cgnat
16 Topics

Balance across LSN pools
When using CGNAT with multiple LSN pools attached to a virtual server, BIG-IP does not attempt to balance across the LSN pools. Balancing across LSN pools may be desirable in certain situations, such as where the pools correspond to different ISPs. This iRule provides balancing across LSN pools, using an algorithm similar to CARP to statelessly persist clients to pools (this does not replace the persistence function of the LSN pools). The iRule contains documentation and offers debugging if needed. You must configure the names of the LSN pools correctly: if the configuration section contains invalid pool names, some connections will be terminated. If this happens, an error with the invalid pool name will be logged in /var/log/ltm.

    # lsn-balance
    # This iRule is intended to balance between two or more LSN pools, with
    # approximately equal use of all pools
    # This uses an algorithm similar to CARP to persist clients to pools without
    # using expensive "table" calls

    when RULE_INIT {
        # Configures the names of the LSN pools
        set static::lsn_balance_pools { "/Common/LSN_split_1" "/Common/LSN_split_2" "/Common/LSN_split_3" }
        # Enable/disable debugging
        # 0 = disable, 1 = enable
        set static::lsn_balance_debug 0

        #####
        # No configuration past this point
        #####

        # Save an "llength" call per connection
        set static::lsn_balance_pool_count [llength $static::lsn_balance_pools]
    }

    when CLIENT_ACCEPTED {
        if {$static::lsn_balance_debug} {
            # More readable version with intermediate vars for debugging
            # Fetch the client IP
            set client_ip [IP::client_addr]
            # Derive the hash we'll use for pool selection from client IP
            set lsn_select_hash [fasthash $client_ip]
            # Choose the list index based on hash - hash modulo length of pool list
            set lsn_select_index [ expr {$lsn_select_hash % $static::lsn_balance_pool_count} ]
            # Select pool from list of pools and use it
            set lsn_select_pool [lindex $static::lsn_balance_pools $lsn_select_index]
            # debug
            log local0. "lsn-balance: client: $client_ip pool: $lsn_select_pool hash: $lsn_select_hash index: $lsn_select_index"
            # Set pool selection
            LSN::pool $lsn_select_pool
        } else {
            # "one-line" version, equivalent to above
            # optimized by avoiding use of intermediate vars
            # but harder to read and offers no debugging
            LSN::pool [ lindex $static::lsn_balance_pools [ expr { [fasthash [IP::client_addr]] % $static::lsn_balance_pool_count } ] ]
        }
    }

CGNAT with DS-lite and LSN
Hey, so we have set up DS-Lite with CGNAT according to this in our lab: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/cgn-implementations-11-5-0/14.html Running version 17.1.1.1.

Interface setup:
ipv4.selfip 192.168.245.245/24 (external if, ipv4.vlan)
ipv6_INET-selfip 2001:2040:c000:1:f5f5:f5f5:f5f5:f5f5/64 (client facing, ip6_INET.vlan)
ds.selfip 192.0.0.1/24 (ds-tunnel)

CGNAT VS created according to the above tech-doc.

LSN pool created with:
NAPT
Persistence: Address Port
Persistence Timeout: 30 (for testing)
Inbound Connections: Automatic
ICMP Echo: enabled
Egress interfaces: ipv4.vlan
Members list: 172.16.0.4/30

DS-tunnel created with:
Profile: dslite
Local Address: same as ipv6_INET-selfip
Remote Address: Any

The NAT process works fine: the traffic comes in and gets NATed to the pool (i.e. 172.16.0.4). The traffic also reaches the target, in this case 192.168.245.240. This endpoint in turn has a return route for traffic back to the F5 for the 172.16.0.4/30 network. So it responds to the traffic; however, here is where we hit the curb. The F5 simply resets the traffic once receiving the SYN-ACK, "internal error sending packet to peer". So it's like it has forgotten the fact that it did the NAT. However, when verifying "tmsh show sys connection all-properties" we can see both the IPv6 and IPv4 connections. Does anyone have any tips and tricks for this? Are we missing something? /Ted

