Applies To:

Show Versions Show Versions

Manual Chapter: Using CGNAT Logging and Subscriber Traceability
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Overview: Configuring local logging for CGNAT

You can configure the BIG-IP® system to send log messages about carrier grade network address translation (CGNAT) processes to the local Syslog database on the BIG-IP system.

Note: Enabling logging impacts BIG-IP system performance.

When configuring local logging of CGNAT processes, it is helpful to understand the objects you need to create and why:

Object Reason Applies to
Destination (formatted/local) Create a formatted log destination to format the logs in human-readable name/value pairs, and forward the logs to the local-syslog database. Creating a formatted local log destination for CGNAT.
Publisher (local-syslog) Create a log publisher to send logs to the previously created destination that formats the logs in name/value pairs, and forwards the logs to the local Syslog database on the BIG-IP system. Creating a publisher to send log messages to the local Syslog database.
LSN pool Associate a large scale NAT (LSN) pool with a log publisher in order to log messages about the traffic that uses the pool. Configuring an LSN pool with a local Syslog log publisher.

Task summary

Creating a formatted local log destination for CGNAT

Create a formatted logging destination to specify that log messages about CGNAT processes are sent to the local Syslog database in a format that displays name/value pairs in a human-readable format.

  1. On the Main tab, click System > Logs > Configuration > Log Destinations .
    The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select Splunk.
    The Splunk format is a predefined format of key value pairs.
  5. From the Forward To list, select local-syslog.
  6. Click Finished.

Creating a publisher to send log messages to the local Syslog database

Create a publisher to specify that the BIG-IP® system sends formatted log messages to the local Syslog database, on the BIG-IP system.
  1. On the Main tab, click System > Logs > Configuration > Log Publishers .
    The Log Publishers screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this publisher.
  4. For the Destinations setting, select the previously created destination from the Available list (which formats the logs in the Splunk format and forwards the logs to the local Syslog database) and move the destination to the Selected list.
  5. Click Finished.

Configuring an LSN pool with a local Syslog log publisher

Before associating a large scale NAT (LSN) pool with a log publisher, ensure that at least one log publisher exists that sends formatted log messages to the local Syslog database on the BIG-IP® system.
Associate an LSN pool with the log publisher that the BIG-IP system uses to send formatted log messages to the local Syslog database.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools .
    The LSN Pool List screen opens.
  2. Click the name of an LSN pool.
  3. From the Log Publisher list, select the log publisher that sends formatted log messages to the local Syslog database on the BIG-IP system.
  4. Click Finished.

Overview: Configuring remote high-speed logging for CGNAT

You can configure the BIG-IP® system to log information about carrier-grade network address translation (CGNAT) processes and send the log messages to remote high-speed log servers.

This illustration shows the association of the configuration objects for remote high-speed logging of CGNAT processes.

Associations between CGNAT remote high-speed logging configuration objects

Association of remote high-speed logging configuration objects

Task summary

Perform these tasks to configure remote high-speed logging of CGNAT processes on the BIG-IP system.
Note: Enabling remote high-speed logging impacts BIG-IP system performance.

About the configuration objects of high-speed logging

When configuring remote high-speed logging (HSL) of CGNAT processes, it is helpful to understand the objects you need to create and why, as described here:

Object Reason Applies to
Pool of remote log servers Create a pool of remote log servers to which the BIG-IP® system can send log messages. Creating a pool of remote logging servers.
Destination (formatted) Create log destination to format the logs in the required format and forward the logs to a remote high-speed log destination. Creating a formatted remote high-speed log destination.
Publisher Create a log publisher to send logs to a set of specified log destinations. Creating a publisher.
Logging Profile (optional) Create a logging profile to configure logging options for various large scale NAT (LSN) events. The options apply to all HSL destinations. Creating a LSN logging profile.
LSN pool Associate an LSN pool with a logging profile and log publisher in order to log messages about the traffic that uses the pool. Configuring an LSN pool.

Creating a pool of remote logging servers

Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP® system.
Create a pool of remote log servers to which the BIG-IP system can send log messages.
  1. On the Main tab, click the applicable path.
    • DNS > Delivery > Load Balancing > Pools
    • Local Traffic > Pools
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add the IP address for each remote logging server that you want to include in the pool:
    1. Type an IP address in the Address field, or select a node address from the Node List.
    2. Type a service number in the Service Port field, or select a service name from the list.
      Note: Typical remote logging servers require port 514.
    3. Click Add.
  5. Click Finished.

Creating a remote high-speed log destination

Before creating a remote high-speed log destination, ensure that at least one pool of remote log servers exists on the BIG-IP® system.

Create a log destination of the Remote High-Speed Log type to specify that log messages are sent to a pool of remote log servers.

