ADC

Logging and Monitoring Large Scale NAT64

You can log large scale NAT64 information to diagnose and troubleshoot problems, and to meet legal requirements. You can monitor the performance of the large scale NAT64 deployment by using statistical counters and displaying the related current sessions.

Logging Large Scale NAT64

Logging large scale NAT64 information is required for ISPs to meet legal requirements and identify the source of traffic at any given time.

A log message for a large scale NAT64 mapping entry consists of the following information:

  • Citrix ADC owned IP address (NSIP address or SNIP address) from which the log message is sourced.
  • Time stamp.
  • Entry type (MAPPING).
  • Whether the mapping entry was created or deleted.
  • Subscriber’s IP address, port, and traffic domain ID.
  • NAT IP address and port.
  • Protocol name.
  • Destination IP address, port, and traffic domain ID might be present, depending on the following conditions:
    • Destination IP address and port are not logged for endpoint-independent mapping.
    • Only the destination IP address is logged for address-dependent mapping. The port is not logged.
    • Destination IP address and port are logged for address-port-dependent mapping.

A log message for a large scale NAT64 session consists of the following information:

  • Citrix ADC owned IP address (NSIP address or SNIP address) from which the log message is sourced
  • Time stamp
  • Entry type (SESSION)
  • Whether the session is created or removed
  • Subscriber’s IP address, port, and traffic domain ID
  • NAT IP address and port
  • Protocol name
  • Destination IP address, port, and traffic domain ID

The following table displays sample large scale NAT64 log entries of each type stored on the configured log servers. The log entries show that a subscriber whose IPv6 address is 2001:db8:5001::9 was connected to destination IP:port 23.0.0.1:80 through NAT IP:port 203.0.113.63:45195 on April 7, 2016, from 14:07:57 GMT to 14:10:59 GMT.

Log Entry Type Sample Log Entry
Session Creation 04/07/2016:14:07:57 GMT  Informational 0-PPE-10 : default LSN LSN_SESSION 5532 0 :  SESSION CREATED Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP
Mapping Creation 04/07/2016:14:07:57 GMT  Informational 0-PPE-10 : default LSN LSN_ADDR_MAPPING 5533 0 :  ADM CREATED Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:TD 23.0.0.1:80, Protocol: TCP
Session Deletion 04/07/2016:14:10:59 GMT  0-PPE-10 : default LSN LSN_SESSION 25012 0 :  SESSION DELETED Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP
Mapping Deletion 04/07/2016:14:10:59 GMT 0-PPE-10 : default LSN LSN_ADDR_MAPPING 25013 0 : ADM DELETED Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP

Configuration Steps

You can configure logging of large scale NAT64 information for a large scale NAT64 configuration by setting the LSN groups’s logging and session logging parameters. These are group level parameters and are disabled by default. The Citrix ADC appliance logs large scale NAT64 sessions for an LSN group only when both logging and session logging parameters are enabled.

The following table displays the logging behavior for an LSN group for various settings of logging and session logging parameters.

Logging Session Logging Logging Behavior
Enabled Enabled Logs LSN mapping entries as well as LSN sessions
Enabled Disabled Logs LSN mapping entries but not LSN sessions
Disabled Enabled Logs neither mapping entries nor LSN sessions

To log large scale NAT64 information by using the CLI

To set the logging and session logging parameters while adding an LSN group, at the command prompt, type:

add lsn group <groupname> -clientname <string> [-logging (ENABLED|DISABLED)] [-sessionLogging (ENABLED|DISABLED)]

show lsn group
<!--NeedCopy-->

To set the logging and session logging parameters for an existing LSN group, at the command prompt, type:

set lsn group <groupname> [-logging (ENABLED|DISABLED)] [-sessionLogging (ENABLED|DISABLED)]

show lsn group
<!--NeedCopy-->

Sample Configuration

In this example of large scale NAT64 configuration, logging and session logging paramters are enabled for LSN group LSN-NAT64-GROUP-1.

