Applies To:
BIG-IP AAM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP APM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP Link Controller
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP Analytics
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP LTM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP AFM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP PEM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP DNS
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP ASM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Overview: IPFIX logging templates
The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX information elements (IEs) and templates used to log the F5 CGNAT events. An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the establishment of an inbound NAT64 session.
IPFIX information elements for CGNAT events
Information elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single CGNAT event. These tables list all the IEs used in F5 CGNAT events, and differentiate IEs defined by IANA from IEs defined by F5 products.
IANA-Defined IPFIX information elements
Information Elements
IANA maintains a list of standard IPFIX information elements (IEs), each with a unique element identifier, at http://www.iana.org/assignments/ipfix/ipfix.xml. The F5 CGNAT implementation uses a subset of these IEs to publish CGNAT events. This subset is summarized in the table below. Please refer to the IANA site for the official description of each field.
Information Element (IE) | ID | Size (Bytes) |
---|---|---|
destinationIPv4Address | 12 | 4 |
destinationTransportPort | 11 | 2 |
egressVRFID | 235 | 4 |
flowDurationMilliseconds | 161 | 4 |
flowStartMilliseconds | 152 | 8 |
ingressVRFID | 234 | 4 |
natEvent | 230 | 1 |
natOriginatingAddressRealm | 229 | 1 |
natPoolName | 284 | Variable |
observationTimeMilliseconds | 323 | 8 |
portRangeEnd | 362 | 2 |
portRangeStart | 361 | 2 |
postNAPTDestinationTransportPort | 228 | 2 |
postNAPTSourceTransportPort | 227 | 2 |
postNATDestinationIPv4Address | 226 | 4 |
postNATDestinationIPv6Address | 282 | 16 |
postNATSourceIPv4Address | 225 | 4 |
protocolIdentifier | 4 | 1 |
sourceIPv4Address | 8 | 4 |
sourceIPv6Address | 27 | 16 |
sourceTransportPort | 7 | 2 |
IPFIX enterprise information elements
Description
IPFIX provides specifications for enterprises to define their own Information Elements. F5 currently does not use any non-standard IEs for CGNAT Events.
Individual IPFIX templates for each event
These tables specify the IPFIX templates used by F5 to publish CGNAT Events.
Each template contains a natEvent information element (IE). This element is currently defined by IANA to contain values of 1 (Create Event), 2 (Delete Event) and 3 (Pool Exhausted). In the future, it is possible that IANA will standardize additional values to distinguish between NAT44 and NAT64 events, and to allow for additional types of NAT events. For example, the http://datatracker.ietf.org/doc/draft-ietf-behave-ipfix-nat-logging Internet Draft proposes additional values for this IE for such events.
F5 uses the standard Create and Delete natEvent values in its IPFIX Data Records, rather than new (non-standard) specific values for NAT44 Create, NAT64 Create, and so on.
You can infer the semantics of each template (for example, whether or not the template applies to NAT44 Create, NAT64 Create, or DS-Lite Create) from the template's contents rather than from distinct values in the natEvent IE.
F5 CGNAT might generate different variants of NAT Session Create/Delete events, to cater to customer requirements such as the need to publish destination address information, or to specifically omit such information. Each variant has a distinct template.
The “Pool Exhausted” natEvent value is insufficiently descriptive to cover the possible NAT failure cases. Therefore, pending future updates to the natEvent Information Element, F5 uses some non-standard values to cover the following cases:
- 10 – Translation Failure
- 11 – Session Quota Exceeded
- 12 – Port Quota Exceeded
- 13 – Port Block Allocated
- 14 – Port Block Released
- 15 – Port Block Allocation (PBA) Client Block Limit Exceeded
- 16 – PBA Port Quota Exceeded
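The sketch below shows one way a collector could infer the event from a template's contents and decode a data record against it. It is an added example, not F5 code: the function names are hypothetical, the template is assumed to be already parsed into (IE ID, length) pairs, and the sample record is constructed.

```python
import ipaddress
import struct

# IE id -> name, from the IANA table on this page.
IE_NAMES = {
    4: "protocolIdentifier", 7: "sourceTransportPort", 8: "sourceIPv4Address",
    11: "destinationTransportPort", 12: "destinationIPv4Address",
    27: "sourceIPv6Address", 152: "flowStartMilliseconds",
    161: "flowDurationMilliseconds", 225: "postNATSourceIPv4Address",
    226: "postNATDestinationIPv4Address", 227: "postNAPTSourceTransportPort",
    228: "postNAPTDestinationTransportPort", 229: "natOriginatingAddressRealm",
    230: "natEvent", 234: "ingressVRFID", 235: "egressVRFID",
    282: "postNATDestinationIPv6Address", 284: "natPoolName",
    323: "observationTimeMilliseconds", 361: "portRangeStart", 362: "portRangeEnd",
}
# natEvent values: 1-3 are IANA's, 10-16 are the F5 values listed above.
NAT_EVENTS = {
    1: "Create", 2: "Delete", 3: "Pool Exhausted", 10: "Translation Failure",
    11: "Session Quota Exceeded", 12: "Port Quota Exceeded",
    13: "Port Block Allocated", 14: "Port Block Released",
    15: "PBA Client Block Limit Exceeded", 16: "PBA Port Quota Exceeded",
}
ADDRESS_IES = {8, 12, 27, 225, 226, 282}
VARLEN = 0xFFFF  # template length that marks a variable-length IE (RFC 7011)


def _family(has_v4, has_v6):
    names = {(True, True): "DS-Lite", (False, True): "NAT64", (True, False): "NAT44"}
    return names.get((has_v4, has_v6), "unknown")


def classify_template(fields):
    """Infer (family, kind) from the IE ids in (ie_id, length) template fields."""
    ids = {ie for ie, _ in fields}
    if 228 in ids:  # inbound: the destination side is translated
        kind = "session delete" if 161 in ids else "session create"
        return _family(226 in ids, 282 in ids), kind + ", inbound"
    family = _family(8 in ids, 27 in ids)
    if 361 in ids:  # NAT64 and DS-Lite port-block templates list the same IEs
        family = "NAT64 or DS-Lite" if family == "NAT64" else family
        return family, "port block allocated or released"
    if 227 in ids:
        kind = "session delete" if 161 in ids else "session create"
        return family, kind + ", outbound"
    # natPoolName (284) is omitted for NetFlow v9, so it is not used as a key.
    return family, ("translation failed" if 4 in ids else "quota exceeded")


def decode_record(fields, data):
    """Decode one Data Record laid out as `fields` into a dict keyed by IE name."""
    out, pos = {}, 0

    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("record is shorter than its template")
        pos += n
        return data[pos - n:pos]

    for ie, length in fields:
        if length == VARLEN:  # 1-byte length, or 255 followed by 2 bytes
            length = take(1)[0]
            if length == 255:
                length = int.from_bytes(take(2), "big")
        raw = take(length)
        name = IE_NAMES.get(ie, f"ie{ie}")
        if ie in ADDRESS_IES:
            out[name] = str(ipaddress.ip_address(raw))
        elif ie == 284:
            out[name] = raw.decode("utf-8", "replace")
        else:
            out[name] = int.from_bytes(raw, "big")
    return out


# Constructed sample: the NAT44 outbound create template and one data record.
NAT44_OUT_CREATE = [(323, 8), (234, 4), (235, 4), (8, 4), (225, 4), (4, 1), (7, 2),
                    (227, 2), (12, 4), (11, 2), (229, 1), (230, 1), (152, 8)]
SAMPLE = struct.pack("!QII4s4sBHH4sHBBQ", 1700000000000, 0, 0, bytes([10, 0, 0, 5]),
                     bytes([203, 0, 113, 7]), 6, 51000, 1024, bytes(4), 0, 1, 1,
                     1700000000000)
```

The NAT64 and DS-Lite port-block templates contain the same IEs, so the classifier reports them as one ambiguous family; a collector has to use other context, such as the LSN pool configuration, to separate them.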
The following tables enumerate and define the IPFIX templates, and include the possible natEvent values for each template.
NAT44 session create – outbound variant
Description
This event is generated when a NAT44 client session is received from the subscriber side, and the LSN process successfully translates the source address/port.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
postNATSourceIPv4Address | 225 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
postNAPTSourceTransportPort | 227 | 2 | |
destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
natEvent | 230 | 1 | 1 (for Create event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
NAT44 session delete – outbound variant
Description
This event is generated when a NAT44 client session is received from the subscriber side and the LSN process finishes the session.
By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
postNATSourceIPv4Address | 225 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
postNAPTSourceTransportPort | 227 | 2 | |
destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
natEvent | 230 | 1 | 2 (for Delete event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
flowDurationMilliseconds | 161 | 4 | Duration in ms. |
NAT44 session create – inbound variant
Description
This event is generated when an inbound NAT44 client session is received from the internet side and connects to a client on the subscriber side.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
egressVRFID | 235 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | |
postNATDestinationIPv4Address | 226 | 4 | |
destinationTransportPort | 11 | 2 | |
postNAPTDestinationTransportPort | 228 | 2 | |
natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
natEvent | 230 | 1 | 1 (for Create event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
NAT44 session delete – inbound variant
Description
This event is generated when an inbound NAT44 client session is received from the internet side and connects to a client on the subscriber side. This event is the deletion of the inbound connection.
By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
egressVRFID | 235 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | |
postNATDestinationIPv4Address | 226 | 4 | |
destinationTransportPort | 11 | 2 | |
postNAPTDestinationTransportPort | 228 | 2 | |
natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
natEvent | 230 | 1 | 2 (for Delete event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
flowDurationMilliseconds | 161 | 4 | Duration in ms. |
NAT44 translation failed
Description
This event reports a NAT44 Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natEvent | 230 | 1 | 10 for Translation Failure. |
natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |
NAT44 quota exceeded
Description
This event is generated when an administratively configured policy prevents a successful NAT44 translation.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
natEvent | 230 | 1 | 11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA Client Block Limit Exceeded, 16 for PBA Port Quota Exceeded. |
natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |
NAT44 port block allocated or released
Description
This event is generated when the BIG-IP software allocates or releases a block of ports for a NAT44 client. The event only occurs when port-block allocation (PBA) is configured for the LSN pool. When an LSN pool uses PBA, it issues an IPFIX log for every block of CGNAT translations rather than for each individual translation. This reduces IPFIX traffic for CGNAT.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The egress routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
postNATSourceIPv4Address | 225 | 4 | |
portRangeStart | 361 | 2 | |
portRangeEnd | 362 | 2 | |
natEvent | 230 | 1 | 13 for PBA block allocated, 14 for PBA block released. |
NAT64 session create – outbound variant
Description
This event is generated when a NAT64 client session is received from the subscriber side and the LSN process successfully translates the source address/port.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
sourceIPv6Address | 27 | 16 | |
postNATSourceIPv4Address | 225 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
postNAPTSourceTransportPort | 227 | 2 | |
postNATDestinationIPv4Address | 226 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
natEvent | 230 | 1 | 1 (for Create event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
NAT64 session delete – outbound variant
Description
This event is generated when a NAT64 client session is received from the subscriber side and the LSN process finishes the outbound session.
By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
sourceIPv6Address | 27 | 16 | |
postNATSourceIPv4Address | 225 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
postNAPTSourceTransportPort | 227 | 2 | |
postNATDestinationIPv4Address | 226 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
natEvent | 230 | 1 | 2 (for Delete event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
flowDurationMilliseconds | 161 | 4 | Duration in ms. |
NAT64 session create – inbound variant
Description
This event is generated when a client session comes in from the internet side and successfully connects to a NAT64 client on the subscriber side.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
egressVRFID | 235 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | |
postNATDestinationIPv6Address | 282 | 16 | |
destinationTransportPort | 11 | 2 | |
postNAPTDestinationTransportPort | 228 | 2 | |
natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
natEvent | 230 | 1 | 1 (for Create event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
NAT64 session delete – inbound variant
Description
This event is generated when a client session comes in from the internet side and successfully connects to a NAT64 client on the subscriber side. This event is the deletion of the inbound connection.
By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
egressVRFID | 235 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | |
postNATDestinationIPv6Address | 282 | 16 | |
destinationTransportPort | 11 | 2 | |
postNAPTDestinationTransportPort | 228 | 2 | |
natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
natEvent | 230 | 1 | 2 (for Delete event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
flowDurationMilliseconds | 161 | 4 | Duration in ms. |
NAT64 translation failed
Description
This event reports a NAT64 Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
sourceIPv6Address | 27 | 16 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natEvent | 230 | 1 | 10 for Translation Failure. |
natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |
NAT64 quota exceeded
Description
This event is generated when an administratively configured policy prevents a successful NAT64 translation.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
sourceIPv6Address | 27 | 16 | |
natEvent | 230 | 1 | 11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA Client Block Limit Exceeded, 16 for PBA Port Quota Exceeded. |
natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |
NAT64 port block allocated or released
Description
This event is generated when the BIG-IP software allocates or releases a block of ports for a NAT64 client. The event only occurs when port-block allocation (PBA) is configured for the LSN pool. When an LSN pool uses PBA, it issues an IPFIX log for every block of CGNAT translations rather than for each individual translation. This reduces IPFIX traffic for CGNAT.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The egress routing-domain ID. |
sourceIPv6Address | 27 | 16 | |
postNATSourceIPv4Address | 225 | 4 | |
portRangeStart | 361 | 2 | |
portRangeEnd | 362 | 2 | |
natEvent | 230 | 1 | 13 for PBA block allocated, 14 for PBA block released. |
DS-Lite session create – outbound variant
Description
This event is generated when a DS-Lite client session is received on the subscriber side and the LSN process successfully translates the source address/port. The client's DS-Lite IPv6 remote endpoint address is reported using IE lsnDsLiteRemoteV6asSource.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
postNATSourceIPv4Address | 225 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
postNAPTSourceTransportPort | 227 | 2 | |
sourceIPv6Address | 27 | 16 | DS-Lite remote endpoint IPv6 address. |
destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
natEvent | 230 | 1 | 1 (for Create event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
DS-Lite session delete – outbound variant
Description
This event is generated when a DS-Lite client session is received from the subscriber side and the LSN process finishes with the outbound session.
By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The "LSN" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
postNATSourceIPv4Address | 225 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
postNAPTSourceTransportPort | 227 | 2 | |
sourceIPv6Address | 27 | 16 | DS-Lite remote endpoint IPv6 address. |
destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natOriginatingAddressRealm | 229 | 1 | 1 (private/internal realm, subscriber side). |
natEvent | 230 | 1 | 2 (for Delete event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
flowDurationMilliseconds | 161 | 4 | Duration in ms. |
DS-Lite session create – inbound variant
Description
This event is generated when an inbound client session comes in from the internet side and connects to a DS-Lite client on the subscriber side.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
egressVRFID | 235 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | |
postNATDestinationIPv6Address | 282 | 16 | DS-Lite remote endpoint IPv6 address. |
postNATDestinationIPv4Address | 226 | 4 | |
destinationTransportPort | 11 | 2 | |
postNAPTDestinationTransportPort | 228 | 2 | |
natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
natEvent | 230 | 1 | 1 (for Create event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
DS-Lite session delete – inbound variant
Description
This event is generated when an inbound client session comes in from the internet side and connects to a DS-Lite client on the subscriber side. This event marks the end of the inbound connection, when the connection is deleted.
By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:
modify sys db log.lsn.session.end value enable
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "LSN" routing-domain ID. |
egressVRFID | 235 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
destinationIPv4Address | 12 | 4 | |
postNATDestinationIPv6Address | 282 | 16 | |
postNATDestinationIPv4Address | 226 | 4 | |
destinationTransportPort | 11 | 2 | |
postNAPTDestinationTransportPort | 228 | 2 | |
natOriginatingAddressRealm | 229 | 1 | 2 (public/external realm, Internet side). |
natEvent | 230 | 1 | 2 (for Delete event). |
flowStartMilliseconds | 152 | 8 | Start time, in ms since Epoch (1/1/1970). |
flowDurationMilliseconds | 161 | 4 | Duration in ms. |
DS-Lite translation failed
Description
This event reports a DS-Lite Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | IPv4 address used by F5 CGNAT in the IPv4-mapped IPv6 format, for the DS-Lite tunnel terminated on the BIG-IP. |
protocolIdentifier | 4 | 1 | |
sourceTransportPort | 7 | 2 | |
sourceIPv6Address | 27 | 16 | IPv6 address for remote endpoint of the DS-Lite tunnel. |
destinationIPv4Address | 12 | 4 | 0 (zero) if obscured. |
destinationTransportPort | 11 | 2 | 0 (zero) if obscured. |
natEvent | 230 | 1 | 10 for Translation Failure. |
natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |
DS-Lite quota exceeded
Description
This event is generated when an administratively configured policy prevents a successful NAT translation in a DS-Lite context.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
sourceIPv4Address | 8 | 4 | |
sourceIPv6Address | 27 | 16 | DS-Lite remote endpoint IPv6 address. |
natEvent | 230 | 1 | 11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA Client Block Limit Exceeded, 16 for PBA Port Quota Exceeded. |
natPoolName | 284 | Variable | This IE is omitted for NetFlow v9. |
DS-Lite port block allocated or released
Description
This event is generated when the BIG-IP software allocates or releases a block of ports for a DS-Lite client. This event only occurs when port-block allocation (PBA) is configured for the LSN pool. When an LSN pool uses PBA, it issues an IPFIX log for every block of CGNAT translations rather than each individual translation. This reduces IPFIX traffic for CGNAT.
Information Element (IE) | ID | Size (Bytes) | Notes |
---|---|---|---|
observationTimeMilliseconds | 323 | 8 | |
ingressVRFID | 234 | 4 | The "client" routing-domain ID. |
egressVRFID | 235 | 4 | The egress routing-domain ID. |
sourceIPv6Address | 27 | 16 | |
postNATSourceIPv4Address | 225 | 4 | |
portRangeStart | 361 | 2 | |
portRangeEnd | 362 | 2 | |
natEvent | 230 | 1 | 13 for PBA block allocated, 14 for PBA block released. |
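Because a PBA pool logs one record per port block instead of one per translation, attributing a public address and port to a subscriber means replaying the allocate and release events. The following is an added example, not F5 code: it assumes the port-block records have already been decoded into dictionaries keyed by IE name, the function names are hypothetical, and the sample events are constructed.

```python
ALLOCATED, RELEASED = 13, 14  # F5 natEvent values for PBA, from this page


def build_leases(events):
    """Turn decoded PBA records (dicts keyed by IE name) into lease intervals.

    A lease is a dict with subscriber, public_ip, ports (start, end), from_ms
    and to_ms; from_ms or to_ms is None when that end was never logged.
    """
    leases, open_blocks = [], {}
    for ev in sorted(events, key=lambda e: e["observationTimeMilliseconds"]):
        # NAT44 names the subscriber in sourceIPv4Address; the NAT64 and
        # DS-Lite port-block templates carry sourceIPv6Address instead.
        subscriber = ev.get("sourceIPv4Address") or ev["sourceIPv6Address"]
        block = (ev["postNATSourceIPv4Address"], ev["portRangeStart"],
                 ev["portRangeEnd"])
        key = (subscriber,) + block
        now = ev["observationTimeMilliseconds"]
        if ev["natEvent"] == ALLOCATED:
            if key in open_blocks:
                continue  # duplicate allocation record; keep the earlier start
            lease = {"subscriber": subscriber, "public_ip": block[0],
                     "ports": block[1:], "from_ms": now, "to_ms": None}
            open_blocks[key] = lease
            leases.append(lease)
        elif ev["natEvent"] == RELEASED:
            lease = open_blocks.pop(key, None)
            if lease is None:
                # Release with no logged allocation (collection started late
                # or a record was lost): the start of the lease is unknown.
                lease = {"subscriber": subscriber, "public_ip": block[0],
                         "ports": block[1:], "from_ms": None, "to_ms": None}
                leases.append(lease)
            lease["to_ms"] = now
    return leases


def who_held(leases, public_ip, port, at_ms):
    """Subscribers whose block covered public_ip:port at at_ms (sorted list).

    More than one result means the logs are ambiguous for that instant.
    """
    hits = set()
    for lease in leases:
        lo, hi = lease["ports"]
        if lease["public_ip"] != public_ip or not lo <= port <= hi:
            continue
        started = lease["from_ms"] is None or lease["from_ms"] <= at_ms
        ended = lease["to_ms"] is not None and lease["to_ms"] < at_ms
        if started and not ended:
            hits.add(lease["subscriber"])
    return sorted(hits)


def pba_record(t, sub, event, ip="203.0.113.7", ports=(1024, 1087)):
    """Build one constructed NAT44 PBA record as a decoder would return it."""
    return {"observationTimeMilliseconds": t, "sourceIPv4Address": sub,
            "postNATSourceIPv4Address": ip, "portRangeStart": ports[0],
            "portRangeEnd": ports[1], "natEvent": event}


# Constructed sample: one block handed to two subscribers in turn.
SAMPLE_EVENTS = [
    pba_record(1000, "10.0.0.5", ALLOCATED),
    pba_record(5000, "10.0.0.5", RELEASED),
    pba_record(6000, "10.0.0.9", ALLOCATED),
]
```

An empty result for a time inside the collection window usually points to lost records or a gap in collection, which is worth checking before concluding that no subscriber held the port.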