cgnat
16 Topics

Does anyone do traffic logging? (Solved)

Hi guys, I'm searching for a method which can log or inspect traffic information. Target licenses are LTM and CGNAT. I have looked at Telemetry Streaming, but that seems to provide sampling information. I need full traffic information, not sampling data. I also don't need mirroring. I think using an iRule with HSL can be a method, but I'm wondering how much traffic can be logged.
-> "how much" means about 150K CPS.
-> and whether BIG-IP's disk can hold the logs.

H.323 ALG iApps
Problem this snippet solves:

This iApps creates an H.323 ALG configuration including virtual servers, iRules, LSN pools, etc. This H.323 ALG is implemented using iRules (Tcl). It makes use of the new CGNAT ALG Toolkit iRules primitives available in BIG-IP 14.1. The configuration consists of a virtual server which intercepts H.225 RAS (Registration, Admission, and Status) traffic. The ALG will extract information from H.225 traffic and start listeners for H.225 CS (call signaling) as necessary. The ALG will follow the H.245 connection created by H.225 CS if there is any. It will also create flows for media connections based on the negotiation that happened at the H.245 protocol level. The ALG can also intercept H.225 CS calls which happen without H.225 RAS. Note that this iApps only supports a public VLAN that is in route-domain 0 (default).

How to use this snippet:

This H.323 ALG iApps supports 2 main use cases:
1. NAT44
2. 464XLAT

Note that VLAN, route, and IP address configuration are not included in the iApps. They may be configured prior to creating the application. For VLANs, some NAT modes may require a specific cmp-hash mode; for example, PBA and DNAT require cmp-hash as src-ip on the private side and cmp-hash as dst-ip on the public side. Configuration for the NAT44 and 464XLAT use cases is separated. Configuration objects (including virtual servers, LSN pool, etc.) will be created separately and are not shared. Both options can be enabled in the same application.

* * *

To create an application for the NAT44 use case (see image below), select "yes" in the "Enabled H.323 ALG for NAT44" section. Then enter information for the private and public side. For the private side, add a virtual server to intercept H.225 RAS and H.225 CS (enter vlan, route-domain, port). Enter "allowed source" subnet information. To support hairpin calls, select "yes" for the "Create wildcard virtual..." option if there is no existing wildcard virtual that matches hairpin traffic. For the public side, select the public vlan, enter LSN pool member addresses and configure the translation mode.

* * *

To create an application for the 464XLAT use case (see image below), select "yes" in the "Enabled H.323 ALG for 464XLAT" section. Follow the same instructions as for the NAT44 use case. However, use appropriate IPv6 addresses as needed. The 464XLAT use case also requires a NAT64 prefix, as BIG-IP acts as a PLAT.

* * *

In addition to the configuration sections for the NAT44 and 464XLAT use cases, there are sections for Advance, Logging and Debug options (see image below).

For the "Advance Options" section:
* Enforce no H.245 Tunnelling: select yes if you want the ALG to try to prevent H.245 tunnelling in H.225 CS
* Enforce no FastStart: select yes if you want the ALG to try to prevent FastStart from being used
* Choose the action for the ALG to take when the iRules receive a message they could not decode

For the "Logging Options" section:
* Set LSN log destination: choose either to write the log to local syslog or none

For the "Debug Options" section, enable debug logging on categories of interest. Note that "per" debug logs may produce very detailed log information. The debug log option may only be enabled at no load.

This iApps was created on "Wed May 09 04:45:14 GMT 2018"
Tested this on version: No Version Found

BIG-IP CGNAT - v15 - PBA periodic block refresh logs
Hello Devs! I read in the v15.0.0 release notes that you could now send periodic block refresh logs.
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-15-0-0.html
"CGNAT: Port Block Allocation periodic block refresh logs This release includes a new logging option that logs Port Block Allocation (PBA) block periodically with a configurable refresh time"
I tried to find this option in the GUI and CLI but I just can't find it. I even tried on v15.1.0. Does anybody know where it is hidden? Thanks, Rafael
(Solved)

BIG-IP CGNAT - VLAN CMP Hash
Hello Devs! How is everybody doing? I'm trying to wrap my head around a requirement for the CGNAT module. Currently, it's mandatory that, for CGNAT using PBA LSN pools, the ingress VLAN uses the VLAN CMP hash as source address and the egress VLAN uses destination as the cmp hash. I understand what the CMP hash does, but in an environment where the BIG-IP is the CGNAT device and routes to the internet, every time a new client connects, it will use ephemeral ports as the source and different destination IPs as the destination, so the default cmp hash would/should do the trick. But if I don't set the cmp hash correctly, I get this error in /var/log/ltm:

Feb 6 14:54:01 bigip1 err tmm[31839]: 01670024:3: Unsupported DAG mode for LSN pool(/Common/lsn_pool_rd10) mode PBA on interface /Common/F5_BACKBONE
Feb 6 14:54:53 bigip1 err tmm[31839]: 01670024:3: Unsupported DAG mode for LSN pool(/Common/lsn_pool_rd10) mode PBA on interface /Common/F5_BACKBONE

