ADC

Configuration Steps for LSN

Configuring LSN on a Citrix ADC appliance consists of the following tasks:

  1. Set the global LSN parameters. Global parameters include the amount of Citrix ADC memory reserved for the LSN feature and synchronization of LSN sessions in a high availability setup.
  2. Create an LSN client entity and bind subscribers to it. An LSN client entity is a set of subscribers on whose traffic you want the Citrix ADC appliance to perform LSN. The client entity includes IPv4 addresses and extended ACL rules for identifying subscribers. An LSN client can be bound to only one LSN group. The command line interface has two commands for creating an LSN client entity and binding a subscriber to the LSN client entity. The configuration utility combines these two operations on a single screen.
  3. Create an LSN pool and bind NAT IP addresses to it. An LSN pool defines a pool of NAT IP addresses to be used by the Citrix ADC appliance to perform LSN. The pool is assigned parameters, such as port block allocation and NAT type (Deterministic or Dynamic). An LSN pool bound to an LSN group applies to all subscribers of an LSN client entity bound to the same group. Only LSN Pools and LSN groups with the same NAT type settings can be bound together. Multiple LSN pools can be bound to an LSN group. For Dynamic NAT, an LSN pool can be bound to multiple LSN groups. For Deterministic NAT, pools bound to an LSN group cannot be bound to other LSN groups. The command line interface has two commands for creating an LSN pool and binding NAT IP addresses to the LSN pool. The configuration utility combines these two operations on a single screen.
  4. (Optional) Create an LSN Transport Profile for a specified protocol. An LSN transport profile defines various timeouts and limits, such as maximum LSN sessions and maximum ports usage, that a subscriber can have for a given protocol. You bind an LSN transport profile for each protocol (TCP, UDP, and ICMP) to an LSN group. A profile can be bound to multiple LSN groups. A profile bound to an LSN group applies to all subscribers of an LSN client bound to the same group. By default, one LSN transport profile with default settings for TCP, UDP, and ICMP protocols is bound to an LSN group during its creation. This profile is called default transport profile. An LSN transport profile that you bind to an LSN group overrides the default LSN transport profile for that protocol.
  5. (Optional) Create an LSN Application Profile for a specified protocol and bind a set of destination ports to it. An LSN application profile defines the LSN mapping and LSN filtering controls of a group for a given protocol and for a set of destination ports. For a set of destination ports, you bind an LSN profile for each protocol (TCP, UDP, and ICMP) to an LSN group. A profile can be bound to multiple LSN groups. An LSN application profile bound to an LSN group applies to all subscribers of an LSN client bound to the same group. By default, one LSN application profile with default settings for TCP, UDP, and ICMP protocols for all destination ports is bound to an LSN group during its creation. This profile is called a default application profile. When you bind an LSN application profile, with a specified set of destination ports, to an LSN group, the bound profile overrides the default LSN application profile for that protocol at that set of destination ports. The command line interface has two commands for creating an LSN application profile and binding a set of destination ports to the LSN application profile. The configuration utility combines these two operations on a single screen.
  6. Create an LSN Group and bind LSN pools, (optional) LSN transport profiles, and (optional) LSN application profiles to the LSN group. An LSN group is an entity consisting of an LSN client, LSN pool(s), LSN transport profile(s), and LSN application profiles(s). A group is assigned parameters, such as port block size and logging of LSN sessions. The parameter settings apply to all the subscribers of an LSN client bound to the LSN group. Only LSN Pools and LSN groups with the same NAT type settings can be bound together. Multiples LSN pools can be bound to an LSN group. For Dynamic NAT, an LSN pool can be bound to multiple LSN groups. For Deterministic NAT, pools bound to an LSN group cannot be bound to other LSN groups. Only one LSN client entity can be bound to an LSN group, and an LSN client entity bound to an LSN group cannot be bound to other LSN groups. The command line interface has two commands for creating an LSN group and binding LSN pools, LSN transport profiles, LSN application profiles to the LSN group. The configuration utility combines these two operations in a single screen.

The following table lists the maximum numbers of different LSN entities and bindings that can be created on a Citrix ADC appliance. These limits are also subject to memory available on the Citrix ADC appliance.