  1. On the Main tab, click System > Logs > Configuration > Log Destinations .
    The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select Remote High-Speed Log.
    Important: If you use log servers such as Remote Syslog, Splunk, or IPFIX, which require data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of the Remote High-Speed Log type. This allows the BIG-IP system to send data to the servers in the required format.
    The BIG-IP system is configured to send an unformatted string of text to the log servers.
  5. From the Pool Name list, select the pool of remote log servers to which you want the BIG-IP system to send log messages.
  6. From the Protocol list, select the protocol used by the high-speed logging pool members.
  7. Click Finished.

Creating a formatted remote high-speed log destination

Ensure that at least one remote high-speed log destination exists on the BIG-IP® system.

Create a formatted logging destination to specify that log messages are sent to a pool of remote log servers, such as Remote Syslog, Splunk, or IPFIX servers.

  1. On the Main tab, click System > Logs > Configuration > Log Destinations .
    The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select a formatted logging destination, such as Remote Syslog, Splunk, or IPFIX.
    The Splunk format is a predefined format of key value pairs.
    The BIG-IP system is configured to send a formatted string of text to the log servers.
  5. If you selected Remote Syslog, from the Syslog Format list, select a format for the logs, and then from the High-Speed Log Destination list, select the destination that points to a pool of remote Syslog servers to which you want the BIG-IP system to send log messages.
    Important: For logs coming from Access Policy Manager® (APM®), only the BSD Syslog format is supported.
  6. If you selected Splunk or IPFIX, from the Forward To list, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages.
  7. Click Finished.

Creating a publisher

Ensure that at least one destination associated with a pool of remote log servers exists on the BIG-IP® system.
Create a publisher to specify where the BIG-IP system sends log messages for specific resources.
  1. On the Main tab, click System > Logs > Configuration > Log Publishers .
    The Log Publishers screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this publisher.
  4. For the Destinations setting, select a destination from the Available list, and click << to move the destination to the Selected list.
    Note: If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or IPFIX.
    Important: If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db variable to false.
  5. Click Finished.

Creating an LSN logging profile

You can create an LSN logging profile to allow you to configure logging options for various LSN events that apply to high-speed logging destinations.
Note: For configuring remote high-speed logging of CGNAT processes on the BIG-IP® system, these steps are optional.
  1. On the Main tab, click Carrier Grade NAT > Logging Profiles > LSN .
    The LSN logging profiles screen opens.
  2. Click Create.
    The New LSN Logging Profile screen opens.
  3. In the Name field, type a unique name for the logging profile.
  4. From the Parent Profile list, select a profile from which the new profile inherits properties.
  5. For the Log Settings area, select the Custom check box.
  6. For the Log Settings area, select Enabled for the following settings, as necessary.
    Setting Description
    Start Outbound Session Generates event log entries at the start of a translation event for an LSN client.
    End Outbound Session Generates event log entries at the end of a translation event for an LSN client.
    Start Inbound Session Generates event log entries at the start of an incoming connection event for a translated endpoint.
    End Inbound Session Generates event log entries at the end of an incoming connection event for a translated endpoint.
    Quota Exceeded Generates event log entries when an LSN client exceeds allocated resources.
    Errors Generates event log entries when LSN translation errors occur.
  7. Click Finished.

Configuring an LSN pool

You can associate an LSN pool with a log publisher and logging profile that the BIG-IP® system uses to send log messages to a specified destination.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools > LSN Pool List .
    The LSN Pool List screen opens.
  2. Select an LSN pool from the list.
    The configuration screen for the pool opens.
  3. From the Log Publisher list, select the log publisher the BIG-IP system uses to send log messages to a specified destination.
    Important: If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db variable to false.
  4. Optional: From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various LSN events.
  5. Click Finished.
You now have an LSN pool for which the BIG-IP system logs messages using the specified logging profile.

Overview: Configuring IPFIX logging for CGNAT

You can configure the BIG-IP® system to log information about carrier grade network address translation (CGNAT) processes and send the log messages to remote IPFIX collectors.

IPFIX is a set of IETF standards described in RFCs 5101 and 5102. The BIG-IP system supports logging of CGNAT translation events over the IPFIX protocol. IPFIX logs are raw, binary-encoded strings with their fields and field lengths defined by IPFIX templates. IPFIX collectors are external devices that can receive IPFIX templates, and use them to interpret IPFIX logs.

Task summary

Perform these tasks to configure IPFIX logging of CGNAT processes on the BIG-IP system.
Note: Enabling IPFIX logging impacts BIG-IP system performance.

About the configuration objects of IPFIX logging

The configuration process involves creating and connecting the following configuration objects.

