ADC

Logging and Monitoring DS-Lite

You can log DS-Lite information to diagnose or troubleshoot problems, and to meet legal requirements. The Citrix ADC appliance supports all LSN logging features for logging DS-Lite information. For configuring DS-Lite logging, use the procedures for configuring LSN logging, described at Logging and Monitoring LSN.

A log message for a DS-Lite LSN mapping entry consists of the following information:

  • Citrix ADC owned IP address (NSIP address or SNIP address) from which the log message is sourced
  • Time stamp
  • Entry type (MAPPING)
  • Whether the DS-Lite LSN mapping entry was created or deleted
  • IPv6 address of B4
  • Subscriber’s IP address, port, and traffic domain ID
  • NAT IP address and port
  • Protocol name
  • Destination IP address, port, and traffic domain ID might be present, depending on the following conditions:
    • Destination IP address and port are not logged for Endpoint-Independent mapping.
    • Only the destination IP address is logged for Address-Dependent mapping. The port is not logged.
    • Destination IP address and port are logged for Address-Port-Dependent mapping.

A log message for a DS-Lite session consists of the following information:

  • Citrix ADC owned IP address (NSIP address or SNIP address) from which the log message is sourced
  • Time stamp
  • Entry type (SESSION)
  • Whether the DS-Lite session is created or removed
  • IPv6 address of B4
  • Subscriber’s IP address, port, and traffic domain ID
  • NAT IP address and port
  • Protocol name
  • Destination IP address, port, and traffic domain ID

The following table shows sample DS-Lite log entries of each type stored on the configured log servers. These log entries are generated by a Citrix ADC appliance whose NSIP address is 10.102.37.115.You can log DS-Lite information to diagnose or troubleshoot problems, and to meet legal requirements. The Citrix ADC appliance supports all LSN logging features for logging DS-Lite information. For configuring DS-Lite logging, use the procedures for configuring LSN logging, described at Logging and Monitoring LSN.

A log message for a DS-Lite LSN mapping entry consists of the following information:

  • Citrix ADC owned IP address (NSIP address or SNIP address) from which the log message is sourced
  • Time stamp
  • Entry type (MAPPING)
  • Whether the DS-Lite LSN mapping entry was created or deleted
  • IPv6 address of B4
  • Subscriber’s IP address, port, and traffic domain ID
  • NAT IP address and port
  • Protocol name
  • Destination IP address, port, and traffic domain ID might be present, depending on the following conditions:
    • Destination IP address and port are not logged for Endpoint-Independent mapping.
    • Only the destination IP address is logged for Address-Dependent mapping. The port is not logged.
    • Destination IP address and port are logged for Address-Port-Dependent mapping.

A log message for a DS-Lite session consists of the following information:

  • Citrix ADC owned IP address (NSIP address or SNIP address) from which the log message is sourced
  • Time stamp
  • Entry type (SESSION)
  • Whether the DS-Lite session is created or removed
  • IPv6 address of B4
  • Subscriber’s IP address, port, and traffic domain ID
  • NAT IP address and port
  • Protocol name
  • Destination IP address, port, and traffic domain ID

The following table shows sample DS-Lite log entries of each type stored on the configured log servers. These log entries are generated by a Citrix ADC appliance whose NSIP address is 10.102.37.115.

   
LSN Log Entry Type Sample Log Entry
DS-Lite session creation Local4.Informational 10.102.37.115 08/14/2015:13:35:38 GMT   0-PPE-1 : default LSN LSN_SESSION 37647607 0 :  SESSION CREATED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 203.0.113.61:3002, Destination IP:Port:TD 198.51.100.250:80:0, Protocol:TCP
DS-Lite session deletion Local4.Informational 10.102.37.115 08/14/2015:13:38:22 GMT   0-PPE-1 : default LSN LSN_SESSION 37647617 0 :  SESSION DELETED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 203.0.113.61:3002, Destination IP:Port:TD 198.51.100.250:80:0, Protocol: TCP
DS-Lite LSN mapping creation Local4.Informational 10.102.37.115 08/14/2015:13:35:39 GMT  0-PPE-1 : default LSN LSN_EIM_MAPPING 37647610 0 :  EIM CREATED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 198.51.100.250:80, Protocol: TCP
DS-Lite LSN mapping deletion Local4.Informational 10.102.37.115 08/14/2015:13:38:25 GMT  0-PPE-1 : default LSN LSN_EIM_MAPPING 37647618 0 :  EIM DELETED 2001:DB8::3:4 Client IP:Port:TD 192.0.2.51:2552:0, NatIP:NatPort 198.51.100.250:80, Protocol: TCP

Displaying Current DS-Lite Sessions

You can display the current DS-Lite sessions for detecting any unwanted or inefficient sessions on the Citrix ADC appliance. You can display all or some DS-Lite sessions, on the basis of selection parameters.