CGNAT and IP forwarding Simultaneously for exception flows
I have a scenario, according to the diagram, using the VIPRION 2400 platform as a CGNAT solution. I'm using CGNAT for translating our clients (SRC: 100.64.0.0/10) for Internet access. In our regular scenario the F5 box translates the client address for both Internet access and our internal servers. Now we have a situation where we need our clients connected to an internal web server (172.16.1.1) with their actual IP address (100.64.0.0/10). For this purpose I created two 'IP forwarding' virtual servers matching the web server IP address in each direction. The point is I've created a CGNAT virtual server for Internet access and an LTM virtual server for matching traffic to/from the local web server. Clients' Internet access works without any problem, but it seems the web server virtual server doesn't match any traffic.

    ltm virtual CGNAT-BRAS--ACCESS-01 {
        description CGNAT-BRAS--ACCESS-01
        destination 0.0.0.0%101:any
        mask any
        profiles {
            CGNAT-L4 { }
        }
        source 100.64.0.0%101/10
        source-address-translation {
            pool CGNAT-ACCESS-01
            type lsn
        }
        translate-address disabled
        translate-port disabled
        vlans {
            VLAN-40
        }
        vlans-enabled
        vs-index 26
    }
    ltm profile fastl4 CGNAT-L4 {
        app-service none
        defaults-from fastL4
        loose-close enabled
        loose-initialization enabled
        reassemble-fragments enabled
        reset-on-timeout disabled
    }
    ltm virtual local-web-forwarding-client-side {
        destination 172.16.1.1%101:any
        l2-forward
        mask 255.255.255.255
        profiles {
            Forwarding_VS { }
        }
        source 100.64.0.0%101/10
        translate-address enabled
        translate-port disabled
        vlans {
            VLAN-40
        }
        vlans-enabled
        vs-index 46
    }
    ltm virtual local-web-forwarding-network-side {
        destination 100.64.0.0%101:any
        ip-forward
        mask 255.192.0.0
        profiles {
            Forwarding_VS { }
        }
        source 172.16.1.1%101/32
        translate-address disabled
        translate-port disabled
        vlans {
            VLAN-41
        }
        vlans-enabled
        vs-index 47
    }
    ltm profile fastl4 Forwarding_VS {
        app-service none
        defaults-from fastL4
        idle-timeout 300
        loose-initialization enabled
        reset-on-timeout disabled
    }

Getting the outside-to-inside NAT mapping using iControl
Trying to map an outside IP to an inside IP. I can get mappings the other way around, that is inside-to-outside, using get_active_connection_v2. The inside address is cs-client-addr and the outside is ss-client-addr. I can use cs-client-addr as a parameter in get_active_connection_v2, but not ss-client-addr. Example:

    show /sys connection ss-client-addr 197.72.211.61
    Sys::Connections
    172.25.46.124%4:62262  107.21.224.38%4:443  197.72.211.61:1064  107.21.224.38:443  tcp  119  (slot/tmm: 1/0)  none

    >>> import bigsuds
    >>> b.System.Connections.get_active_connection_v2(cs_client, cs_server, protocol, ss_server)
    [
      {
        "clientside_bytes_in": {"high": 0, "low": 116},
        "clientside_bytes_out": {"high": 0, "low": 60},
        "clientside_packets_in": {"high": 0, "low": 2},
        "clientside_packets_out": {"high": 0, "low": 1},
        "connection_id": {
          "clientside_client": {"address": "172.25.46.124%4", "port": 62262},
          "clientside_server": {"address": "107.21.224.38%4", "port": 443},
          "protocol": "PROTOCOL_TCP",
          "serverside_server": {"address": "107.21.224.38", "port": 443}
        },
        "idle_time": 213,
        "idle_timeout": 213,
        "lasthop_info": "/Common/VLAN_4708 2c:11:62:75:b5:c1",
        "serverside_bytes_in": {"high": 0, "low": 60},
        "serverside_bytes_out": {"high": 0, "low": 116},
        "serverside_client": {"address": "197.72.211.61", "port": 1064},
        "serverside_packets_in": {"high": 0, "low": 1},
        "serverside_packets_out": {"high": 0, "low": 2},
        "traffic_group": "/Common/traffic-group-1",
        "virtual_path": {"address": "0.0.0.0", "port": 0}
      }
    ]

Thanks in advance!

