set it larger than the interval configured on the BIG-IP system.
- For IPsec to work with Policy Enforcement Manager™ (PEM™), disable the DB variable ipsec.lookupspi.
Subscriber and policies active sessions
You can view session records based on subscriber ID or session IP. Policy Enforcement Manager™ contains the information presented in this table. You can access this in Active Sessions ( ).
|ID||A unique identifier (up to 64 characters) for the subscriber initiating the session, such as a phone number. The subscriber ID type determines the format.|
|ID type||The format of the subscriber ID attribute. It can be E.164, IMSI, NAI, or Private (RFC 4006).|
|Subscriber Type||Specifies a dynamically or statically provisioned subscriber.|
|Calling Station||RADIUS Attribute Value Pair (AVP) type 31 (3GPP TS 29.061 V9.6.0).|
|Called Station||RADIUS Attribute Value Pair (AVP) type 30 (3GPP TS 29.061 V9.6.0).|
|Tower||Specifies the cell tower where subscriber information goes through.|
|User Name||Displays the user name in the format name@domain.|
|IMSI||International Mobile Subscriber Identity. A globally unique code number that identifies a GSM, UMTS, or LTE mobile phone user.|
|IMEISV||International Mobile Station Equipment Identity Software Version. A globally unique code number that identifies a GSM, UMTS, LTE, or iDEN mobile phone.|
|Predefined||Specifies the predetermined policy(ies) assigned to the subscriber.|
|Dynamic||Specifies the dynamic PCC rule applied.|
|Statistics||Specifies active session statistical information that includes subscriber and session IP identity attributes, assigned policy, and traffic flow information.|
Active sessions statistics
You can view subscriber uplink and downlink traffic information. Policy Enforcement Manager™ contains the information presented in this table.
|Data Format||Specifies how the system presents the statistics information. The default is Normalized.|
|Auto Refresh||Automatically updates the screen information at the interval you specify. For example, if you select 60 seconds from the list, the system updates the displayed screen information every 60 seconds. The default is Disabled. When you specify an automatic-refresh interval, the system presents a Stop button for halting the operation, and counts down the seconds to the next update. Select Disabled to turn off automatic refreshing.|
|Session IP||Specifies the session IP address. The IP address is in either IPv4 or IPv6 format.|
|Subscriber ID||Specifies the unique identifier of the subscriber.|
|Uplink||Specifies traffic volume from the subscriber to network.|
|Downlink||Specifies traffic volume from the network to subscriber.|
|Current||Specifies current number of flows.|
|Maximum||Specifies maximum number of open flows.|
|Total||Specifies accumulated number of flows ever opened by the subscriber.|
Configuring subscriber activity log
- On the Main tab, click . The Configuration screen opens.
- From the Log Publisher list, select the log publisher that was created. You can create a log publisher in the system at .
- From the Subscriber Type list, select Dynamic (for dynamic provisioning) or Static (for static provisioning) subscriber.
- In the Subscriber ID field, type a unique identifier (up to 64 characters) for the subscriber, such as IMSI.
Using the Log Subscriber Activity setting, add each subscriber ID to the log
- Type the Subscriber ID.
- Click Add.
To configure settings of the activity logs by sessions, use the Log Session Activity setting to add each session IP to the log settings.
- Type the Session IP address.
- Click Add.
Policy Enforcement Manager™ starts generating the subscriber activity logs for the configured subscribers.