LSN entities and bindings Limit
LSN clients 1024
LSN pools 128
LSN groups 1024
Subscriber networks that can be bound to an LSN client 64
Extended ACLs that can be bound to an LSN client 1024
NAT IP addresses in a Pool 4096
LSN pools that can be bound to an LSN group 8
LSN groups that can use the same LSN pool 16
LSN transport profiles that can be bound to an LSN group 3 (one each for TCP, UDP, and ICMP protocols )
LSN groups that can use same LSN transport profile 8
LSN application profiles that can be bound to an LSN group 64
LSN groups that can use same LSN application profile 8
Port ranges that can be bound to an LSN application profile 8

Configuration Using the Command Line Interface

To create an LSN client by using the command line interface

At the command prompt, type:

add lsn client <clientname>

show lsn client
<!--NeedCopy-->

To bind a network address or an ACL rule to an LSN client by using the command line interface

At the command prompt, type:

bind lsn client <clientname> ((-network <ip_addr> [-netmask <netmask>] [-td<positive_integer>]) | -aclname <string>)

show lsn client
<!--NeedCopy-->

To create an LSN pool by using the command line interface

At the command prompt, type:

add lsn pool <poolname> [-nattype ( DYNAMIC | DETERMINISTIC )] [-portblockallocation ( ENABLED | DISABLED )] [-portrealloctimeout <secs>] [-maxPortReallocTmq <positive_integer>]

show lsn pool
<!--NeedCopy-->

To bind an IP address range to an LSN pool by using the command line interface

At the command prompt, type:

bind lsn pool <poolname> <lsnip>

show lsn pool
<!--NeedCopy-->

Note: For removing LSN IP addresses from an LSN  pool, use the unbind lsn pool command.

To create an LSN transport profile by using the command line interface

At the command prompt, type:

add lsn transportprofile <transportprofilename> <transportprotocol> [-sessiontimeout <secs>] [-finrsttimeout <secs>] [-portquota <positive_integer>] [-sessionquota <positive_integer>] [-portpreserveparity ( ENABLED | DISABLED )] [-portpreserverange (ENABLED | DISABLED )] [-syncheck ( ENABLED | DISABLED )]

show lsn transportprofile
<!--NeedCopy-->

To create an LSN application profile by using the command line interface

At the command prompt, type:

add lsn appsprofile <appsprofilename> <transportprotocol> [-ippooling (PAIRED | RANDOM )] [-mapping <mapping>] [-filtering <filtering>][-tcpproxy ( ENABLED | DISABLED )] [-td <positive_integer>]

show lsn appsprofile
<!--NeedCopy-->

To bind an application protocol port range to an LSN application profile by using the command line interface

At the command prompt, type:

bind lsn appsprofile <appsprofilename> <lsnport>

show lsn appsprofile
<!--NeedCopy-->

To create an LSN group by using the command line interface

At the command prompt, type:

add lsn group <groupname> -clientname <string> [-nattype ( DYNAMIC |DETERMINISTIC )] [-portblocksize <positive_integer>] [-logging (ENABLED | DISABLED )] [-sessionLogging ( ENABLED | DISABLED )][-sessionSync (ENABLED | DISABLED )] [-snmptraplimit <positive_integer>] [-ftp ( ENABLED | DISABLED )]

show lsn group
<!--NeedCopy-->

To bind LSN profiles and LSN pools to an LSN group by using the command line interface

At the command prompt, type:

bind lsn group <groupname> (-poolname <string> | -transportprofilename <string> | -appsprofilename <string>)

show lsn group
<!--NeedCopy-->

Configuration Using the Configuration Utility

To configure an LSN client and bind an IPv4 network address or an ACL rule by using the configuration utility

Navigate to System > Large Scale NAT > Clients, and add a client and then bind an IPv4 network address or an ACL rule to the client.

To configure an LSN pool and bind NAT IP addresses by using the configuration utility

Navigate to System > Large Scale NAT > Pools, and add a pool and then bind an NAT IP address or a range of NAT IP addresses to the pool.

To configure an LSN transport profile by using the configuration utility

  1. Navigate to System > Large Scale NAT > Profiles.
  2. On the details pane, click Transport tab, and then add a transport profile.

To configure an LSN application profile by using the configuration utility

  1. Navigate to System > Large Scale NAT > Profiles.
  2. On the details pane, click Application tab, and then add an application profile.