BIG-IP CGNAT - VLAN CMP Hash
Hello Devs! How is everybody doing? I'm trying to wrap my head around a requirement for the CGNAT module. Currently it's mandatory that, for CGNAT using PBA LSN pools, the ingress VLAN uses source address as the VLAN CMP hash and the egress VLAN uses destination as the CMP hash. I understand what the CMP hash does, but in an environment where the BIG-IP is the CGNAT device and routes to the Internet, every time a new client connects it will use ephemeral ports as the source and different destination IPs as the destination, so the default CMP hash would/should do the trick. But if I don't set the CMP hash correctly, I get some errors in /var/log/ltm:

    Feb 6 14:54:01 bigip1 err tmm[31839]: 01670024:3: Unsupported DAG mode for LSN pool(/Common/lsn_pool_rd10) mode PBA on interface /Common/F5_BACKBONE
    Feb 6 14:54:53 bigip1 err tmm[31839]: 01670024:3: Unsupported DAG mode for LSN pool(/Common/lsn_pool_rd10) mode PBA on interface /Common/F5_BACKBONE

I just wanted to understand the why of this. Thanks, Rafael.

BIG-IP CGNAT Module - General Questions
Hello Devs! We're deploying a high performance VE running only the CGNAT module. Our client asked some tricky questions that I could not find the answers to in the documentation. Could you guys have a try at them? We are running v14.1.0.

1- On the LSN pool, running in PBA mode, when you configure the member prefix IPs as a /24 for example, how does the BIG-IP choose which IP to use under the prefix? Is it random? Is there some rule? For example:

    ltm lsn-pool pool_CGNAT_GPON-4711 {
        egress-interfaces {
            VLAN889_TRANSITO-OUT-GPON
        }
        egress-interfaces-enabled
        members {
            200.200.200.0%4712/24
        }
        mode pba
        port-block-allocation {
            block-idle-timeout 900
            block-size 512
            client-block-limit 2
        }
        route-advertisement enabled
    }

In this example, which IP would the first client be translated to? 200.200.200.1? 200.200.200.5? What I have seen so far is pretty much random, but I don't know if the subscriber's internal IP plays into some kind of hashing... Any thoughts?

2- What happens, regarding logs, if a CGNAT subscriber stays connected and generates steady traffic? When the subscriber hits the BIG-IP for the first time, the BIG-IP allocates a block for it and logs an LSN-ALLOCATE event. If this same subscriber stays connected with a steady traffic flow (and my pool does not have a lifetime configured) for many days, we would not see the LSN-RELEASE event log message. Our client wanted to know if there's some kind of update log message that is sent every X amount of time, to reiterate that this specific subscriber still has that IP. This is necessary for auditing purposes. Very tricky question, I know. Thanks, Rafael

TMM memory leaking due to log publisher configuration
Hi dears, I use the F5 CGNAT module and I define a log publisher on the F5 for remote logging. I have a memory leak problem: tmm memory increases over time. F5 version: 14.1.2.3

picture1: https://ibb.co/YDN88Bz

After analyzing the "show sys memory" output we noticed that the memory leak is because of the Log profile:

picture2: https://ibb.co/4m3snGt

For troubleshooting I looked at the logs in tmm using "# cat /var/log/tmm" and noticed that there are a lot of logs saying there is a problem with the publisher:

    # cat /var/log/tmm
    <13> Jul 7 03:51:24 slot1/f5-one notice alg_hs_log_alg_event/1190: errdefs publisher log failure
    <13> Jul 7 03:51:24 slot1/f5-one notice alg_hs_log_alg_event/1190: errdefs publisher log failure
    <13> Jul 7 03:51:24 slot1/f5-one notice alg_hs_log_alg_event/1190: errdefs publisher log failure
    .
    .

Now the question is: how can I analyze these logs and find a solution for the tmm memory leak? Does anyone know the "logger" tool? Or has someone encountered this problem before? We have had this problem for a long time, and it has not been resolved by updating the version.

picture3: https://ibb.co/R9dYLdM
picture4: https://ibb.co/nfYJvd0

    Sys::Provision
    Module  CPU (%)  Memory (MB)  Host-Memory (MB)  Disk (MB)
    ---------------------------------------------------------
    afm0000
    am0000
    apm0000
    asm0000
    avr118887687800
    dos0000
    fps0000
    gtm0000
    host10200300527856
    ilx10121020
    lc0000
    ltm1000
    pem0000
    sslo0000
    swg0000
    tmos87424787000
    urldb0000
    vcmp0000

thanks.

