Product Documentation

Logging and Monitoring Large Scale NAT64

Aug 30, 2016

You can log large scale NAT64 information to diagnose and troubleshoot problems, and to meet legal requirements. You can monitor the performance of the large scale NAT64 deployment by using statistical counters and displaying the related current sessions.

Logging Large Scale NAT64

Logging large scale NAT64 information is required for ISPs to meet legal requirements and identify the source of traffic at any given time.

A log message for a large scale NAT64 mapping entry consists of the following information:

  • NetScaler owned IP address (NSIP address or SNIP address) from which the log message is sourced.
  • Time stamp.
  • Entry type (MAPPING).
  • Whether the mapping entry was created or deleted.
  • Subscriber's IP address, port, and traffic domain ID.
  • NAT IP address and port.
  • Protocol name.
  • Destination IP address, port, and traffic domain ID might be present, depending on the following conditions:
    • Destination IP address and port are not logged for endpoint-independent mapping.
    • Only the destination IP address is logged for address-dependent mapping. The port is not logged.
    • Destination IP address and port are logged for address-port-dependent mapping.

A log message for a large scale NAT64 session consists of the following information:

  • NetScaler owned IP address (NSIP address or SNIP address) from which the log message is sourced
  • Time stamp
  • Entry type (SESSION)
  • Whether the session is created or removed
  • Subscriber's IP address, port, and traffic domain ID
  • NAT IP address and port
  • Protocol name
  • Destination IP address, port, and traffic domain ID

The following table displays sample large scale NAT64 log entries of each type stored on the configured log servers. The log entries show that a subscriber whose IPv6 address is 2001:db8:5001::9 was connected to destination IP:port 23.0.0.1:80 through NAT IP:port 203.0.113.63:45195 on April 7, 2016, from 14:07:57 GMT to 14:10:59 GMT.

| Log Entry Type | Sample Log Entry |
|---|---|
| Session Creation | 04/07/2016:14:07:57 GMT  Informational 0-PPE-10 : default LSN LSN_SESSION 5532 0 :  SESSION CREATED Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP |
| Mapping Creation | 04/07/2016:14:07:57 GMT  Informational 0-PPE-10 : default LSN LSN_ADDR_MAPPING 5533 0 :  ADM CREATED Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:TD 23.0.0.1:80, Protocol: TCP |
| Session Deletion | 04/07/2016:14:10:59 GMT  0-PPE-10 : default LSN LSN_SESSION 25012 0 :  SESSION DELETED Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP |
| Mapping Deletion | 04/07/2016:14:10:59 GMT 0-PPE-10 : default LSN LSN_ADDR_MAPPING 25013 0 : ADM DELETED Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP |

Configuration Steps

You can configure logging of large scale NAT64 information for a large scale NAT64 configuration by setting the LSN group's logging and session logging parameters. These are group level parameters and are disabled by default. The NetScaler appliance logs large scale NAT64 sessions for an LSN group only when both logging and session logging parameters are enabled.

The following table displays the logging behavior for an LSN group for various settings of logging and session logging parameters.

| Logging | Session Logging | Logging Behavior |
|---|---|---|
| Enabled | Enabled | Logs LSN mapping entries as well as LSN sessions |
| Enabled | Disabled | Logs LSN mapping entries but not LSN sessions |
| Disabled | Enabled | Logs neither mapping entries nor LSN sessions |

To log large scale NAT64 information by using the NetScaler command line

To set the logging and session logging parameters while adding an LSN group, at the command prompt, type:

  • add lsn group <groupname> -clientname <string> [-logging (ENABLED|DISABLED)] [-sessionLogging (ENABLED|DISABLED)]
  • show lsn group

To set the logging and session logging parameters for an existing LSN group, at the command prompt, type:

  • set lsn group <groupname> [-logging (ENABLED|DISABLED)] [-sessionLogging (ENABLED|DISABLED)]
  • show lsn group

Sample Configuration

In this example of large scale NAT64 configuration, logging and session logging parameters are enabled for LSN group LSN-NAT64-GROUP-1.

The NetScaler appliance logs large scale NAT64 session and mapping information for connections from subscribers (in the network 2001:DB8:5001::/96).


> add lsn client LSN-NAT64-CLIENT-1

Done

> bind lsn client LSN-NAT64-CLIENT-1 -network6 2001:DB8:5001::/96

Done

> add lsn pool LSN-NAT64-POOL-1

Done

> bind lsn pool LSN-NAT64-POOL-1 203.0.113.61 - 203.0.113.70

Done

> add lsn ip6profile LSN-NAT64-PROFILE-1 -type NAT64 -natprefix 2001:DB8:300::/96

Done

> add lsn group LSN-NAT64-GROUP-1 -clientname LSN-NAT64-CLIENT-1  -ip6profile LSN-NAT64-PROFILE-1  -logging ENABLED -sessionLogging ENABLED

Done

> bind lsn group LSN-NAT64-GROUP-1 -poolname LSN-NAT64-POOL-1

Done

Logging MSISDN Information for Large Scale NAT64

A Mobile Station Integrated Subscriber Directory Number (MSISDN) is a telephone number uniquely identifying a subscriber across multiple mobile networks. The MSISDN is associated with a country code and a national destination code identifying the subscriber's operator.

You can configure a NetScaler appliance to include MSISDNs in large scale NAT64 LSN log entries for subscribers in mobile networks. The presence of MSISDNs in the LSN logs facilitates faster and more accurate back tracing of a mobile subscriber who has violated a policy or law, or whose information is required by lawful interception agencies.

The following sample LSN log entries include MSISDN information for a connection from a mobile subscriber in an LSN configuration. The log entries show that a mobile subscriber whose MSISDN is E164:5556543210 and IPv6 address is 2001:db8:5001::9 was connected to destination IP:port 23.0.0.1:80 through the NAT IP:port 203.0.113.63:45195 on April 7, 2016, from 14:07:57 GMT to 14:10:59 GMT.

| Log Entry Type | Sample Log Entry |
|---|---|
| Session Creation | 04/07/2016:14:07:57 GMT  Informational 0-PPE-10 : default LSN LSN_SESSION 5532 0 :  SESSION CREATED E164:5556543210 Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP |
| Mapping Creation | 04/07/2016:14:07:57 GMT  Informational 0-PPE-10 : default LSN LSN_ADDR_MAPPING 5533 0 :  ADM CREATED E164:5556543210 Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:TD 23.0.0.1:80, Protocol: TCP |
| Session Deletion | 04/07/2016:14:10:59 GMT  0-PPE-10 : default LSN LSN_SESSION 25012 0 :  SESSION DELETED E164:5556543210 Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP |
| Mapping Deletion | 04/07/2016:14:10:59 GMT 0-PPE-10 : default LSN LSN_ADDR_MAPPING 25013 0 : ADM DELETED E164:5556543210 Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP |
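
The sample entries in this section and in "Logging Large Scale NAT64" exist to answer one question: which subscriber held a given NAT IP:port at a given time. The following Python is an added example, not Citrix code; the field layout is inferred only from the sample entries on this page, the function names are hypothetical, and the last sample line is constructed.

```python
import re
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT\s+"
    r"(?:(?P<sev>[A-Za-z]+)\s+)?"               # severity is missing in the DELETED samples
    r"\S+ : \S+ LSN (?P<feature>LSN_\w+) \d+ \d+ :\s+"
    r"(?P<event>[A-Z]+ (?:CREATED|DELETED))\s+"
    r"(?:E164:(?P<msisdn>\d+)\s+)?"             # present only when MSISDN logging is enabled
    r"Client IP-Port:TD (?P<cip>[0-9A-Fa-f:.]+)-(?P<cport>\d+):(?P<td>\d+), "
    r"NatIP:NatPort (?P<nip>[\d.]+):(?P<nport>\d+), "
    r"Destination (?P<dst>[^,]+), Protocol: (?P<proto>\w+)\s*$"  # dst kept raw: layout varies
)

# First four lines are the MSISDN samples from this page; the last line is constructed.
SAMPLE = """\
04/07/2016:14:07:57 GMT  Informational 0-PPE-10 : default LSN LSN_SESSION 5532 0 :  SESSION CREATED E164:5556543210 Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP
04/07/2016:14:07:57 GMT  Informational 0-PPE-10 : default LSN LSN_ADDR_MAPPING 5533 0 :  ADM CREATED E164:5556543210 Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:TD 23.0.0.1:80, Protocol: TCP
04/07/2016:14:10:59 GMT  0-PPE-10 : default LSN LSN_SESSION 25012 0 :  SESSION DELETED E164:5556543210 Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP
04/07/2016:14:10:59 GMT 0-PPE-10 : default LSN LSN_ADDR_MAPPING 25013 0 : ADM DELETED E164:5556543210 Client IP-Port:TD 2001:db8:5001::9-34937:0, NatIP:NatPort 203.0.113.63:45195, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP
04/07/2016:14:08:30 GMT  Informational 0-PPE-10 : default LSN LSN_SESSION 5540 0 :  SESSION CREATED Client IP-Port:TD 2001:db8:5001::a-40000:0, NatIP:NatPort 203.0.113.64:50000, Destination IP:Port:TD 23.0.0.1:0:80, Protocol: TCP
""".splitlines()

def parse(line):
    """Return the fields of one LSN log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y:%H:%M:%S").replace(tzinfo=timezone.utc)
    return rec

def intervals(lines):
    """Pair each CREATED entry with its DELETED entry; unmatched CREATED entries stay open."""
    open_, closed = {}, []
    for rec in filter(None, map(parse, lines)):
        key = (rec["feature"], rec["cip"], rec["cport"], rec["nip"], rec["nport"], rec["proto"])
        if rec["event"].endswith("CREATED"):
            open_[key] = rec
        elif key in open_:
            closed.append((open_.pop(key), rec["ts"]))
    return closed + [(rec, None) for rec in open_.values()]

def attribute(lines, nat_ip, nat_port, when):
    """Return (msisdn, subscriber_ip, subscriber_port) tuples holding nat_ip:nat_port at `when`."""
    hits = set()
    for start, end in intervals(lines):
        if (start["nip"], start["nport"]) != (nat_ip, str(nat_port)):
            continue
        if start["ts"] <= when and (end is None or when <= end):
            hits.add((start["msisdn"], start["cip"], int(start["cport"])))
    return sorted(hits, key=lambda h: (h[1], h[2]))
```

Lines that `parse` rejects are silently skipped by `intervals`; in a retention pipeline, count them, because an unparsed DELETED entry leaves an interval open and widens the attribution window.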

Configuration Steps

Perform the following tasks for including MSISDN information in LSN logs:

  • Create an LSN log profile. An LSN log profile includes the log subscriber ID parameter, which specifies whether or not to include the MSISDN information in the LSN logs of an LSN configuration.
  • Bind the LSN log profile to an LSN group of an LSN configuration. Bind the created LSN log profile to an LSN group of an LSN configuration by setting the log profile name parameter to the created LSN log profile name. MSISDN information is included in all LSN logs related to mobile subscribers of this LSN group.

To create an LSN log profile by using the NetScaler command line

At the command prompt, type:

  • add lsn logprofile <logprofilename> -logSubscriberID ( ENABLED | DISABLED )
  • show lsn logprofile

To bind an LSN log profile to an LSN group of an NAT64 LSN configuration by using the NetScaler command line

At the command prompt, type:

  • bind lsn group <groupname>  -logProfileName <lsnlogprofilename>
  • show lsn group

Sample Configuration

In this example of NAT64 LSN configuration, the LSN log profile LOG-PROFILE-MSISDN-1 has the log subscriber ID parameter enabled. LOG-PROFILE-MSISDN-1 is bound to LSN group LSN-NAT64-GROUP-1. MSISDN information is included in the LSN session and LSN mapping logs for connections from mobile subscribers (in network 2001:DB8:5001::/96).


>  add lsn logprofile  LOG-PROFILE-MSISDN-1  -logSubscriberID ENABLED
Done

> add lsn client LSN-NAT64-CLIENT-1

Done

> bind lsn client LSN-NAT64-CLIENT-1 -network6 2001:DB8:5001::/96

Done

> add lsn pool LSN-NAT64-POOL-1

Done

> bind lsn pool LSN-NAT64-POOL-1 203.0.113.61 - 203.0.113.70

Done

> add lsn ip6profile LSN-NAT64-PROFILE-1 -type NAT64 -natprefix 2001:DB8:300::/96

Done

> add lsn group LSN-NAT64-GROUP-1 -clientname LSN-NAT64-CLIENT-1  -ip6profile LSN-NAT64-PROFILE-1

Done

> bind lsn group LSN-NAT64-GROUP-1 -poolname LSN-NAT64-POOL-1

Done

> bind lsn group LSN-NAT64-GROUP-1 -logprofilename  LOG-PROFILE-MSISDN-1    

Done

Compact Logging for Large Scale NAT

Logging LSN information is one of the important functions needed by ISPs to meet legal requirements and be able to identify the source of traffic at any given time. This eventually results in a huge volume of log data, requiring the ISPs to make large investments to maintain the logging infrastructure.

Compact logging is a technique for reducing the log size by using a notational change involving short codes for event and protocol names. For example, C for client, SC for session created, and T for TCP. Compact logging results in an average of 40 percent reduction in log size.

Configuration Steps

Perform the following tasks for logging LSN information in compact format:

  1. Create an LSN log profile. An LSN log profile includes the Log Compact parameter, which specifies whether or not to log information in compact format for an LSN configuration.
  2. Bind the LSN log profile to an LSN group of an LSN configuration. Bind the created LSN log profile to an LSN group of an LSN configuration by setting the Log Profile Name parameter to the created LSN log profile name. All sessions and mappings for this LSN group are logged in compact format.

To create an LSN log profile by using the NetScaler command line

At the command prompt, type:

  • add lsn logprofile <logprofilename> -logCompact (ENABLED|DISABLED)
  • show lsn logprofile

To bind an LSN log profile to an LSN group of an LSN configuration by using the NetScaler command line

At the command prompt, type:

  • bind lsn group <groupname> -logProfileName <lsnlogprofilename>
  • show lsn group

Sample Configuration for NAT64

>  add lsn logprofile  LOG-PROFILE-COMPACT-1 -logCompact ENABLED
Done

> add lsn client LSN-NAT64-CLIENT-1

Done

> bind lsn client LSN-NAT64-CLIENT-1 -network6 2001:DB8:5001::/96

Done

> add lsn pool LSN-NAT64-POOL-1

Done

> bind lsn pool LSN-NAT64-POOL-1 203.0.113.61 - 203.0.113.70

Done

> add lsn ip6profile LSN-NAT64-PROFILE-1 -type NAT64 -natprefix 2001:DB8:300::/96

Done

> add lsn group LSN-NAT64-GROUP-1 -clientname LSN-NAT64-CLIENT-1  -ip6profile LSN-NAT64-PROFILE-1

Done

> bind lsn group LSN-NAT64-GROUP-1 -poolname LSN-NAT64-POOL-1

Done

> bind lsn group LSN-NAT64-GROUP-1 -logProfileName LOG-PROFILE-COMPACT-1

Done

Logging HTTP Header Information

The NetScaler appliance can log request header information of an HTTP connection that is using the NetScaler large scale NAT64 functionality. The following header information of an HTTP request packet can be logged:

  • URL that the HTTP request is destined to
  • HTTP Method specified in the HTTP request
  • HTTP version used in the HTTP request

  • IPv6 address of the subscriber that sent the HTTP request

The HTTP header logs can be used by ISPs to see the trends related to the HTTP protocol among a set of subscribers. For example, an ISP can use this feature to find out the most popular website among a set of subscribers.

Configuration Steps

Perform the following tasks for configuring the NetScaler appliance to log HTTP header information:

  • Create an HTTP header log profile. An HTTP header log profile is a collection of HTTP header attributes (for example, URL and HTTP method) that can be enabled or disabled for logging.
  • Bind the HTTP header log profile to an LSN group of a large scale NAT64 configuration. Bind the HTTP header log profile to an LSN group of an LSN configuration by setting the HTTP header log profile name parameter to the name of the created HTTP header log profile. The NetScaler appliance then logs HTTP header information of any HTTP requests related to the LSN group. An HTTP header log profile can be bound to multiple LSN groups, but an LSN group can have only one HTTP header log profile.

To create an HTTP header log profile by using the command line interface

At the command prompt, type:

  • add lsn httphdrlogprofile <httphdrlogprofilename> [-logURL ( ENABLED | DISABLED )] [-logMethod ( ENABLED | DISABLED )] [-logVersion ( ENABLED | DISABLED )] [-logHost ( ENABLED | DISABLED )]
  • show lsn httphdrlogprofile 


To bind an HTTP header log profile to an LSN group by using the command line interface

At the command prompt, type:

  • bind lsn group <groupname> -httphdrlogprofilename <string>
  • show lsn group <groupname>

 

Sample Configuration


>  add lsn httphdrlogprofile HTTP-HEADER-LOG-1

Done

> add lsn client LSN-NAT64-CLIENT-1

Done

> bind lsn client LSN-NAT64-CLIENT-1 -network6 2001:DB8:5001::/96

Done

> add lsn pool LSN-NAT64-POOL-1

Done

> bind lsn pool LSN-NAT64-POOL-1 203.0.113.61 - 203.0.113.70

Done

> add lsn ip6profile LSN-NAT64-PROFILE-1 -type NAT64 -natprefix 2001:DB8:300::/96

Done

> add lsn group LSN-NAT64-GROUP-1 -clientname LSN-NAT64-CLIENT-1  -ip6profile LSN-NAT64-PROFILE-1 

Done

> bind lsn group LSN-NAT64-GROUP-1 -poolname LSN-NAT64-POOL-1

Done

> bind lsn group LSN-NAT64-GROUP-1 -httphdrlogprofilename HTTP-HEADER-LOG-1

Done

Displaying Current Large Scale NAT64 Sessions

You can display the current large scale NAT64 sessions in order to detect any unwanted or inefficient sessions on the NetScaler appliance. You can display all or some large scale NAT64 sessions on the basis of selection parameters.

Note

When more than a million large scale NAT64 sessions exist on the NetScaler appliance, Citrix recommends using the selection parameters to display selected large scale NAT64 sessions instead of displaying all of them.

To display all large scale NAT64 sessions by using the command line interface

At the command prompt, type:

  • show lsn session -nattype NAT64

To display selective large scale NAT64 sessions by using the command line interface

At the command prompt, type:

  • show lsn session -nattype NAT64 [-network6 <ipv6_addr|*>] [-clientname <string>] [-natIP <ip_addr> [-natPort <port>]]

Displaying Large Scale NAT64 Statistics

You can display statistics related to the large scale NAT64 module, and evaluate its performance or troubleshoot problems. You can display a summary of statistics of all large scale NAT64 configurations or of a particular large scale NAT64 configuration. The statistical counters reflect events since the NetScaler appliance was last restarted. All these counters are reset to 0 when the NetScaler appliance is restarted.

To display total statistics of large scale NAT64 by using the command line interface

At the command prompt, type:

  • stat lsn nat64

To display statistics for a specified large scale NAT64 configuration by using the command line interface

At the command prompt, type:

  • stat lsn group <groupname>

Clearing Large Scale NAT64 Sessions

You can remove any unwanted or inefficient large scale NAT64 sessions from the NetScaler appliance. The appliance immediately releases resources (such as NAT IP address, port, and memory) allocated for these sessions, making the resources available for new sessions. The appliance also drops all the subsequent packets related to these removed sessions. You can remove all or selected large scale NAT64 sessions from the NetScaler appliance.

To clear all large scale NAT64 sessions by using the command line interface

At the command prompt, type:

  • flush lsn session -nattype NAT64
  • show lsn session -nattype NAT64

To clear selective large scale NAT64 sessions by using the command line interface

At the command prompt, type:

  • flush lsn session -nattype NAT64 [-network6 <ipv6_addr|*>] [-clientname <string>] [-natIP <ip_addr> [-natPort <port>]]
  • show lsn session -nattype NAT64 [-network6 <ipv6_addr|*>] [-clientname <string>] [-natIP <ip_addr> [-natPort <port>]]

Sample Configuration

Clear all large scale NAT64 sessions existing on a NetScaler appliance

> flush lsn session -nattype NAT64

Done  

Clear all large scale NAT64 sessions related to client entity LSN-NAT64-CLIENT-1   

> flush lsn session -nattype NAT64 -clientname LSN-NAT64-CLIENT-1

 Done  

Clear all large scale NAT64 sessions related to a subscriber network (2001:DB8:5001::/96) of LSN client entity LSN-NAT64-CLIENT-2

> flush lsn session -nattype NAT64 -network6 2001:DB8:5001::/96 -clientname LSN-NAT64-CLIENT-2

 Done