The Citrix ADC appliance logs large scale NAT64 session and mapping information for connections from subscribers (in the network 2001:DB8:5001::/96).

Sample configuration:

add lsn client LSN-NAT64-CLIENT-1 Done
Done
bind lsn client LSN-NAT64-CLIENT-1 -network6 2001:DB8:5001::/96
Done
add lsn pool LSN-NAT64-POOL-1
Done
bind lsn pool LSN-NAT64-POOL-1 203.0.113.61 - 203.0.113.70
Done
add lsn ip6profile LSN-NAT64-PROFILE-1 -type NAT64 -natprefix 2001:DB8:300::/96
Done
add lsn group LSN-NAT64-GROUP-1 -clientname LSN-NAT64-CLIENT-1  -ip6profile LSN-NAT64-PROFILE-1  -logging ENABLED -sessionLogging ENABLED
Done
bind lsn group LSN-NAT64-GROUP-1 -poolname LSN-NAT64-POOL-1
Done
<!--NeedCopy-->

Logging MSISDN Information for Large Scale NAT64

A Mobile Station Integrated Subscriber Directory Number (MSISDN) is a telephone number uniquely identifying a subscriber across multiple mobile networks. The MSISDN is associated with a country code and a national destination code identifying the subscriber’s operator.

You can configure a Citrix ADC appliance to include MSISDNs in large scale NAT64 LSN log entries for subscribers in mobile networks. The presence of MSISDNs in the LSN logs facilitates faster and accurate back tracing of a mobile subscriber who has violated a policy or law, or whose information is required by lawful interception agencies.

The following sample LSN log entries include MSISDN information for a connection from a mobile subscriber in an LSN configuration. The log entries show that a mobile subscriber whose MSISDN is E164:5556543210 and IPv6 address is 2001:db8:5001::9 was connected to destination IP:port 23.0.0.1:80 through the NAT IP:port 203.0.113.63:45195 on April 7, 2016, from 14:07:57 GMT to  14:10:59 GMT.

Log Entry Type Sample Log Entry
Session Creation 04/07/2016:14:07:57 GMT  Informational 0-PPE-10 : default LSN LSN_SESSION 5532 0 :  SESSION CREATED E164:5556543210 Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP
Mapping Creation 04/07/2016:14:07:57 GMT  Informational 0-PPE-10 : default LSN LSN_ADDR_MAPPING 5533 0 :  ADM CREATED E164:5556543210 Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:TD 23.0.0.1:80, Protocol: TCP
Session Deletion 04/07/2016:14:10:59 GMT  0-PPE-10 : default LSN LSN_SESSION 25012 0 :  SESSION DELETED E164:5556543210 Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP
Mapping Deletion 04/07/2016:14:10:59 GMT 0-PPE-10 : default LSN LSN_ADDR_MAPPING 25013 0 : ADM DELETED E164:5556543210 Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP

Configuration Steps

Perform the following tasks for including MSISDN information in LSN logs:

  • Create an LSN log profile. An LSN log profile includes the log subscriber ID parameter, which specifies whether to or not to include the MSISDN information in the LSN logs of an LSN configuration.
  • Bind the LSN log profile to an LSN group of an LSN configuration.Bind the created LSN log profile to an LSN group of an LSN configuration by setting the log profile name parameter to the created LSN log profile name. MSISDN information is included in all LSN logs related to mobile subscribers of this LSN group.

To create an LSN log profile by using the CLI

At the command prompt, type:

add lsn logprofile <logprofilename> -logSubscriberID ( ENABLED | DISABLED )

show lsn logprofile
<!--NeedCopy-->

To bind an LSN log profile to an LSN group of an NAT64 LSN configuration by using the CLI

At the command prompt, type:

bind lsn group <groupname>  -logProfileName <lsnlogprofilename>

show lsn group
<!--NeedCopy-->

Sample Configuration

In this example of NAT64 LSN configuration, the LSN log profile LOG-PROFILE-MSISDN-1 has the log subscriber ID parameter enabled. LOG-PROFILE-MSISDN-1 is bound to LSN group LSN-NAT64-GROUP-1. MSISDN information is included in the LSN session and LSN mapping logs for connections from mobile subscribers (in network 2001:DB8:5001::/96).