Object Reason Applies to
Pool of IPFIX collectors Create a pool of remote log servers to which the BIG-IP® system can send log messages. Assembling a pool of IPFIX collectors.
Destination Create a log destination to format the logs in IPFIX templates, and forward the logs to the IPFIX collectors. Creating an IPFIX log destination.
Publisher Create a log publisher to send logs to a set of specified log destinations. Creating a publisher.
Logging Profile (optional) Create a logging profile to configure logging options for various large scale NAT (LSN) events. The options apply to all HSL destinations. Creating an LSN logging profile.
LSN pool Associate an LSN pool with a logging profile and log publisher in order to log messages about the traffic that uses the pool. Configuring an LSN pool.

Assembling a pool of IPFIX collectors

Before creating a pool of IPFIX collectors, gather the IP addresses of the collectors that you want to include in the pool. Ensure that the remote IPFIX collectors are configured to listen to and receive log messages from the BIG-IP® system.
These are the steps for creating a pool of IPFIX collectors. The BIG-IP system can send IPFIX log messages to this pool.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add the IP address for each IPFIX collector that you want to include in the pool:
    1. Type the collector's IP address in the Address field, or select a node address from the Node List.
    2. Type a port number in the Service Port field.
      By default, IPFIX collectors listen on UDP or TCP port 4739 and Netflow V9 devices listen on port 2055, though the port is configurable at each collector.
    3. Click Add.
  5. Click Finished.

Creating an IPFIX log destination

A log destination of the IPFIX type specifies that log messages are sent to a pool of IPFIX collectors. Use these steps to create a log destination for IPFIX collectors.

  1. On the Main tab, click System > Logs > Configuration > Log Destinations .
    The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select IPFIX.
  5. From the Protocol list, select IPFIX or Netflow V9, depending on the type of collectors you have in the pool.
  6. From the Pool Name list, select an LTM® pool of IPFIX collectors.
  7. From the Transport Profile list, select TCP, UDP, or any customized profile derived from TCP or UDP.
  8. The Template Retransmit Interval is the time between transmissions of IPFIX templates to the pool of collectors. The BIG-IP system only retransmits its templates if the Transport Profile is a UDP profile.
    An IPFIX template defines the field types and byte lengths of the binary IPFIX log messages. The logging destination sends the template for a given log type (for example, NAT44 logs or customized logs from an iRule) before sending any of those logs, so that the IPFIX collector can read the logs of that type. The logging destination assigns a template ID to each template, and places the template ID into each log that uses that template.

    The log destination periodically retransmits all of its IPFIX templates over a UDP connection. The retransmissions are helpful for UDP connections, which are lossy.

  9. The Template Delete Delay is the time that the BIG-IP device should pause between deleting an obsolete template and re-using its template ID. This feature is helpful for systems that can create custom IPFIX templates with iRules.
  10. The Server SSL Profile applies Secure Socket Layer (SSL) or Transport Layer Security (TLS) to TCP connections. You can only choose an SSL profile if the Transport Profile is a TCP profile. Choose an SSL profile that is appropriate for the IPFIX collectors' SSL/TLS configuration.
    SSL or TLS requires extra processing and therefore slows the connection, so we only recommend this for sites where the connections to the IPFIX collectors have a potential security risk.
  11. Click Finished.

Creating a publisher

A publisher specifies where the BIG-IP® system sends log messages for IPFIX logs.
  1. On the Main tab, click System > Logs > Configuration > Log Publishers .
    The Log Publishers screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this publisher.
  4. Use the Log Destinations area to select an existing IPFIX destination (perhaps along with other destinations for your logs): click any destination name in the Available list, and click << to move it to the Selected list.
    Important: If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging will occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db variable to false.
  5. Click Finished.

Creating an LSN logging profile

You can create an LSN logging profile to allow you to configure logging options for various LSN events that apply to IPFIX logging destinations.
Note: For configuring IPFIX logging of CGNAT processes on the BIG-IP® system, these steps are optional.
  1. On the Main tab, click Carrier Grade NAT > Logging Profiles > LSN .
    The LSN profile list screen opens.
  2. Click Create.
    The New LSN Logging Profile screen opens.
  3. In the Name field, type a unique name for the logging profile.
  4. From the Parent Profile list, select a profile from which the new profile inherits properties.
  5. For the Log Settings area, select the Custom check box.
  6. For the Log Settings area, select Enabled for the following settings, as necessary.
    Setting Description
    Start Outbound Session Generates event log entries at the start of a translation event for an LSN client.
    End Outbound Session Generates event log entries at the end of a translation event for an LSN client.
    Start Inbound Session Generates event log entries at the start of an incoming connection event for a translated endpoint.
    End Inbound Session Generates event log entries at the end of an incoming connection event for a translated endpoint.
    Quota Exceeded Generates event log entries when an LSN client exceeds allocated resources.
    Errors Generates event log entries when LSN translation errors occur.
  7. Click Finished.