To configure an LSN group and bind an LSN client, pools, transport profiles, and application profiles by using the configuration utility

Navigate to System > Large Scale NAT > Groups, and add a group and then bind an LSN client, pools, transport profiles, and application profiles to the group.

Parameter Descriptions (of commands listed in the CLI procedure)

  • add lsn client

    • clientname

      Name for the LSN client entity. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the LSN client is created. The following requirement applies only to the CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “lsn client1” or ‘lsn client1’).

      This is a mandatory argument. Maximum Length: 127

Parameter Descriptions (of commands listed in the CLI procedure)

  • bind lsn client

    • clientname

      Name for the LSN client entity. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the LSN client is created. The following requirement applies only to the CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “lsn client1” or ‘lsn client1’).

      This is a mandatory argument. Maximum Length: 127

    • network

      IPv4 address(es) of the LSN subscriber(s) or subscriber network(s) on whose traffic you want the Citrix ADC appliance to perform Large Scale NAT.

    • netmask

      Subnet mask for the IPv4 address specified in the Network parameter.

      Default value: 255.255.255.255

    • td

      ID of the traffic domain on which this subscriber or the subscriber network (as specified by the network parameter) belongs.

      If you do not specify an ID, the subscriber or the subscriber network becomes part of the default traffic domain.

      Default value: 0

      Minimum value: 0

      Maximum value: 4094

    • aclname

      Name(s) of any configured extended ACL(s) whose action is ALLOW. The condition specified in the extended ACL rule identifies the traffic from an LSN subscriber for which the Citrix ADC appliance is to perform large scale NAT. Maximum Length: 127

Parameter Descriptions (of commands listed in the CLI procedure)

  • add lsn pool

    • poolname

      Name for the LSN pool. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the LSN pool is created. The following requirement applies only to the CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “lsn pool1” or ‘lsn pool1’).

      This is a mandatory argument. Maximum Length: 127

    • nattype

      Type of NAT IP address and port allocation (from the LSN pools bound to an LSN group) for subscribers (of the LSN client entity bound to the LSN group):

      Available options function as follows:

      • Deterministic—Allocate a NAT IP address and a block of ports to each subscriber (of the LSN client bound to the LSN group). The Citrix ADC appliance sequentially allocates NAT resources to these subscribers. The Citrix ADC appliance assigns the first block of ports (block size determined by the port block size parameter of the LSN group) on the beginning NAT IP address to the beginning subscriber IP address. The next range of ports is assigned to the next subscriber, and so on, until the NAT address does not have enough ports for the next subscriber. In this case, the first port block on the next NAT address is used for the subscriber, and so on. Because each subscriber now receives a deterministic NAT IP address and a block of ports, a subscriber can be identified without any need for logging. For a connection, a subscriber can be identified based only on the NAT IP address and port, and the destination IP address and port.

      • Dynamic—Allocate a random NAT IP address and a port from the LSN NAT pool for a subscribers connection. If port block allocation is enabled (in LSN pool) and a port block size is specified (in the LSN group), the Citrix ADC appliance allocates a random NAT IP address and a block of ports for a subscriber when it initiates a connection for the first time. The appliance allocates this NAT IP address and a port (from the allocated block of ports) for different connections from this subscriber. If all the ports are allocated (for different subscribers connections) from the subscribers allocated port block, the appliance allocates a new random port block for the subscriber. Only LSN Pools and LSN groups with the same NAT type settings can be bound together. Multiples LSN pools can be bound to an LSN group.

        Possible values: DYNAMIC, DETERMINISTIC

        Default value: DYNAMIC

    • portblockallocation

      Allocate a random NAT port block, from the available NAT port pool of an NAT IP address, for each subscriber when the NAT allocation is set as Dynamic NAT. For any connection initiated from a subscriber, the Citrix ADC appliance allocates a NAT port from the subscribers allocated NAT port block to create the LSN session.

      You must set the port block size in the bound LSN group. For a subscriber, if all the ports are allocated from the subscribers allocated port block, the Citrix ADC appliance allocates a new random port block for the subscriber.

      For Deterministic NAT, this parameter is enabled by default, and you cannot disable it.