I just wanted to understand the why of this. Thanks, Rafael.
(Solved)

TMM memory leaking due to log publisher configuration
Hi dears, I use the F5 CGNAT module and I defined a log publisher on F5 for remote logging. I have a memory leak problem: tmm memory increases over time. F5 version: 14.1.2.3
picture1: https://ibb.co/YDN88Bz
After analyzing "show sys memory" output we noticed that the memory leak is because of the Log profile:
picture2: https://ibb.co/4m3snGt
For troubleshooting I looked at the logs in tmm using "# cat /var/log/tmm" and noticed that there are a lot of logs saying there is a problem with the publisher:

# cat /var/log/tmm
<13> Jul 7 03:51:24 slot1/f5-one notice alg_hs_log_alg_event/1190: errdefs publisher log failure
<13> Jul 7 03:51:24 slot1/f5-one notice alg_hs_log_alg_event/1190: errdefs publisher log failure
<13> Jul 7 03:51:24 slot1/f5-one notice alg_hs_log_alg_event/1190: errdefs publisher log failure
.
.

Now the question is: How can I analyze these logs and find a solution for the tmm memory leak? Does anyone know the "logger" tool? Or has someone encountered this problem before? We have had this problem for a long time, and it has not been resolved by updating the version.
picture3: https://ibb.co/R9dYLdM
picture4: https://ibb.co/nfYJvd0

Sys::Provision
Module  CPU (%)  Memory (MB)  Host-Memory (MB)  Disk (MB)
---------------------------------------------------------
afm     0  0  0  0
am      0  0  0  0
apm     0  0  0  0
asm     0  0  0  0
avr     118887687800
dos     0  0  0  0
fps     0  0  0  0
gtm     0  0  0  0
host    10200300527856
ilx     10121020
lc      0  0  0  0
ltm     1  0  0  0
pem     0  0  0  0
sslo    0  0  0  0
swg     0  0  0  0
tmos    87424787000
urldb   0  0  0  0
vcmp    0  0  0  0

thanks.

CGNAT and IP forwarding Simultaneously for exception flows
I have a scenario according to the diagram using the VIPRION 2400 platform as a CGNAT solution. I'm using CGNAT for translating our clients (SRC: 100.64.0.0/10) for Internet access. In our regular scenario the F5 box translates client addresses for both Internet access and our internal servers. Now we have a situation where we need our clients connected to an internal web server (172.16.1.1) with their actual IP address (100.64.0.0/10). For this purpose I created two 'IP forwarding' virtual servers matching the web server IP address in each direction. The point is I've created a CGNAT virtual server for Internet access and an LTM virtual server for matching traffic to/from the local web server. Clients' Internet access works without any problem, but it seems the web server virtual server doesn't match any traffic.

ltm virtual CGNAT-BRAS--ACCESS-01 {
    description CGNAT-BRAS--ACCESS-01
    destination 0.0.0.0%101:any
    mask any
    profiles {
        CGNAT-L4 { }
    }
    source 100.64.0.0%101/10
    source-address-translation {
        pool CGNAT-ACCESS-01
        type lsn
    }
    translate-address disabled
    translate-port disabled
    vlans {
        VLAN-40
    }
    vlans-enabled
    vs-index 26
}
ltm profile fastl4 CGNAT-L4 {
    app-service none
    defaults-from fastL4
    loose-close enabled
    loose-initialization enabled
    reassemble-fragments enabled
    reset-on-timeout disabled
}
ltm virtual local-web-forwarding-client-side {
    destination 172.16.1.1%101:any
    l2-forward
    mask 255.255.255.255
    profiles {
        Forwarding_VS { }
    }
    source 100.64.0.0%101/10
    translate-address enabled
    translate-port disabled
    vlans {
        VLAN-40
    }
    vlans-enabled
    vs-index 46
}
ltm virtual local-web-forwarding-network-side {
    destination 100.64.0.0%101:any
    ip-forward
    mask 255.192.0.0
    profiles {
        Forwarding_VS { }
    }
    source 172.16.1.1%101/32
    translate-address disabled
    translate-port disabled
    vlans {
        VLAN-41
    }
    vlans-enabled
    vs-index 47
}
ltm profile fastl4 Forwarding_VS {
    app-service none
    defaults-from fastL4
    idle-timeout 300
    loose-initialization enabled
    reset-on-timeout disabled
}

Problem between F5 CGNAT and Graylog Server

Dear F5 Community, I have an F5 model BIG-IP i7600 with version 14.1.0.3 Build 0.0.6 running as CGNAT. And I installed Graylog server version 3.0 free edition to receive the LSN CGNAT logs. I followed the document below to send the CGNAT logs from F5 CGNAT to the Graylog server as HSL, but Graylog cannot receive the CGNAT logs from F5.
https://techdocs.f5.com/en-us/bigip-14-0-0/big-ip-cgnat-implementations-14-0-0/using-cgnat-logging-and-subscriber-traceability.html
Has anyone had such an experience? And how to solve the issue? Please kindly advise. Thank you.