Configuring an LSN pool

You can associate an LSN pool with a log publisher and logging profile that the BIG-IP® system uses to send log messages to a specified destination.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools > LSN Pool List .
    The LSN Pool List screen opens.
  2. Select an LSN pool from the list.
    The configuration screen for the pool opens.
  3. From the Log Publisher list, select the log publisher the BIG-IP system uses to send log messages to a specified destination.
    Important: If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db variable to false.
  4. Optional: From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various LSN events.
  5. Click Finished.
You now have an LSN pool for which the BIG-IP system logs messages using the specified logging profile.

Deploying Stateless Network Address Translation

Overview: 6rd configuration on BIG-IP systems

The 6rd (rapid deployment) feature is a solution to the IPv6 address transition. It provides a stateless protocol mechanism for tunneling IPv6 traffic from the IPv6 Internet over a service provider's (SP's) IPv4 network to the customer's IPv6 networks. As specified in RFC5969, 6rd uses an SP's own IPv6 address prefix rather than the well-known IPV6 in IPv4 prefix (2002::/16), which means that the operational domain of 6rd is limited to the SP network, and is under the SP's control.

Fully compliant with RFC5969, the BIG-IP® system supports the border relay (BR) functionality by automatically mapping the tunnel's IPv4 address at the customer premises to IPv6 address spaces using the 6rd domain configuration information. Using a BIG-IP system, an SP can deploy a single 6rd domain or multiple 6rd domains. When supporting multiple 6rd domains, a separate tunnel is required to accommodate each 6rd domain, which is specified in the associated 6rd tunnel profile.

When you deploy 6rd using a BIG-IP system as the BR device, you need to create 6rd tunnels using wildcard remote addresses. This implementation documents the configuration of a BIG-IP device as a BR device.

Example of a 6rd configuration

Example of a 6rd configuration

This table shows examples of 6rd parameter values, based on the illustration. You set these values in the v6rd profile you create.

Setting Value
IPv4 Prefix 10
IPv4 Prefix Length 8
IPv6 Prefix 2001:8:4:1
IPv6 Prefix Length 64

Task summary

Before you configure a 6rd network, ensure that you have licensed and provisioned CGNAT on the BIG-IP® system. Also, the BIG-IP system must have an IPv6 address and an IPv6 default gateway.

Task list

Using a profile to define a 6rd domain

You must create a new v6rd profile to specify the parameters for a 6rd tunnel. The system-supplied v6rd profile, v6rd provides the defaults, but does not suffice as a 6rd profile, as configured. For example, the required 6rd prefix is not specified.
  1. On the Main tab, click Network > Tunnels > Profiles > v6rd > Create .
    The New 6RD Profile screen opens.
  2. In the Name field, type a unique name for the profile.
  3. Select the Custom check box.
  4. For the IPv4 Prefix setting, type the IPv4 prefix that is assumed to be the customer edge (CE) device's IPv4 address, which is not included in the customer's IPv6 6rd prefix. A value of 0.0.0.0 indicates that all 32 bits of the CE's IPv4 address are to be extracted from its 6rd IPv6 prefix.
    Note: If you do not provide an IPv4 prefix, the system derives it from the tunnel local address you specify when creating the tunnel.
  5. For the IPv4 Prefix Length setting, type the number of identical high-order bits shared by all CE and BR IPv4 addresses in the 6rd domain you are configuring.
  6. For the 6rd Prefix setting, type the IPv6 prefix for the 6rd domain you are configuring.
  7. For the 6rd Prefix Length setting, type the length of the IPv6 prefix for the 6rd domain you are configuring.
  8. Click Finished.
To apply this profile to traffic, you must associate it with a tunnel.

Configuring a BIG-IP system as a border relay (BR) device

Before creating a 6rd tunnel on a BIG-IP® system, you must have configured a v6rd tunnel profile.
You can create a 6rd tunnel on a BIG-IP® system to carry IPv6 traffic over an IPv4 network, allowing your users to seamlessly access the IPv6 Internet.
  1. On the Main tab, click Network > Tunnels > Tunnel List > Create or Carrier Grade NAT > Tunnels > Create .
    The New Tunnel screen opens.
  2. In the Name field, type a unique name for the tunnel.
  3. From the Profile list, select v6rd.
  4. In the Local Address field, type the IPv4 address of the BIG-IP device you are configuring.
  5. For the Remote Address list, retain the default selection, Any.
  6. Click Finished.
After you create the 6rd tunnel at the BR, you must configure your network routing to send remote traffic through the tunnel.

Creating a forwarding virtual server for a tunnel

You can create a forwarding virtual server to intercept IP traffic and direct it to a tunnel.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Forwarding (IP).
  5. In the Destination Address field, type ::/0 to accept any IPv6 traffic.
  6. In the Service Port field, type * or select * All Ports from the list.
  7. From the Protocol list, select * All Protocols.
  8. Click Finished.
Now that you have created a virtual server to intercept the IP traffic, you need to create a route to direct this traffic to the tunnel interface.