      Possible values: ENABLED, DISABLED

      Default value: DISABLED

    • portrealloctimeout

      The waiting time, in seconds, between deallocating LSN NAT ports (when an LSN mapping is removed) and reallocating them for a new LSN session. This parameter is necessary in order to prevent collisions between old and new mappings and sessions. It ensures that all established sessions are broken instead of redirected to a different subscriber. This is not applicable for ports used in:

      • Deterministic NAT
      • Address-Dependent filtering and Address-Port-Dependent filtering
      • Dynamic NAT with port block allocation

      In these cases, ports are immediately reallocated.

      Default value: 0

      Maximum value: 600

    • maxPortReallocTmq

      Maximum number of ports for which the port reallocation timeout applies for each NAT IP address. In other words, the maximum deallocated-port queue size for which the reallocation timeout applies for each NAT IP address.

      When the queue size is full, the next port deallocated is reallocated immediately for a new LSN session.

      Default value: 65536

      Maximum value: 65536

Parameter Descriptions (of commands listed in the CLI procedure)

  • bind lsn pool

    • poolname

      Name for the LSN pool. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the LSN pool is created. The following requirement applies only to the CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “lsn pool1” or ‘lsn pool1’).

      This is a mandatory argument. Maximum Length: 127

    • lsnip

      IPv4 address or a range of IPv4 addresses to be used as NAT IP address(es) for LSN.

      After the pool is created, these IPv4 addresses are added to the Citrix ADC appliance as Citrix ADC owned IP address of type LSN. An LSN IP address associated with an LSN pool cannot be shared with other LSN pools. IP addresses specified for this parameter must not already exist on the Citrix ADC appliance as any Citrix ADC owned IP addresses. In the command line interface, separate the range with a hyphen. For example: 10.102.29.30-10.102.29.189. You can later remove some or all the LSN IP addresses from the pool, and add IP addresses to the LSN pool.

Parameter Descriptions (of commands listed in the CLI procedure)

  • add lsn transportprofile

    • transportprofilename

      Name for the LSN transport profile. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the LSN transport profile is created. The following requirement applies only to the CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “lsn transport profile1” or ‘lsn transport profile1’).

      This is a mandatory argument. Maximum Length: 127

    • transportprotocol

      Protocol for which to set the LSN transport profile parameters.

      This is a mandatory argument.

      Possible values: TCP, UDP, ICMP

    • sessiontimeout

      Timeout, in seconds, for an idle LSN session. If an LSN session is idle for a time that exceeds this value, the Citrix ADC appliance removes the session.

      This timeout does not apply for a TCP LSN session when a FIN or RST message is received from either of the endpoints.

      Default value: 120

      Minimum value: 60

    • finrsttimeout

      Timeout, in seconds, for a TCP LSN session after a FIN or RST message is received from one of the endpoints.

      f a TCP LSN session is idle (after the Citrix ADC appliance receives a FIN or RST message) for a time that exceeds this value, the Citrix ADC appliance removes the session.

      Since the LSN feature of the Citrix ADC appliance does not maintain state information of any TCP LSN sessions, this timeout accommodates the transmission of the FIN or RST, and ACK messages from the other endpoint so that both endpoints can properly close the connection.

      Default value: 30

    • portquota

      Maximum number of LSN NAT ports to be used at a time by each subscriber for the specified protocol. For example, each subscriber can be limited to a maximum of 500 TCP NAT ports. When the LSN NAT mappings for a subscriber reach the limit, the Citrix ADC appliance does not allocate additional NAT ports for that subscriber.

      Default value: 0

      Minimum value: 0

      Maximum value: 65535

    • sessionquota

      Maximum number of concurrent LSN sessions allowed for each subscriber for the specified protocol. When the number of LSN sessions reaches the limit for a subscriber, the Citrix ADC appliance does not allow the subscriber to open additional sessions.

      Default value: 0

      Minimum value: 0

      Maximum value: 65535

    • portpreserveparity

      Enable port parity between a subscriber port and its mapped LSN NAT port. For example, if a subscriber initiates a connection from an odd numbered port, the Citrix ADC appliance allocates an odd numbered LSN NAT port for this connection. You must set this parameter for proper functioning of protocols that require the source port to be even or odd numbered, for example, in peer-to-peer applications that use RTP or RTCP protocol.

      Possible values: ENABLED, DISABLED

      Default value: DISABLED

    • portpreserverange

      If a subscriber initiates a connection from a well-known port (0-1023), allocate a NAT port from the well-known port range (0-1023) for this connection. For example, if a subscriber initiates a connection from port 80, the Citrix ADC appliance can allocate port 100 as the NAT port for this connection.