H.323 ALG iApps
Problem this snippet solves: This iApp creates the H.323 ALG configuration, including virtual servers, iRules, LSN pools, etc. This H.323 ALG is implemented using iRules (Tcl). It makes use of the new CGNAT ALG Toolkit iRule primitives available in BIG-IP 14.1. The configuration consists of a virtual server which intercepts H.225 RAS (Registration, Admission, and Status) traffic. The ALG extracts information from the H.225 traffic and starts listeners for H.225 CS (call signaling) as necessary. The ALG follows the H.245 connection created by H.225 CS, if there is any. It also creates flows for media connections based on the negotiation that happened at the H.245 protocol level. The ALG can also intercept H.225 CS calls that happen without H.225 RAS. Note that this iApp only supports a public vlan that is in route-domain 0 (default).

How to use this snippet: This H.323 ALG iApp supports 2 main use cases: 1. NAT44 2. 464XLAT

Note that vlan, route and IP address configuration are not included in the iApp. They must be configured before creating the application. For vlans, some NAT modes require a specific cmp-hash mode; for example, PBA and DNAT require cmp-hash set to src-ip on the private side and cmp-hash set to dst-ip on the public side.

Configuration for the NAT44 and 464XLAT use cases is separate. Configuration objects (including virtual servers, LSN pool, etc.) are created separately and are not shared. Both options can be enabled in the same application.

* * *

To create an application for the NAT44 use case (see image below), select "yes" in the "Enabled H.323 ALG for NAT44" section. Then enter information for the private and public side. For the private side, add a virtual server to intercept H.225 RAS and H.225 CS (enter vlan, route-domain, port). Enter the "allowed source" subnet information. To support hairpin calls, select "yes" for the "Create wildcard virtual..." option if there is no existing wildcard virtual that matches hairpin traffic. For the public side, select the public vlan, enter the LSN pool member addresses and configure the translation mode.

* * *

To create an application for the 464XLAT use case (see image below), select "yes" in the "Enabled H.323 ALG for 464XLAT" section. Follow the same instructions as for the NAT44 use case, but use appropriate IPv6 addresses as needed. The 464XLAT use case also requires a NAT64 prefix, as the BIG-IP acts as a PLAT.

* * *

In addition to the configuration sections for the NAT44 and 464XLAT use cases, there are sections for Advanced, Logging and Debug options (see image below).

For the "Advance Options" section:
* Enforce no H.245 Tunnelling: select yes if you want the ALG to try to prevent H.245 tunnelling in H.225 CS
* Enforce no FastStart: select yes if you want the ALG to try to prevent FastStart from being used
* Choose the action for the ALG to take when the iRule receives a message it could not decode

For the "Logging Options" section:
* Set LSN log destination: choose either to write the log to local syslog or none

For the "Debug Options" section, enable debug logging for the categories of interest. Note that "per" debug logging may produce very detailed log information. The debug log option should only be enabled under no load.

This iApp was created on "Wed May 09 04:45:14 GMT 2018"

Tested this on version: No Version Found

Problem between F5 CGNAT and Graylog Server
Dear F5 Community, I have an F5 Model: BIG-IP i7600 with Version: 14.1.0.3 Build 0.0.6 running as CGNAT. And I installed Graylog server version 3.0 free edition to receive the LSN CGNAT logs. I followed the document below to send the CGNAT logs from the F5 CGNAT to the Graylog server as HSL, but Graylog cannot receive the CGNAT logs from the F5. https://techdocs.f5.com/en-us/bigip-14-0-0/big-ip-cgnat-implementations-14-0-0/using-cgnat-logging-and-subscriber-traceability.html Has anyone had such an experience, and how did you solve the issue? Please kindly advise. Thank you.

Has anyone done traffic logging?
Hi guys, I'm searching for a method which can log or inspect traffic information. Target licenses are LTM and CGNAT. I have looked at Telemetry Streaming, but that seems to provide sampled information. I need full traffic information, not sampled data. I also don't need mirroring. I think using an iRule with HSL can be a method, but I'm wondering how much traffic can be logged.
-> "how much" means about 150K CPS.
-> and whether the BIG-IP's disk can hold the logs.