Assigning a self IP address to an IP tunnel endpoint

Ensure that you have created an IP tunnel before starting this task.
Self IP addresses can enable the BIG-IP® system, and other devices on the network, to route application traffic through the associated tunnel, similar to routing through VLANs and VLAN groups.
Note: If the other side of the tunnel needs to be reachable, make sure the self IP addresses that you assign to both sides of the tunnel are in the same subnet.
  1. On the Main tab, click Network > Self IPs .
  2. Click Create.
    The New Self IP screen opens.
  3. In the Name field, type a unique name for the self IP address.
  4. In the IP Address field, type the IP address of the tunnel.
    The system accepts IPv4 and IPv6 addresses.
    Note: This is not the same as the IP address of the tunnel local endpoint.
  5. In the Netmask field, type the network mask for the specified IP address.

    For example, you can type 255.255.255.0.

  6. From the VLAN/Tunnel list, select the tunnel with which to associate this self IP address.
  7. Click Finished.
    The screen refreshes, and displays the new self IP address.
Assigning a self IP to a tunnel ensures that the tunnel appears as a resource for routing traffic.
To direct traffic through the tunnel, add a route for which you specify the tunnel as the resource.

Routing traffic through a 6rd tunnel interface

Before starting this task, ensure that you have created a 6rd tunnel, and have assigned a self IP address to the tunnel.
You can route traffic through a tunnel interface, much like you use a VLAN or VLAN group.
  1. On the Main tab, click Network > Routes .
  2. Click Add.
    The New Route screen opens.
  3. In the Name field, type a unique user name.
    This name can be any combination of alphanumeric characters, including an IP address.
  4. In the Destination field, type the 6rd IPv6 network address.
  5. In the Netmask field, type the network mask for the destination IP address.
  6. From the Resource list, select Use VLAN/Tunnel.
  7. From the VLAN/Tunnel list, select the name of the v6rd tunnel you created.
  8. Click Finished.
The system now routes traffic destined for the IP address you specified through the tunnel you selected.

Overview: MAP configuration on BIG-IP systems

Mapping of Address and Port (MAP) is an IPv4 to IPv6 transition technology. The BIG-IP® system plays the role of the border relay (BR) in a MAP deployment. At the time of this writing, the implementation of MAP on the BIG-IP system complies with the IETF Standards Track draft Mapping of Address and Port with Encapsulation (MAP) draft-ietf-software-map-10.

Note: You must configure the customer edge (CE) functionality of the MAP solution on the CE device, not on the BIG-IP system.

This illustration shows the position of a BIG-IP system in a MAP configuration. As the BR device, the BIG-IP system decapsulates the encapsulated IPv6 traffic and forwards it to the public IPv4 Internet.

Example of MAP configuration

Example of a MAP configuration

About Mapping of Address and Port (MAP)

MAP is a deterministic algorithm that uses MAP-domain configuration information to map between IPv4 and IPv6 addresses to transport IPv4 traffic over the IPv6 infrastructure. MAP is nearly stateless, and it does not require the border relay (BR) device to perform NAT on the traffic. Instead, the translation of private to public IPv4 addresses is delegated to the customer edge (CE) devices, such as customer-premises equipment (CPEs). Mapping of Address and Port (MAP) uses a port mapping algorithm to provide IPv4 connectivity over an IPv6 network. The MAP implementation has two variants, which share the same architecture.
  • MAP-E (Encapsulated), which uses the IPv4-in-IPv6 tunneling approach, is on the IETF standards track, and is now referred to as simply MAP.
  • MAP-T (Translated), which uses the IPv4-from/to-IPv6 address translation approach, is on the IETF experimental track. MAP-T is not supported on the BIG-IP® system in this release.

Both MAP and MAP-T assume that the service provider internal network has already been migrated to IPv6, but the CE is still running dual stack. IPv6 subscribers behind the CE can use regular addressing methods to reach the public IPv6 Internet. MAP focuses on how the CEs should forward IPv4 subscriber traffic to and from the Internet.

About Mapping of Address and Port with Translation (MAP-T)

In a MAP-T deployment, the customer edge (CE) device implements a combination of stateful NAPT44 translation and stateless MAP translation, using source IPv4 address and port number, to forward IPv4 traffic across the upstream IPv6 network. The BR (border relay) is responsible for connecting one or more MAP domains to external IPv4 networks. It converts the inbound IPv6 packet from the CEs back to NAT'd IPv4, using the corresponding MAP configurations.

Note: MAP-T is not supported on the BIG-IP® system in this release.