      This parameter applies to dynamic NAT without port block allocation. It also applies to Deterministic NAT if the range of ports allocated includes well-known ports.

      When all the well-known ports of all the available NAT IP addresses are used in different subscribers connections (LSN sessions), and a subscriber initiates a connection from a well- known port, the Citrix ADC appliance drops this connection.

      Possible values: ENABLED, DISABLED

      Default value: DISABLED

    • syncheck

      Silently drop any non-SYN packets for connections for which there is no LSN-NAT session present on the Citrix ADC appliance.

      If you disable this parameter, the Citrix ADC appliance accepts any non-SYN packets and creates a new LSN session entry for this connection.

      Following are some reasons for the Citrix ADC appliance to receive such packets:

      • LSN session for a connection existed but the Citrix ADC appliance removed this session because the LSN session was idle for a time that exceeded the configured session timeout.
      • Such packets can be a part of a DoS attack.

      Possible values: ENABLED, DISABLED

      Default value: ENABLED

Parameter Descriptions (of commands listed in the CLI procedure)

  • add lsn appsprofile

    • appsprofilename

      Name for the LSN application profile. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the LSN application profile is created. The following requirement applies only to the CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “lsn application profile1” or ‘lsn application profile1’).

      This is a mandatory argument. Maximum Length: 127

    • transportprotocol

      Name of the protocol for which the parameters of this LSN application profile applies.

      This is a mandatory argument.

      Possible values: TCP, UDP, ICMP

    • ippooling

      NAT IP address allocation options for sessions associated with the same subscriber.

      Available options function as follows:

      • Paired—The Citrix ADC appliance allocates the same NAT IP address for all sessions associated with the same subscriber. When all the ports of a NAT IP address are used in LSN sessions (for same or multiple subscribers), the Citrix ADC appliance drops any new connection from the subscriber.
      • Random—The Citrix ADC appliance allocates random NAT IP addresses, from the pool, for different sessions associated with the same subscriber.

      This parameter is applicable to dynamic NAT allocation only.

      Possible values: PAIRED, RANDOM

      Default value: RANDOM

    • mapping

      Type of LSN mapping to apply to subsequent packets originating from the same subscriber IP address and port.

      Consider an example of an LSN mapping that includes the mapping of the subscriber IP:port (X:x), NAT IP:port (N:n), and external host IP:port (Y:y).

      Available options function as follows:

      • ENDPOINT-INDEPENDENT—Reuse the LSN mapping for subsequent packets sent from the same subscriber IP address and port (X:x) to any external IP address and port.
      • ADDRESS-DEPENDENT—Reuse the LSN mapping for subsequent packets sent from the same subscriber IP address and port (X:x) to the same external IP address (Y), regardless of the external port.
      • ADDRESS-PORT-DEPENDENT—Reuse the LSN mapping for subsequent packets sent from the same internal IP address and port (X:x) to the same external IP address and port (Y:y) while the mapping is still active.

      Possible values: ENDPOINT-INDEPENDENT, ADDRESS-DEPENDENT, ADDRESS-PORT-DEPENDENT

      Default value: ADDRESS-PORT-DEPENDENT

    • filtering

      Type of filter to apply to packets originating from external hosts.

      Consider an example of an LSN mapping that includes the mapping of subscriber IP:port (X:x), NAT IP:port (N:n), and external host IP:port (Y:y).

      Available options function as follows:

      • ENDPOINT INDEPENDENT—Filters out only packets not destined to the subscriber IP address and port X:x, regardless of the external host IP address and port source (Z:z). The Citrix ADC appliance forwards any packets destined to X:x. In other words, sending packets from the subscriber to any external IP address is sufficient to allow packets from any external hosts to the subscriber.
      • ADDRESS DEPENDENT—Filters out packets not destined to subscriber IP address and port X:x. In addition, the appliance filters out packets from Y:y destined for the subscriber (X:x) if the client has not previously sent packets to Y:anyport (external port independent). In other words, receiving packets from a specific external host requires that the subscriber first send packets to that specific external host’s IP address.
      • ADDRESS PORT DEPENDENT (the default)—Filters out packets not destined to subscriber IP address and port (X:x). In addition, the Citrix ADC appliance filters out packets from Y:y destined for the subscriber (X:x) if the subscriber has not previously sent packets to Y:y. In other words, receiving packets from a specific external host requires that the subscriber first send packets first to that external IP address and port.