add lsn logprofile  LOG-PROFILE-MSISDN-1  -logSubscriberID ENABLED
Done
add lsn client LSN-NAT64-CLIENT-1
Done
bind lsn client LSN-NAT64-CLIENT-1 -network6 2001:DB8:5001::/96
Done
add lsn pool LSN-NAT64-POOL-1
Done
bind lsn pool LSN-NAT64-POOL-1 203.0.113.61 - 203.0.113.70
Done
add lsn ip6profile LSN-NAT64-PROFILE-1 -type NAT64 -natprefix 2001:DB8:300::/96
Done
add lsn group LSN-NAT64-GROUP-1 -clientname LSN-NAT64-CLIENT-1  -ip6profile LSN-NAT64-PROFILE-1
Done
bind lsn group LSN-NAT64-GROUP-1 -poolname LSN-NAT64-POOL-1
Done
bind lsn group LSN-NAT64-GROUP-1 -logprofilename  LOG-PROFILE-MSISDN-1
Done
<!--NeedCopy-->

Compact Logging for Large Scale NAT

Logging LSN information is one of the important functions needed by ISPs to meet legal requirements and be able to identify the source of traffic at any given time. This eventually results in a huge volume of log data, requiring the ISPs to make large investments to maintain the logging infrastructure.

Compact logging is a technique for reducing the log size by using a notational change involving short codes for event and protocol names. For example, C for client, SC for session created, and T for TCP. Compact logging results in an average of 40 percent reduction in log size.

Configuration Steps

Perform the following tasks for logging LSN information in compact format:

  1. Create an LSN log profile. An LSN log profile includes the Log Compact parameter, which specifies whether to or not to log information in compact format for an LSN configuration.
  2. Bind the LSN log profile to an LSN group of an LSN configuration. Bind the created LSN log profile to an LSN group of an LSN configuration by setting the Log Profile Name parameter to the created LSN log profile name. All sessions and mappings for this LSN group are logged in compact format.

To create an LSN log profile by using the CLI

At the command prompt, type:

add lsn logprofile <logprofilename> -logCompact (ENABLED|DISABLED)

show lsn logprofile
<!--NeedCopy-->

To bind an LSN log profile to an LSN group of an LSN configuration by using the CLI

At the command prompt, type:

bind lsn group <groupname> -logProfileName <lsnlogprofilename>

show lsn group
<!--NeedCopy-->

Sample Configuration for NAT64:

add lsn logprofile  LOG-PROFILE-COMPACT-1 -logCompact ENABLED
Done
add lsn client LSN-NAT64-CLIENT-1
Done
bind lsn client LSN-NAT64-CLIENT-1 -network6 2001:DB8:5001::/96
Done
add lsn pool LSN-NAT64-POOL-1
Done
bind lsn pool LSN-NAT64-POOL-1 203.0.113.61 - 203.0.113.70
Done
add lsn ip6profile LSN-NAT64-PROFILE-1 -type NAT64 -natprefix 2001:DB8:300::/96
Done
add lsn group LSN-NAT64-PROFILE-1 -clientname LSN-NAT64-CLIENT-1  -ip6profile LSN-NAT64-PROFILE-1
Done
bind lsn group LSN-NAT64-GROUP-1 -poolname LSN-NAT64-POOL-1
Done
bind lsn group LSN-NAT64-GROUP-1 –logProfileName LOG-PROFILE-COMPACT-1
Done
<!--NeedCopy-->

Logging HTTP Header Information

The Citrix ADC appliance can log request header information of an HTTP connection that is using the Citrix ADC large scale NAT64 functionality. The following header information of an HTTP request packet can be logged:

  • URL that the HTTP request is destined to
  • HTTP Method specified in the HTTP request
  • HTTP version used in the HTTP request
  • IPv6 address of the subscriber that sent the HTTP request

The HTTP header logs can be used by ISPs to see the trends related to the HTTP protocol among a set of subscribers. For example, an ISP can use this feature to find out the most popular website among a set of subscribers.