About Mapping of Address and Port with Encapsulation (MAP)

In a MAP (formerly MAP-E) deployment, the customer edge (CE) device implements a combination of NAPT44 followed by IPv4-in-IPv6 encapsulation. The source IPv6 address of the encapsulating header is derived from the source IPv4 address and port number, according to MAP configurations. At the border relay (BR), the IPv6 traffic is decapsulated to recover the NAT'd IPv4 packet, which the system then forwards to the Internet.

The MAP CE devices and BRs form a MAP domain. The MAP domain is defined by the algorithms and parameters for mapping IPv4 address and port numbers to a subscriber. All CE nodes within the same MAP domain must use the same subnet ID, as configured in the ip4-prefix attribute of the BR configuration, to correctly synthesize the MAP IPv6 address.

MAP relies on port sharing, which means that it supports only ICMP and port-based transport protocols. This excludes PPTP (which uses GRE) and any transports other than TCP, UDP, or ICMP. Because the port sharing ratio and IPv6 prefix are mathematically interdependent, you must correctly size your IPv6 network to ensure that your implementation of MAP accommodates enough subscribers.

The BR handles traffic between itself and a given MAP domain, which means that it has at least one IPv4 interface and one IPv6 interface. Its job is to aggregate the MAP tunnels. Within the MAP Domain, IPv4 traffic follows IPv6 routing, and the BR is reachable using IPv6 anycast addressing for load balancing and resiliency.

The port set ID (PSID) algorithmically represents different groups of non-overlapping, contiguous L4 ports that a CE device can use for port translation, allowing different CE devices to share the same source IPV4 address. As an anti-spoofing measure, the PSID is embedded within the IPv6 address for validation at the BR.

A MAP Domain encapsulates and decapsulates IPv4 traffic using a Basic Mapping Rule (BMR) specified in the MAP draft. The objective of a BMR is to provision a source IPv6 address that generates sets of source IPv4 translation endpoints. The embedded address (EA) bits serve to uniquely identify these endpoints.
  • The BMR enables the CE to provision multiple sets of IPv4 ports (NAT pools) for subscribers to use.
  • The BMR allows the CE to construct the associated upstream source MAP IPv6 address;
  • The BMR must be applied consistently to all CEs and BRs within a given MAP domain.

Due to the deterministic mapping of IPv4 address and port numbers to subscribers, MAP may originate tunnels heading toward subscribers given the IPv4 flow information.

Task summary

Before you configure the BIG-IP® system as a BR device for a MAP domain, ensure that you have licensed and provisioned CGNAT on the BIG-IP system. Also, the BIG-IP system must have an IPv6 self IP address, an IPv6 default gateway, and an IPv4 self IP address on the side of the BIG-IP system that faces the Internet.

Make sure that the CE devices are configured for MAP. For instructions on configuring a CE device, consult the manufacturer's documentation.

Task list

Using a profile to define a MAP domain

You must create a new MAP profile to specify the parameters for a MAP tunnel, by customizing the system-supplied MAP profile, map.
  1. On the Main tab, click Network > Tunnels > Profiles > MAP > Create .
    The New MAP Profile screen opens.
  2. In the Name field, type a unique name for the profile.
  3. From the Parent Profile list, select map.
  4. Select the Custom check box.
  5. For the IPv6 Prefix setting, type the IPv6 prefix of the MAP domain.
  6. For the IPv4 Prefix setting, type the IPv4 prefix of the MAP domain.
  7. For the Embedded Address Bits Length setting, type the length, in bits, of the Embedded Address (EA) of the MAP domain.
  8. For the Port Offset setting, type the length, in bits, of the port offset of the MAP domain.
    This value must be less than 16.
  9. Click Finished.
The MAP profile you created now appears in the Encapsulation Type list on the New Tunnel and Tunnel Properties screens.

Configuring a tunnel for Mapping Address and Port

Before creating a MAP tunnel on a BIG-IP® system, you must have configured a MAP tunnel profile.
You create a MAP tunnel on a BIG-IP® system to carry IPv4 traffic over an IPv6 network, allowing users to seamlessly access the IPv4 Internet.
  1. On the Main tab, click Network > Tunnels > Tunnel List > Create , or Carrier Grade NAT > Tunnels > Create
    The New Tunnel screen opens.
  2. In the Name field, type a unique name for the tunnel.
  3. From the Profile list, select the MAP profile you created previously.
  4. In the Local Address field, type the IPv6 address of the local BIG-IP device.
  5. For the Remote Address list, retain the default selection, Any.
  6. Click Finished.
After you create a MAP tunnel, you must create two virtual servers to forward IPv4 and IPv6 traffic.

Creating a forwarding virtual server for IPv4 traffic

After you configure a MAP tunnel to transport IPv4 traffic over an IPv6 network, you need to create a virtual server to intercept the IPv4 traffic and forward the packets to their destinations.