      Possible values: ENDPOINT-INDEPENDENT, ADDRESS-DEPENDENT, ADDRESS-PORT-DEPENDENT

      Default value: ADDRESS-PORT-DEPENDENT

    • tcpproxy

      Enable TCP proxy, which enables the Citrix ADC appliance to optimize the TCP traffic by using Layer 4 features.

      Possible values: ENABLED, DISABLED

      Default value: DISABLED

    • td

      ID of the traffic domain through which the Citrix ADC appliance sends the outbound traffic after performing LSN.

      If you do not specify an ID, the appliance sends the outbound traffic through the default traffic domain, which has an ID of 0.

      Default value: 65535

      Maximum value: 65535

Parameter Descriptions (of commands listed in the CLI procedure)

  • bind lsn appsprofile

    • appsprofilename

      Name for the LSN application profile. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the LSN application profile is created. The following requirement applies only to the CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “lsn application profile1” or ‘lsn application profile1’).

      This is a mandatory argument. Maximum Length: 127

    • lsnport

      Port numbers or range of port numbers to match against the destination port of the incoming packet from a subscriber. When the destination port is matched, the LSN application profile is applied for the LSN session. Separate a range of ports with a hyphen. For example, 40-90.

Parameter Descriptions (of commands listed in the CLI procedure)

  • add lsn group

    • groupname

      Name for the LSN group. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the LSN group is created. The following requirement applies only to the CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “lsn group1” or ‘lsn group1’).

      This is a mandatory argument. Maximum Length: 127

    • clientname

      Name of the LSN client entity to be associated with the LSN group. You can associate only one LSN client entity with an LSN group. You cannot remove this association or replace with another LSN client entity once the LSN group is created.

      This is a mandatory argument. Maximum Length: 127

    • nattype

      Type of NAT IP address and port allocation (from the bound LSN pools) for subscribers:

      Available options function as follows:

      • Deterministic—Allocate a NAT IP address and a block of ports to each subscriber (of the LSN client bound to the LSN group). The Citrix ADC appliance sequentially allocates NAT resources to these subscribers. The Citrix ADC appliance assigns the first block of ports (block size determined by the port block size parameter of the LSN group) on the beginning NAT IP address to the beginning subscriber IP address. The next range of ports is assigned to the next subscriber, and so on, until the NAT address does not have enough ports for the next subscriber. In this case, the first port block on the next NAT address is used for the subscriber, and so on. Because each subscriber now receives a deterministic NAT IP address and a block of ports, a subscriber can be identified without any need for logging. For a connection, a subscriber can be identified based only on the NAT IP address and port, and the destination IP address and port.
      • Dynamic—Allocate a random NAT IP address and a port from the LSN NAT pool for a subscriber’s connection. If port block allocation is enabled (in LSN pool) and a port block size is specified (in the LSN group), the Citrix ADC appliance allocates a random NAT IP address and a block of ports for a subscriber when it initiates a connection for the first time. The appliance allocates this NAT IP address and a port (from the allocated block of ports) for different connections from this subscriber. If all the ports are allocated (for different subscribers connections) from the subscribers allocated port block, the appliance allocates a new random port block for the subscriber.

      Possible values: DYNAMIC, DETERMINISTIC

      Default value: DYNAMIC

    • portblocksize

      Size of the NAT port block to be allocated for each subscriber.

      To set this parameter for Dynamic NAT, you must enable the port block allocation parameter in the bound LSN pool. For Deterministic NAT, the port block allocation parameter is always enabled, and you cannot disable it.

      In Dynamic NAT, the Citrix ADC appliance allocates a random NAT port block, from the available NAT port pool of an NAT IP address, for each subscriber. For a subscriber, if all the ports are allocated from the subscribers allocated port block, the appliance allocates a new random port block for the subscriber.

    • logging

      Log mapping entries and sessions created or deleted for this LSN group. The Citrix ADC appliance logs LSN sessions for this LSN group only when both logging and session logging parameters are enabled.

      The appliance uses its existing syslog and audit log framework to log LSN information. You must enable global level LSN logging by enabling the LSN parameter in the related NSLOG action and SYLOG action entities. When the Logging parameter is enabled, the Citrix ADC appliance generates log messages related to LSN mappings and LSN sessions of this LSN group. The appliance then sends these log messages to servers associated with the NSLOG action and SYSLOG actions entities.

