cgnat
CGNAT with DS-lite and LSN
Hey, so we have set up DS-Lite with CGNAT according to this in our lab: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/cgn-implementations-11-5-0/14.html Running version 17.1.1.1.

Interface setup:
ipv4.selfip 192.168.245.245/24 (external if, ipv4.vlan)
ipv6_INET-selfip 2001:2040:c000:1:f5f5:f5f5:f5f5:f5f5/64 (client facing, ip6_INET.vlan)
ds.selfip 192.0.0.1/24 (ds-tunnel)

CGNAT VS created according to the above tech doc.

LSN pool created with:
Mode: NAPT
Persistence: Address Port
Persistence Timeout: 30 (for testing)
Inbound Connections: Automatic
ICMP Echo: enabled
Egress interfaces: ipv4.vlan
Members list: 172.16.0.4/30

DS-tunnel created with:
Profile: dslite
Local Address: same as ipv6_INET-selfip
Remote Address: Any

The NAT process works fine, the traffic comes in and gets NATed to the pool (i.e. 172.16.0.4). The traffic also reaches the target, in this case 192.168.245.240. This endpoint in turn has a return route for traffic back to the F5 for the 172.16.0.4/30 network. So it responds to the traffic, however here is where we hit the curb. The F5 simply resets the traffic once receiving the SYN-ACK, "internal error sending packet to peer". So it's like it has forgotten the fact that it did the NAT. However, when verifying "tmsh show sys connection all-properties" we can see both the IPv6 and IPv4 connections. Does anyone have any tips and tricks for this? Are we missing something? /Ted
CGNAT and IP forwarding Simultaneously for exception flows
I have a scenario according to the diagram using the VIPRION 2400 platform as a CGNAT solution. I'm using CGNAT for translating our clients (SRC: 100.64.0.0/10) for Internet access. In our regular scenario the F5 box translates client addresses for both Internet access and our internal servers. Now we have a situation where we need our clients connected to an internal web server (172.16.1.1) with their actual IP address (100.64.0.0/10). For this purpose I created two 'IP forwarding' virtual servers matching the web server IP address in each direction. The point is I've created a CGNAT virtual server for Internet access and an LTM virtual server for matching traffic to/from the local web server. Clients' Internet access works without any problem, but it seems the web server virtual server doesn't match any traffic.

ltm virtual CGNAT-BRAS--ACCESS-01 {
    description CGNAT-BRAS--ACCESS-01
    destination 0.0.0.0%101:any
    mask any
    profiles {
        CGNAT-L4 { }
    }
    source 100.64.0.0%101/10
    source-address-translation {
        pool CGNAT-ACCESS-01
        type lsn
    }
    translate-address disabled
    translate-port disabled
    vlans {
        VLAN-40
    }
    vlans-enabled
    vs-index 26
}
ltm profile fastl4 CGNAT-L4 {
    app-service none
    defaults-from fastL4
    loose-close enabled
    loose-initialization enabled
    reassemble-fragments enabled
    reset-on-timeout disabled
}
ltm virtual local-web-forwarding-client-side {
    destination 172.16.1.1%101:any
    l2-forward
    mask 255.255.255.255
    profiles {
        Forwarding_VS { }
    }
    source 100.64.0.0%101/10
    translate-address enabled
    translate-port disabled
    vlans {
        VLAN-40
    }
    vlans-enabled
    vs-index 46
}
ltm virtual local-web-forwarding-network-side {
    destination 100.64.0.0%101:any
    ip-forward
    mask 255.192.0.0
    profiles {
        Forwarding_VS { }
    }
    source 172.16.1.1%101/32
    translate-address disabled
    translate-port disabled
    vlans {
        VLAN-41
    }
    vlans-enabled
    vs-index 47
}
ltm profile fastl4 Forwarding_VS {
    app-service none
    defaults-from fastL4
    idle-timeout 300
    loose-initialization enabled
    reset-on-timeout disabled
}
Getting the outside-to-inside NAT mapping using iControl
Trying to map an outside IP to an inside IP. I can get mappings the other way around, that is inside-to-outside, using get_active_connection_v2. The inside address is cs-client-addr and the outside is ss-client-addr. I can use cs-client-addr as a parameter in get_active_connection_v2, but not ss-client-addr. Example:

show /sys connection ss-client-addr 197.72.211.61
Sys::Connections
172.25.46.124%4:62262 107.21.224.38%4:443 197.72.211.61:1064 107.21.224.38:443 tcp 119 (slot/tmm: 1/0) none

>>> import bigsuds
>>> b.System.Connections.get_active_connection_v2(cs_client, cs_server, protocol, ss_server)
[
  {
    "clientside_bytes_in": {"high": 0, "low": 116},
    "clientside_bytes_out": {"high": 0, "low": 60},
    "clientside_packets_in": {"high": 0, "low": 2},
    "clientside_packets_out": {"high": 0, "low": 1},
    "connection_id": {
      "clientside_client": {"address": "172.25.46.124%4", "port": 62262},
      "clientside_server": {"address": "107.21.224.38%4", "port": 443},
      "protocol": "PROTOCOL_TCP",
      "serverside_server": {"address": "107.21.224.38", "port": 443}
    },
    "idle_time": 213,
    "idle_timeout": 213,
    "lasthop_info": "/Common/VLAN_4708 2c:11:62:75:b5:c1",
    "serverside_bytes_in": {"high": 0, "low": 60},
    "serverside_bytes_out": {"high": 0, "low": 116},
    "serverside_client": {"address": "197.72.211.61", "port": 1064},
    "serverside_packets_in": {"high": 0, "low": 1},
    "serverside_packets_out": {"high": 0, "low": 2},
    "traffic_group": "/Common/traffic-group-1",
    "virtual_path": {"address": "0.0.0.0", "port": 0}
  }
]

Thanks in advance!
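The reverse lookup asked for above can be done offline from the text that `tmsh show sys connection` already prints. The following is an added example, not code from the post and not an F5 or bigsuds API: it parses the record layout shown (cs-client, cs-server, ss-client, ss-server, protocol, idle seconds) and inverts it so a translated ss-client address:port resolves back to the subscriber cs-client address. The sample records are constructed (the first one is the line quoted in the post); the IPv6 "address.port" layout and the `%N` route-domain suffix handling are assumptions about the tmsh output format.

```python
"""Outside-to-inside lookup over the BIG-IP connection table.

Added example, not part of the original post and not an F5/bigsuds API.
It inverts the text layout of `tmsh show sys connection` so that a
translated (ss-client) address:port can be resolved back to the subscriber
(cs-client) address, the filter direction get_active_connection_v2 lacks.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first record is the one quoted in the post, the
# other two are made up in the same column order. Addresses may carry a %N
# route-domain suffix, as in the real output.
SAMPLE_OUTPUT = """\
Sys::Connections
172.25.46.124%4:62262 107.21.224.38%4:443 197.72.211.61:1064 107.21.224.38:443 tcp 119 (slot/tmm: 1/0) none
172.25.46.125%4:51000 93.184.216.34%4:80 197.72.211.61:1065 93.184.216.34:80 tcp 30 (slot/tmm: 1/1) none
10.0.0.7:40000 8.8.8.8:53 197.72.211.62:2000 8.8.8.8:53 udp 12 (slot/tmm: 1/0) none
Total records returned: 3
"""

# Four endpoints, then protocol and idle seconds; anything after that is ignored.
RECORD_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([a-z0-9]+)\s+(\d+)")


@dataclass(frozen=True)
class Endpoint:
    address: str
    route_domain: Optional[int]
    port: int


@dataclass(frozen=True)
class Connection:
    cs_client: Endpoint  # subscriber side, before translation
    cs_server: Endpoint
    ss_client: Endpoint  # translated address the Internet sees
    ss_server: Endpoint
    protocol: str
    idle: int


def parse_endpoint(token: str) -> Endpoint:
    """'a.b.c.d[%rd]:port' for IPv4. IPv6 is assumed to use '.' before the
    port (tmsh style), e.g. '2001:db8::1%4.443'. Raises ValueError otherwise."""
    if token.count(":") > 1:
        addr_rd, port = token.rsplit(".", 1)
    else:
        addr_rd, port = token.rsplit(":", 1)
    addr, _, rd = addr_rd.partition("%")
    return Endpoint(addr, int(rd) if rd else None, int(port))


def parse_connections(text: str) -> List[Connection]:
    conns: List[Connection] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # header, 'Total records' trailer, blank lines
        try:
            eps = [parse_endpoint(t) for t in m.group(1, 2, 3, 4)]
        except ValueError:
            continue  # not an endpoint record
        conns.append(Connection(eps[0], eps[1], eps[2], eps[3], m.group(5), int(m.group(6))))
    return conns


def outside_to_inside(conns: List[Connection]) -> Dict[Tuple[str, int, str], Endpoint]:
    """(ss-client address, ss-client port, protocol) -> cs-client endpoint.
    Keyed on the translated 3-tuple because under NAPT one outside IP is shared."""
    return {(c.ss_client.address, c.ss_client.port, c.protocol): c.cs_client for c in conns}


def lookup_subscriber(conns: List[Connection], outside_addr: str,
                      outside_port: int, protocol: str) -> Optional[Endpoint]:
    return outside_to_inside(conns).get((outside_addr, outside_port, protocol))


def subscribers_behind(conns: List[Connection], outside_addr: str) -> List[Endpoint]:
    """Every distinct subscriber currently translated to one outside address."""
    seen: List[Endpoint] = []
    for c in conns:
        if c.ss_client.address == outside_addr and c.cs_client not in seen:
            seen.append(c.cs_client)
    return seen


if __name__ == "__main__":
    table = parse_connections(SAMPLE_OUTPUT)
    print("197.72.211.61:1064/tcp ->", lookup_subscriber(table, "197.72.211.61", 1064, "tcp"))
    print("behind 197.72.211.61:", [e.address for e in subscribers_behind(table, "197.72.211.61")])
```

The connection table is a live snapshot, so this only answers "who owns that outside port right now"; an after-the-fact abuse report needs the timestamped LSN allocation logs as the durable record, and the lookup key must include the protocol because TCP and UDP port spaces are translated independently.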
BIG-IP CGNAT - VLAN CMP Hash
Hello Devs! How is everybody doing? I'm trying to wrap my head around a requirement for the CGNAT module. Currently, it's mandatory that, for CGNAT using PBA LSN pools, the ingress VLAN uses source address as the VLAN CMP hash and the egress VLAN uses destination as the CMP hash. I understand what the CMP hash does, but in an environment where the BIG-IP is the CGNAT device and routes to the Internet, every time a new client connects it will use ephemeral ports as the source and different destination IPs as the destination, so the default CMP hash would/should do the trick. But if I don't set the CMP hash correctly, I get some errors in /var/lo/ltm:

Feb 6 14:54:01 bigip1 err tmm[31839]: 01670024:3: Unsupported DAG mode for LSN pool(/Common/lsn_pool_rd10) mode PBA on interface /Common/F5_BACKBONE
Feb 6 14:54:53 bigip1 err tmm[31839]: 01670024:3: Unsupported DAG mode for LSN pool(/Common/lsn_pool_rd10) mode PBA on interface /Common/F5_BACKBONE

I just wanted to understand the why of this. Thanks, Rafael.
BIG-IP CGNAT Module - General Questions
Hello Devs! We're deploying a high performance VE running only the CGNAT module. Our client asked some tricky questions that I could not find the answer to in the documentation. Could you guys have a try at them? We are running v14.1.0.

1. On the LSN pool, running in PBA mode, when you configure the member prefix IPs as a /24 for example, how does the BIG-IP choose which IP to use under the prefix? Is it random? Is there some rule? For example:

ltm lsn-pool pool_CGNAT_GPON-4711 {
    egress-interfaces {
        VLAN889_TRANSITO-OUT-GPON
    }
    egress-interfaces-enabled
    members {
        200.200.200.0%4712/24
    }
    mode pba
    port-block-allocation {
        block-idle-timeout 900
        block-size 512
        client-block-limit 2
    }
    route-advertisement enabled
}

In this example, which IP would the first client be translated to? 200.200.200.1? 200.200.200.5? What I have seen so far is pretty much random, but I don't know if the subscriber internal IPs play into some kind of hashing. Any thoughts?

2. What happens regarding logs if a CGNAT subscriber stays connected and generates steady traffic? When the subscriber hits the BIG-IP for the first time, the BIG-IP allocates a block for it and logs an LSN-ALLOCATE event. If this same subscriber stays connected with a steady traffic flow for many days (and my pool does not have a lifetime configured), we would not see the LSN-RELEASE event log message. Our client wanted to know if there's some kind of update log message, sent every X amount of time, to reiterate that this specific subscriber still has that IP. This is necessary for auditing purposes. Very tricky question, I know. Thanks, Rafael
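The auditing concern in question 2 comes down to replaying allocate/release events: a block with an LSN-ALLOCATE and no LSN-RELEASE is still held, however old it is. The following is an added example, not code from the post and not an F5 log format: it uses a constructed key=value event layout (the field names `lsn_event`, `subscriber`, `nat_ip`, `port_start`, `port_end` are assumptions), replays the events to answer "which subscriber held this outside IP:port at time T", lists blocks still open as of a given time, and checks the log against the `block-size 512` and `client-block-limit 2` settings of the pool shown above.

```python
"""PBA traceability from allocate/release logs.

Added example, not part of the original post. The log format below is
constructed for illustration; real BIG-IP LSN log strings differ in field
names, so adapt EVENT_RE to the log publisher format in use.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample: one NAT IP, 512-port blocks, subscriber 10.10.1.5 takes a
# third block at 12:30 which a client-block-limit of 2 should never allow.
SAMPLE_LOG = """\
2020-03-01T10:00:00Z lsn_event=LSN_ALLOCATE subscriber=10.10.1.5 pool=pool_CGNAT_GPON-4711 nat_ip=200.200.200.17 port_start=1024 port_end=1535
2020-03-01T10:01:00Z lsn_event=LSN_ALLOCATE subscriber=10.10.1.6 pool=pool_CGNAT_GPON-4711 nat_ip=200.200.200.17 port_start=1536 port_end=2047
2020-03-01T10:30:00Z lsn_event=LSN_ALLOCATE subscriber=10.10.1.5 pool=pool_CGNAT_GPON-4711 nat_ip=200.200.200.17 port_start=2048 port_end=2559
2020-03-01T12:00:00Z lsn_event=LSN_RELEASE subscriber=10.10.1.6 nat_ip=200.200.200.17 port_start=1536 port_end=2047
2020-03-01T12:05:00Z lsn_event=LSN_ALLOCATE subscriber=10.10.1.9 pool=pool_CGNAT_GPON-4711 nat_ip=200.200.200.17 port_start=1536 port_end=2047
2020-03-01T12:30:00Z lsn_event=LSN_ALLOCATE subscriber=10.10.1.5 pool=pool_CGNAT_GPON-4711 nat_ip=200.200.200.17 port_start=2560 port_end=3071
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+lsn_event=(?P<kind>LSN_ALLOCATE|LSN_RELEASE)\s+subscriber=(?P<sub>\S+)"
    r".*?\bnat_ip=(?P<nat>\S+)\s+port_start=(?P<start>\d+)\s+port_end=(?P<end>\d+)"
)

Block = Tuple[str, int, int]  # (nat_ip, port_start, port_end)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    subscriber: str
    nat_ip: str
    port_start: int
    port_end: int

    @property
    def block(self) -> Block:
        return (self.nat_ip, self.port_start, self.port_end)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # unrelated log lines
        events.append(Event(parse_ts(m["ts"]), m["kind"], m["sub"], m["nat"],
                            int(m["start"]), int(m["end"])))
    events.sort(key=lambda e: e.ts)  # replay must be chronological
    return events


def blocks_held(events: List[Event], as_of: datetime) -> Dict[Block, Tuple[str, datetime]]:
    """Replay events up to as_of; returns block -> (subscriber, allocated since)."""
    held: Dict[Block, Tuple[str, datetime]] = {}
    for e in events:
        if e.ts > as_of:
            break
        if e.kind == "LSN_ALLOCATE":
            held[e.block] = (e.subscriber, e.ts)
        else:
            held.pop(e.block, None)
    return held


def who_had(events: List[Event], nat_ip: str, port: int, at: datetime) -> Optional[str]:
    """Subscriber that owned nat_ip:port at time 'at', or None if the port was free."""
    for (ip, start, end), (sub, _) in blocks_held(events, at).items():
        if ip == nat_ip and start <= port <= end:
            return sub
    return None


def open_blocks(events: List[Event], as_of: datetime) -> List[Tuple[str, str, int, int, datetime]]:
    """Blocks allocated with no LSN_RELEASE yet: the long-lived subscriber case from the
    post, where nothing is logged after the allocation however long it is held."""
    return sorted((sub, ip, s, e, since) for (ip, s, e), (sub, since) in blocks_held(events, as_of).items())


def check_policy(events: List[Event], block_size: int, client_block_limit: int) -> List[Tuple[datetime, str, str]]:
    """Report events that contradict the pool's block-size / client-block-limit settings."""
    violations = []
    blocks_per_sub: Dict[str, int] = {}
    for e in events:
        if e.kind == "LSN_ALLOCATE":
            if e.port_end - e.port_start + 1 != block_size:
                violations.append((e.ts, e.subscriber, "block size mismatch"))
            blocks_per_sub[e.subscriber] = blocks_per_sub.get(e.subscriber, 0) + 1
            if blocks_per_sub[e.subscriber] > client_block_limit:
                violations.append((e.ts, e.subscriber, "client-block-limit exceeded"))
        else:
            blocks_per_sub[e.subscriber] = max(0, blocks_per_sub.get(e.subscriber, 0) - 1)
    return violations


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print(who_had(ev, "200.200.200.17", 1600, parse_ts("2020-03-01T12:10:00Z")))
    print(open_blocks(ev, parse_ts("2020-03-01T13:00:00Z")))
    print(check_policy(ev, block_size=512, client_block_limit=2))
```

The replay is only as good as the log: a lost LSN-RELEASE makes a block look held forever, and a lost LSN-ALLOCATE makes its ports look free, which is exactly why a periodic "still allocated" record is worth having for audit purposes and why log delivery should be monitored rather than assumed.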
TMM memory leaking due to log publisher configuration
Hi dears, I use the F5 CGNAT module and I define a log publisher on F5 for remote logging. I have a memory leak problem: tmm memory increases over time. F5 version: 14.1.2.3

picture1: https://ibb.co/YDN88Bz

After analyzing "show sys memory" output we noticed that the memory leak is because of the Log profile:

picture2: https://ibb.co/4m3snGt

For troubleshooting I looked at the logs in tmm using "# cat /var/log/tmm" and noticed that there are a lot of logs saying there is a problem with the publisher:

# cat /var/log/tmm
<13> Jul 7 03:51:24 slot1/f5-one notice alg_hs_log_alg_event/1190: errdefs publisher log failure
<13> Jul 7 03:51:24 slot1/f5-one notice alg_hs_log_alg_event/1190: errdefs publisher log failure
<13> Jul 7 03:51:24 slot1/f5-one notice alg_hs_log_alg_event/1190: errdefs publisher log failure
.
.

Now the question is: how can I analyze these logs and find a solution for the tmm memory leak? Does anyone know the "logger" tool? Or has someone encountered this problem before? We have had this problem for a long time, and it has not been resolved by updating the version.

picture3: https://ibb.co/R9dYLdM
picture4: https://ibb.co/nfYJvd0

Sys::Provision
Module  CPU (%)  Memory (MB)  Host-Memory (MB)  Disk (MB)
---------------------------------------------------------
afm0000
am0000
apm0000
asm0000
avr118887687800
dos0000
fps0000
gtm0000
host10200300527856
ilx10121020
lc0000
ltm1000
pem0000
sslo0000
swg0000
tmos87424787000
urldb0000
vcmp0000

thanks.
Problem between F5 CGNAT and Graylog Server
Dear F5 Community, I have an F5 BIG-IP i7600 running Version 14.1.0.3 Build 0.0.6 as CGNAT. And I installed Graylog server version 3.0 free edition to receive the LSN CGNAT logs. I followed the document below to send the CGNAT logs from F5 CGNAT to the Graylog server as HSL, but Graylog cannot receive the CGNAT logs from F5. https://techdocs.f5.com/en-us/bigip-14-0-0/big-ip-cgnat-implementations-14-0-0/using-cgnat-logging-and-subscriber-traceability.html Has anyone had such an experience, and how did you solve the issue? Please kindly advise. Thank you.
Has anyone done traffic logging?
Hi guys, I'm searching for a method which can log or inspect traffic information. Target licenses are LTM and CGNAT. I have looked at Telemetry Streaming but that seems to provide sampled information. I need full traffic information, not sampled data; also I don't need mirroring. I think using an iRule with HSL could be a method, but I'm wondering how much traffic can be logged. "How much" means about 150K CPS, and whether the BIG-IP's disk would be able to hold the logs.
BIG-IP CGNAT - v15 - PBA periodic block refresh logs
Hello Devs! I read in the v15.0.0 release notes that you can now send periodic block refresh logs. https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-15-0-0.html "CGNAT: Port Block Allocation periodic block refresh logs. This release includes a new logging option that logs Port Block Allocation (PBA) blocks periodically with a configurable refresh time." I tried to find this option in the GUI and CLI but I just can't find it. I even tried on v15.1.0. Does anybody know where it is hidden? Thanks, Rafael