  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Forwarding (IP).
  5. In the Destination Address field, type 0.0.0.0/0 to accept any IPv4 traffic.
  6. Click Finished.

Creating a forwarding virtual server for IPv6 traffic

After you configure a MAP tunnel to transport IPv4 and IPv6 traffic over an IPv6 network, you need to create a virtual server to intercept the IPv6 traffic and forward the packets to their destinations.

  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Forwarding (IP).
  5. In the Destination Address field, type ::/0 to accept any IPv6 traffic.
  6. Click Finished.

Assigning a self IP address to a MAP tunnel endpoint

Before starting this task, ensure that you have created a MAP tunnel.
Self IP addresses can enable the BIG-IP® system, and other devices on the network, to route application traffic through the associated tunnel, similar to routing through VLANs and VLAN groups. If you specify a public IPv4 address in the same range as the CE devices, the system automatically creates a connected route on the BIG-IP platform, which can be used to route back IPv4 traffic to this MAP domain. The alternative is to add a static route manually.
  1. On the Main tab, click Network > Self IPs .
  2. Click Create.
    The New Self IP screen opens.
  3. In the Name field, type a unique name for the self IP address.
  4. In the IP Address field, type the IPv4 address of the tunnel, which is an IP address that belongs to the network of the CE devices.
    Note: This is not the same as the IP address of the tunnel local endpoint.
  5. In the Netmask field, type the network mask for the specified IP address.
  6. From the VLAN/Tunnel list, select the tunnel with which to associate this self IP address.
  7. Click Finished.
    The screen refreshes, and displays the new self IP address.

Assigning a self IP address to a tunnel ensures that the tunnel appears as a resource for routing traffic. This screen snippet shows a sample list of the self IP addresses required on the BIG-IP system for a MAP configuration, including the self IP address of the tunnel.

Self IP addresses required for a MAP configuration

Self IP addresses required for a MAP configuration

  • The External self IP address is an IPv4 address on the side of the BIG-IP system that faces the Internet.
  • The Internal self IP address is an IPv6 address on the BIG-IP system, which is configured as a BR device.
  • The Tunnel self IP address is the one you just created in this task.

Viewing MAP tunnel statistics

Using the tmsh command-line interface, you can view statistics to help you diagnose issues with MAP tunnels.
  1. Access the tmsh command-line utility.
  2. Type this command at the prompt.
    tmsh show net tunnels map profile

This example shows the statistics displayed for the MAP tunnel using the profile map-profile.

MAP tunnel statistics

  • Spoof Packets: The number of IPv4 packets that fail MAP self-consistency checks.
  • Misdirected Packets: The number of IPv4 packets sent to the wrong MAP domain or wrong protocol number.
  • Address Sharing Ratio: The number of users sharing one IP address.
  • Ports per user: The number of ports each user behind the CE can use.

Overview: Lightweight 4over6 Configuration on BIG-IP systems

Lightweight 4over6 (lw4o6) functionality is an IPv4 to IPv6 transition technology that provides IPv4 service over an IPv6-only network. A lw4o6 configuration refines DS-Lite functionality to reduce the network address and port translation (NAPT) states in a service provider's network. In a lw4o6 configuration, lwB4 customer edge (CE) devices, provisioned with a public IP address and a port set, perform NAPT, as well as encapsulation and decapsulation.The implementation of lw4o6 on the BIG-IP system complies with RFC 7596.

Note: You must configure the CE functionality of the lw4o6 solution on the CE device, not on the BIG-IP system.

A lw4o6 configuration includes the following components.

  • lwB4. Provides NAPT, as well as encapsulation and decapsulation of IPv4 and IPv6. Each lwB4 must be provisioned with a public IPv4 address and port set, restricting the external ports used by NAPT to source packets.
  • lwAFTR. Encapsulates and decapsulates IPv4 and IPv6. It also forwards incoming packets to the applicable lwB4, and forwards outgoing packets to the IPv4 network.
  • Provisioning. Configures the lwB4 with the public IPv4 address and port set.

This illustration shows the position of a BIG-IP system in a lw4o6 configuration. The BIG-IP system decapsulates the encapsulated IPv6 traffic and forwards it to the public IPv4 Internet.

Illustration of a lw4o6 deployment

In this example, a service provider transports encapsulated IPv4 traffic over its IPv6 network.

Example of a lw4o6 configuration

Example of a lw4o6 configuration

Task summary

Before you configure the BIG-IP® system for a lw4o6 domain, ensure that you have licensed CGNAT on the BIG-IP system. Also, the BIG-IP system must have an IPv6 self IP address, an IPv6 default gateway, and an IPv4 self IP address on the side of the BIG-IP system that faces the Internet.

Make sure that the CE devices are configured for lw4o6. For instructions on configuring a CE device, consult the manufacturer's documentation.