Configuration Steps

Perform the following tasks for configuring the Citrix ADC appliance to log HTTP header information:

  • Create an HTTP header log profile. An HTTP header log profile is a collection of HTTP header attributes (for example, URL and HTTP method) that can be enabled or disabled for logging.
  • Bind the HTTP header to an LSN group of a large scale NAT64 configuration. Bind the HTTP header log profile to an LSN group of an LSN configuration by setting the HTTP header log profile name parameter to the name of the created HTTP header log profile. The Citrix ADC appliance then logs HTTP header information of any HTTP requests related to the LSN group. An HTTP header log profile can be bound to multiple LSN groups, but an LSN group can have only one HTTP header log profile.

To create an HTTP header log profile by using the the command line interface

At the command prompt, type:

add lsn httphdrlogprofile <httphdrlogprofilename> [-logURL ( ENABLED | DISABLED )] [-logMethod ( ENABLED | DISABLED )] [-logVersion ( ENABLED | DISABLED )] [-logHost ( ENABLED | DISABLED )]

show lsn httphdrlogprofile
<!--NeedCopy-->

To bind an HTTP header log profile to an LSN group by using the the command line interface

At the command prompt, type:

bind lsn group <groupname> -httphdrlogprofilename <string>

show lsn group <groupname>
<!--NeedCopy-->

Sample Configuration

add lsn httphdrlogprofile HTTP-HEADER-LOG-1
Done
add lsn client LSN-NAT64-CLIENT-1 Done
Done
bind lsn client LSN-NAT64-CLIENT-1 -network6 2001:DB8:5001::/96
Done
add lsn pool LSN-NAT64-POOL-1
Done
bind lsn pool LSN-NAT64-POOL-1 203.0.113.61 - 203.0.113.70
Done
add lsn ip6profile LSN-NAT64-PROFILE-1 -type NAT64 -natprefix 2001:DB8:300::/96
Done
add lsn group LSN-NAT64-GROUP-1 -clientname LSN-NAT64-CLIENT-1  -ip6profile LSN-NAT64-PROFILE-1
Done
bind lsn group LSN-NAT64-GROUP-1 -poolname LSN-NAT64-POOL-1
Done
bind lsn group LSN-NAT64-GROUP-1 -httphdrlogprofilename HTTP-HEADER-LOG-1
Done
<!--NeedCopy-->

Displaying Current Large Scale NAT64 Sessions

You can display the current large scale NAT64 sessions in order to detect any unwanted or inefficient sessions on the Citrix ADC appliance. You can display all or some large scale NAT64 sessions on the basis of selection parameters.

Note

When more than a million large scale NAT64 sessions exist on the Citrix ADC appliance, Citrix recommends using the selection parameters to display selected large scale NAT64 sessions instead of displaying all of them.

To display all large scale NAT64 sessions by using the command line interface

At the command prompt, type:

show lsn session –nattype NAT64
<!--NeedCopy-->

To display selective large scale NAT64 sessions by using the command line interface

At the command prompt, type:

show lsn session –nattype NAT64 [-network6 <ipv6_addr|*>] [-clientname <string>] [-natIP <ip_addr> [-natPort <port>]]
<!--NeedCopy-->

Displaying Large Scale NAT64 Statistics

You can display statistics related to large scale NAT64 module, and evaluate its performance or troubleshoot problems. You can display a summary of statistics of all large scale NAT64 configurations or of a particular large scale NAT64 configuration. The statistical counters reflect events since the Citrix ADC appliance was last restarted. All these counters are reset to 0 when the Citrix ADC appliance is restarted.