To display all DS-Lite sessions by using the command line interface

At the command prompt, type:

show lsn session –nattype DS-Lite
<!--NeedCopy-->

To display selected DS-Lite sessions by using the command line interface

At the command prompt, type:

show lsn session –nattype DS-Lite [-clientname <string>] [-network <ip_addr> [-netmask <netmask>] [-td <positive_integer>]] [-natIP <ip_addr> [-natPort <port>]]
<!--NeedCopy-->

The following sample ouput displays all DS-Lite sessions existing on a Citrix ADC appliance:

show lsn session –nattype DS-Lite

  B4-Address SubscrIP SubscrPort SubscrTD DstIP DstPort DstTD NatIP NatPort Proto Dir

1. 2001:DB8::3:4 192.0.2.51 2552 0 198.51.100.250 80 0 203.0.113.61 3002 TCP OUT

2. 2001:DB8::3:4 192.0.2.51 3551 0 198.51.100.300 80 0 203.0.113.61 52862 TCP OUT

3. 2001:DB8::3:4 192.0.2.100 4556 0 198.51.100.250 0 0 203.0.113.61 48116 ICMP OUT

4. 2001: DB8::190 192.0.2.150 3881 0 198.51.100.199 80 0 203.0.113.69 48305 TCP OUT
Done
<!--NeedCopy-->

Configuration Using the Configuration Utility

To display all or selected DS-Lite sessions by using the configuration utility

  1. Navigate to System > Large Scale NAT > Sessions, and click the DS-Lite tab.
  2. For displaying DS-Lite sessions on the basis of selection parameters, click Search.

Clearing DS-Lite Sessions

You can remove any unwanted or inefficient DS-Lite sessions from the Citrix ADC appliance. The appliance immediately releases the resources (such as NAT IP address, port, and memory) allocated for these sessions, making the resources available for new sessions. The appliance also drops all the subsequent packets related to these removed sessions. You can remove all or selected DS-Lite sessions from the Citrix ADC appliance.

To clear all DS-Lite sessions by using the command line interface

At the command prompt, type:

flush lsn session –nattype DS-Lite

show lsn session –nattype DS-Lite
<!--NeedCopy-->

To clear selected DS-Lite sessions by using the command line interface

At the command prompt, type:

flush lsn session –nattype DS-Lite [-clientname <string>] [-network <ip_addr> [-netmask <netmask>] [-td <positive_integer>]] [-natIP <ip_addr> [-natPort <port>]]

show lsn session –nattype DS-Lite
<!--NeedCopy-->

To clear all or selected DS-Lite sessions by using the configuration utility

  1. Navigate to System > Large Scale NAT > Sessions, and click the DS-Lite tab.
  2. Click Flush Sessions.

Logging HTTP Header Information

The Citrix ADC appliance can log request header information of an HTTP connection that is using the DS-Lite functionality. The following header information of an HTTP request packet can be logged:

  • URL that the HTTP request is destined to
  • HTTP Method specified in the HTTP request
  • HTTP version used in the HTTP request
  • IPv4 address of the subscriber that sent the HTTP request

The HTTP header logs can be used by ISPs to see the trends related to the HTTP protocol among a set of subscribers. For example, an ISP can use this feature to find out the most popular website among a set of subscribers.

Configuration Steps

Perform the following tasks for configuring the Citrix ADC appliance to log HTTP header information:

  • Create an HTTP header log profile. An HTTP header log profile is a collection of HTTP header attributes (for example, URL and HTTP method) that can be enabled or disabled for logging.
  • Bind the HTTP header to an LSN group of a DS-Lite LSN configuration. Bind the HTTP header log profile to an LSN group of an LSN configuration by setting the HTTP header log profile name parameter to the name of the created HTTP header log profile. The Citrix ADC appliance then logs HTTP header information of any HTTP requests related to the LSN group. An HTTP header log profile can be bound to multiple LSN groups, but an LSN group can have only one HTTP header log profile.