      A log message for an LSN mapping entry consists of the following information:

      • NSIP address of the Citrix ADC appliance
      • Time stamp
      • Entry type (MAPPING or SESSION)
      • Whether the LSN mapping entry is created or deleted
      • Subscriber’s IP address, port, and traffic domain ID
      • NAT IP address and port
      • Protocol name
      • Destination IP address, port, and traffic domain ID might be present, depending on the following conditions:
        • Destination IP address and port are not logged for Endpoint-Independent mapping
        • Only Destination IP address (and not port) is logged for Address-Dependent mapping
        • Destination IP address and port are logged for Address-Port-Dependent mapping

      Possible values: ENABLED, DISABLED

      Default value: DISABLED

    • sessionLogging

      Log sessions created or deleted for the LSN group. The Citrix ADC appliance logs LSN sessions for this LSN group only when both logging and session logging parameters are enabled.

      A log message for an LSN session consists of the following information:

      • NSIP address of the Citrix ADC appliance
      • Time stamp
      • Entry type (MAPPING or SESSION)
      • Whether the LSN session is created or removed
      • Subscriber’s IP address, port, and traffic domain ID
      • NAT IP address and port
      • Protocol name
      • Destination IP address, port, and traffic domain ID

      Possible values: ENABLED, DISABLED

      Default value: DISABLED

    • sessionSync

      In a high availability (HA) deployment, synchronize information of all LSN sessions related to this LSN group with the secondary node. After a failover, established TCP connections and UDP packet flows are kept active and resumed on the secondary node (new primary).

      For this setting to work, you must enable the global session synchronization parameter.

      Possible values: ENABLED, DISABLED

      Default value: ENABLED

    • snmptraplimit

      Maximum number of SNMP Trap messages that can be generated for the LSN group in one minute.

      Default value: 100

      Minimum value: 0

      Maximum value: 10000

    • ftp

      Enable Application Layer Gateway (ALG) for the FTP protocol. For some application-layer protocols, the IP addresses and protocol port numbers are usually communicated in the packets payload. When acting as an ALG, the appliance changes the packets payload to ensure that the protocol continues to work over LSN.

      Note: The Citrix ADC appliance also includes ALG for ICMP and TFTP protocols. ALG for the ICMP protocol is enabled by default, and there is no provision to disable it. ALG for the TFTP protocol is disabled by default. ALG is enabled automatically for an LSN group when you bind a UDP LSN application profile, with endpoint-independent-mapping, endpoint-independent filtering, and destination port as 69 (well-known port for TFTP), to the LSN group.

      Possible values: ENABLED, DISABLED

      Default value: ENABLED

Parameter Descriptions (of commands listed in the CLI procedure)

  • bind lsn group

    • groupname

      Name for the LSN group. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the LSN group is created. The following requirement applies only to the CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “lsn group1” or ‘lsn group1’).

      This is a mandatory argument. Maximum Length: 127

    • poolname

      Name of the LSN pool to bind to the specified LSN group. Only LSN Pools and LSN groups with the same NAT type settings can be bound together. Multiples LSN pools can be bound to an LSN group.

      For Deterministic NAT, pools bound to an LSN group cannot be bound to other LSN groups. For Dynamic NAT, pools bound to an LSN group can be bound to multiple LSN groups. Maximum Length: 127

    • transportprofilename

      Name of the LSN transport profile to bind to the specified LSN group. Bind a profile for each protocol for which you want to specify settings.

      By default, one LSN transport profile with default settings for TCP, UDP, and ICMP protocols is bound to an LSN group during its creation. This profile is called a default transport.

      An LSN transport profile that you bind to an LSN group overrides the default LSN transport profile for that protocol. Maximum Length: 127

    • appsprofilename

      Name of the LSN application profile to bind to the specified LSN group. For each set of destination ports, bind a profile for each protocol for which you want to specify settings.

      By default, one LSN application profile with default settings for TCP, UDP, and ICMP protocols for all destination ports is bound to an LSN group during its creation. This profile is called a default application profile.

      When you bind an LSN application profile, with a specified set of destination ports, to an LSN group, the bound profile overrides the default LSN application profile for that protocol at that set of destination ports. Maximum Length: 127