To display total statistics of large scale NAT64 by using the command line interface

At the command prompt, type:

stat lsn nat64
<!--NeedCopy-->

To display statistics for a specified large scale NAT64 configuration by using the command line interface

At the command prompt, type:

stat lsn group <groupname>
<!--NeedCopy-->

Clearing Large Scale NAT64 Sessions

You can remove any unwanted or inefficient large scale NAT64 sessions from the Citrix ADC appliance. The appliance immediately releases resources (such as NAT IP address, port, and memory) allocated for these sessions, making the resources available for new sessions. The appliance also drops all the subsequent packets related to these removed sessions. You can remove all or selected large scale NAT64 sessions from the Citrix ADC appliance.

To clear all large scale NAT64 sessions by using the command line interface

At the command prompt, type:

flush lsn session –nattype NAT64

show lsn session –nattype NAT64
<!--NeedCopy-->

To clear selective large scale NAT64 sessions by using the command line interface

At the command prompt, type:

flush lsn session –nattype NAT64 [-network6 <ipv6_addr|*>] [-clientname <string>] [-natIP <ip_addr> [-natPort <port>]]

show lsn session –nattype NAT64 [-network6 <ipv6_addr|*>] [-clientname <string>] [-natIP <ip_addr> [-natPort <port>]]
<!--NeedCopy-->

Sample configuration:

Clear all large scale NAT64 sessions existing on a Citrix ADC appliance

flush lsn session  –nattype NAT64
Done  
<!--NeedCopy-->

Clear all large scale NAT64 sessions related to client entity LSN-NAT64-CLIENT-1

flush lsn session –nattype NAT64 -clientname LSN-NAT64-CLIENT-1
Done  
<!--NeedCopy-->

Clear all large scale NAT64 sessions related to a subscriber network (2001:DB8:5001::/96) of LSN client entity LSN-NAT64-CLIENT-2

flush lsn session –nattype NAT64 –network6 2001:DB8:5001::/96 -clientname LSN-NAT64-CLIENT-2
Done
<!--NeedCopy-->

IPFIX Logging

The Citrix ADC appliance supports sending information about LSN events in Internet Protocol Flow Information Export (IPFIX) format to the configured set of IPFIX collector(s). The appliance uses the existing AppFlow feature to send LSN events in IPFIX format to the IPFIX collectors.

IPFIX based logging is available for the following NAT64 related events:

  • Creation or deletion of an LSN session.
  • Creation or deletion of an LSN mapping entry.
  • Allocation or de-allocation of port blocks in the context of deterministic NAT.
  • Allocation or de-allocation of port blocks in the context of dynamic NAT.
  • Whenever subscriber session quota is exceeded.

Points to Consider before you Configure IPFIX logging

Before you start configuring IPSec ALG, consider the following points:

Configuration Steps

Perform the following tasks for logging LSN information in IPFIX format:

  • Enable LSN logging in the AppFlow configuration. Enable the LSN logging parameter as part of AppFlow configuration.
  • Create an LSN log profile. An LSN log profile includes the IPFIX parameter that enables or disables the log information in IPFIX format.
  • Bind the LSN log profile to an LSN group of an LSN configuration. Bind the LSN log profile to one or multiple LSN group(s). Events related to the bound LSN group will be logged in IPFIX format.

To enable LSN logging in the AppFlow configuration by using the CLI

At the command prompt, type:

set appflow param -lsnLogging ( ENABLED | DISABLED )

show appflow param
<!--NeedCopy-->

To create an LSN log profile by using the CLIAt the command prompt, type

At the command prompt, type:

set lsn logprofile <logProfileName>  -logipfix ( ENABLED | DISABLED )

show lsn logprofile
<!--NeedCopy-->

To bind the LSN log profile to an LSN group of an LSN configuration by using the CLI

At the command prompt, type:

bind lsn group <groupname>  -logProfileName <lsnlogprofilename>

show lsn group
<!--NeedCopy-->

To create an LSN log profile by using the GUI

Navigate to System > Large Scale NAT > Profiles, click Log tab, and then add a log profile.

To bind the LSN log profile to an LSN group of an LSN configuration by using the GUI

  1. Navigate to System > Large Scale NAT > LSN Group, open the LSN group.
  2. In Advanced Settings, click + Log Profile to bind the created Log profile to the LSN group.