To create an HTTP header log profile by using the command line interface

At the command prompt, type:

add lsn httphdrlogprofile <httphdrlogprofilename> [-logURL ( ENABLED | DISABLED )] [-logMethod ( ENABLED | DISABLED )] [-logVersion ( ENABLED | DISABLED )] [-logHost ( ENABLED | DISABLED )]

show lsn httphdrlogprofile
<!--NeedCopy-->

To bind an HTTP header log profile to an LSN group by using the command line interface

At the command prompt, type:

bind lsn group <groupname> -httphdrlogprofilename <string>

show lsn group <groupname>
<!--NeedCopy-->

Sample Configuration

In the following DS-Lite LSN configuration, HTTP header log profile HTTP-Header-LOG-1 is bound to LSN group LSN-DSLITE-GROUP-1. The log profile has all the HTTP attributes (URL, HTTP method, HTTP version, and HOST IP address) enabled for logging, so that all these attributes are logged for any HTTP requests from B4 devices (in the network 2001:DB8:5001::/96).

Sample Configuration:

add lsn httphdrlogprofile HTTP-HEADER-LOG-1

Done

add lsn client LSN-DSLITE-CLIENT-1

Done

bind lsn client LSN-DSLITE-CLIENT-1 -network6 2001:DB8::3:0/100

Done

add lsn pool LSN-DSLITE-POOL-1

Done

bind lsn pool LSN-DSLITE-POOL-1 203.0.113.61 - 203.0.113.70

Done

add lsn ip6profile LSN-DSLITE-PROFILE-1 -type DS-Lite -network6 2001:DB8::5:6

Done

add lsn group LSN-DSLITE-GROUP-1 -clientname LSN-DSLITE-CLIENT-1 -portblocksize 1024 -ip6profile LSN-DSLITE-PROFILE-1

Done

bind lsn group LSN-DSLITE-GROUP-1 -poolname LSN-DSLITE-POOL-1

Done

bind lsn group LSN-DSLITE-GROUP-1 -httphdrlogprofilename HTTP-HEADER-LOG-1

Done
<!--NeedCopy-->

IPFIX Logging

The Citrix ADC appliance supports sending information about LSN events in Internet Protocol Flow Information Export (IPFIX) format to the configured set of IPFIX collector(s). The appliance uses the existing AppFlow feature to send LSN events in IPFIX format to the IPFIX collectors.

IPFIX based logging is available for the following DS_Lite related events:

  • Creation or deletion of an LSN session.
  • Creation or deletion of an LSN mapping entry.
  • Allocation or de-allocation of port blocks in the context of deterministic NAT.
  • Allocation or de-allocation of port blocks in the context of dynamic NAT.
  • Whenever subscriber session quota is exceeded.

Points to Consider before you Configure IPFIX logging

Before you start configuring IPSec ALG, consider the following points:

Configuration Steps

Perform the following tasks for logging LSN information in IPFIX format:

  • Enable LSN logging in the AppFlow configuration. Enable the LSN logging parameter as part of AppFlow configuration.
  • Create an LSN log profile. An LSN log profile includes the IPFIX parameter that enables or disables the log information in IPFIX format.
  • Bind the LSN log profile to an LSN group of an LSN configuration. Bind the LSN log profile to one or multiple LSN group(s). Events related to the bound LSN group will be logged in IPFIX format.

To enable LSN logging in the AppFlow configuration by using the CLI

At the command prompt, type:

set appflow param -lsnLogging (ENABLED |DISABLED )

show appflow param
<!--NeedCopy-->

To create an LSN log profile by using the CLIAt the command prompt, type

At the command prompt, type:

set lsn logprofile <logProfileName>  -logipfix ( ENABLED | DISABLED )

show lsn logprofile
<!--NeedCopy-->

To bind the LSN log profile to an LSN group of an LSN configuration by using the CLI

At the command prompt, type:

bind lsn group <groupname>  -logProfileName <lsnlogprofilename>

show lsn group
<!--NeedCopy-->

To create an LSN log profile by using the GUI

Navigate to System > Large Scale NAT > Profiles, click Log tab, and then add a log profile.

To bind the LSN log profile to an LSN group of an LSN configuration by using the GUI

  1. Navigate to System > Large Scale NAT > LSN Group, open the LSN group.
  2. In Advanced Settings, click + Log Profile to bind the created Log profile to the LSN group.
Logging and Monitoring DS-Lite