BIG-IP CGNAT Module - General Questions
Hello Devs! We're deploying a high performance VE running only the CGNAT module. Our client asked some tricky questions that I could not find the answers to in the documentation. Could you guys have a try at them? We are running v14.1.0.

1- On the LSN pool, running in PBA mode, when you configure the member prefix IPs as a /24 for example, how does the BIG-IP choose which IP to use under the prefix? Is it random? Is there some rule? For example:

ltm lsn-pool pool_CGNAT_GPON-4711 {
    egress-interfaces {
        VLAN889_TRANSITO-OUT-GPON
    }
    egress-interfaces-enabled
    members {
        200.200.200.0%4712/24
    }
    mode pba
    port-block-allocation {
        block-idle-timeout 900
        block-size 512
        client-block-limit 2
    }
    route-advertisement enabled
}

In this example, which IP would the first client be translated to? 200.200.200.1? 200.200.200.5? What I saw so far is pretty much random, but I don't know if the subscribers' internal IPs play into some kind of hashing... Any thoughts?

2- What happens, regarding logs, if a CGNAT subscriber stays connected and generating steady traffic? When the subscriber hits the BIG-IP for the first time, BIG-IP allocates a block for it and logs an LSN-ALLOCATE event. If this same subscriber stays connected with a steady traffic flow (and my pool does not have a lifetime configured) for many days, we would not see the LSN-RELEASE event log message. Our client wanted to know if there's some kind of update log message that sends a message every X amount of time, to kind of reiterate that this specific subscriber still has that IP. This is necessary for auditing purposes. Very tricky question, I know. Thanks, Rafael

Why an Empty Glass is like a Key Mobile Service Provider Technology
"Speedy Gonzales (1955 short)" by Source (WP:NFCC#4)

#MWC15

I was at a restaurant with some colleagues after the day of Mobile World Congress events today in Barcelona. Unfortunately, all the Spanish I learned was from the Warner Bros Speedy Gonzales cartoons. The people of Barcelona are great and most of them have a superb command of the English language. While we were ordering and eating our tapas which we selected off of the menu of options, one of our servers came by to refill our water glasses. I took this opportunity to ask the server for a separate empty glass so I could take some medicine I needed to mix with the water. The server looked at me with a puzzled look and I tried to explain again. "Please bring a cup. Empty," I said as I used hand gestures to simulate an empty glass with the one he had just filled. Again, he gave me a look that signified he did not understand. "Cup. Empty," I stated once again. He nodded this time and walked off. A minute later he was back with no cup, but our waiter was with him. The waiter said, "I am sorry. He does not understand you. What do you need?" "An empty cup, please." I held up the medicine packet to show him why I needed it. "Ah. No problem. One moment." And off they went as the waiter explained to the young gentleman what I needed. Finally, the server arrived with my empty glass.

This brings up one of the issues that mobile service providers have that we sometimes gloss over or sweep under the table knowing it is being resolved in the future. The LTE networks need translation services like my waiter provided. Not for English or Spanish, but to switch the conversation from IPv6 to IPv4 and back again. The problem is that LTE networks are architected to use IPv6 addresses using 128 bits of IP address space while the Internet is still mostly IPv4, using 32 bits for each IP address. In addition, many service provider networks are not fully IPv6 either and they need this IP translation service to support the communications through their own infrastructure.

Most LTE capable phones are designed to support IPv6. The Internet of Things, when it blows up to 50 billion devices by 2020, will have things with IPv6 addresses. This is necessary because there are not enough IPv4 addresses to support all of these devices. A carrier grade network address translation (CGNAT) solution is needed to provide IP address translation capabilities within the network. CGNAT may not have the buzz of IoT, nor does it have the public momentum of NFV, but it is still an essential technology to incorporate until the service provider networks and Internet fully support IPv6 addresses. CGNAT is deployed in most service provider networks to some extent, but its functionality and performance need to be expanded to support this surge of new devices connecting to the LTE networks.

A complementary technology that I would be remiss to omit when talking about CGNAT is DNS64 services. DNS64 is the mapping of DNS addresses in IPv4 format to IP addresses in IPv6 format. This is critical because DNS is all about the mapping of names, or fully qualified domain names (FQDNs), to IP addresses which will be either IPv4 or IPv6. Service providers need to keep the CGNAT technologies in mind as they continue to build and expand their LTE networks, especially with the popularity of IoT.

In my instance, I was lucky that I had my waiter to provide translation services between Spanish and English. The long term solution is for the server and/or me to learn each other's respective languages. Only then will the waiter not be needed to always be around so we can have a conversation. In the service provider's network the CGNAT solution (with DNS64) will always be needed until all of the devices and the Internet support a common language, IPv6.