Task list

Importing a lw4o6 table

Using the BIG-IP ®Configuration utility, you can import a lw4o6 file from another system to use when creating a lw4o6 profile.
  1. On the Main tab, click System > File Management > lw4o6 Tables > Import .
  2. Browse for the file and click Open.
    The name of the file you select appears in the File Name setting.
  3. In the Name field, type a new name for the file, such as lwtunneltbl.
  4. Click the Import button.
    The new name appears in the list of imported files.
After importing a lw4o6 file onto the system, you must create a lw4o6 profile, specifying the lw4o6 file that you imported.

Using a profile to define a lw4o6 domain

You must create a new lw4o6 profile to specify the parameters for a lw4o6 tunnel, by customizing the system-supplied lw4o6 profile, lw4o6.
  1. On the Main tab, click Network > Tunnels > Profiles > lw4o6 > Create , or Carrier Grade NAT > Tunnel Profiles > lw4o6 .
    The New lw4o6 Profile screen opens.
  2. In the Name field, type a unique name for the profile.
  3. From the Parent Profile list, select lw4o6.
  4. From the lw4o6 Table list, select a table.
  5. In the PSID Length field, type a value for the port set identifier.
    Note: Specifying a PSID Length value for the port set identifier allows only TCP, UDP, or ICMP traffic to pass through the lw4o6 tunnel. You can, however, specify a PSID Length value of 0 and select the Pass All Protocols check box to pass through all IP sub-protocols.
  6. Select the Pass All Protocols check box (which requires a PSID Length value of 0) to pass through all IP sub-protocols.
    Note: If you specify a PSID Length value other than 0, the Pass All Protocols check box is cleared to allow only TCP, UDP, or ICMP traffic to pass through the lw4o6 tunnel.
  7. Click Finished.
The lw4o6 profile you created now appears in the Profiles list on the New Tunnel screens.

Configuring a tunnel for lw4o6

Before creating a lw4o6 tunnel on a BIG-IP® system, you must have configured a lw4o6 tunnel profile.
You create a lw4o6 tunnel on a BIG-IP® system to carry IPv4 traffic over an IPv6 network, allowing users to seamlessly access the IPv4 Internet.
  1. On the Main tab, click Network > Tunnels > Tunnel List > Create or Carrier Grade NAT > Tunnels > Create .
    The New Tunnel screen opens.
  2. In the Name field, type a unique name for the tunnel.
  3. From the Profile list, select lw4o6 or the lw4o6 profile you created previously.
  4. In the Local Address field, type the IPv6 address of the local BIG-IP device.
  5. For the Remote Address list, retain the default selection, Any.
  6. Click Finished.
After you create a lw4o6 tunnel, you must create a virtual server to forward IPv4 traffic.

Creating a forwarding virtual server for IPv4 traffic

After you configure a lw4o6 tunnel to transport IPv4 traffic over an IPv6 network, you need to create a virtual server to intercept the IPv4 traffic and forward the packets to their destinations.

  1. On the Main tab, click Carrier Grade NAT > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Forwarding (IP).
  5. In the Destination Address field, type 0.0.0.0/0 to accept any IPv4 traffic.
  6. Click Finished.

Assigning a self IP address to a lw4o6 tunnel endpoint

Before starting this task, ensure that you have created a lw4o6 tunnel.
Self IP addresses can enable the BIG-IP® system, and other devices on the network, to route application traffic through the associated tunnel, similar to routing through VLANs and VLAN groups. If you specify a public IPv4 address in the same range as the CE devices, the system automatically creates a connected route on the BIG-IP platform, which can be used to route back IPv4 traffic to this lw4o6 domain. The alternative is to add a static route manually.
  1. On the Main tab, click Network > Self IPs .
  2. Click Create.
    The New Self IP screen opens.
  3. In the Name field, type a unique name for the self IP address.
  4. In the IP Address field, type the IPv4 address of the tunnel, which is an IP address that belongs to the network of the CE devices.
    Note: This is not the same as the IP address of the tunnel local endpoint.
  5. In the Netmask field, type the network mask for the specified IP address.
  6. From the VLAN/Tunnel list, select the tunnel with which to associate this self IP address.
  7. Click Finished.
    The screen refreshes, and displays the new self IP address.

Assigning a self IP address to a tunnel ensures that the tunnel appears as a resource for routing traffic.

  • The External self IP address is an IPv4 address on the side of the BIG-IP system that faces the Internet.
  • The Internal self IP address is an IPv6 address on the BIG-IP system.
  • The Tunnel self IP address is the one you just created in this task.

Viewing lw4o6 tunnel statistics

Using the tmsh command-line interface, you can view statistics to help you diagnose issues with lw4o6 tunnels.
  1. Access the tmsh command-line utility.
  2. Type this command at the prompt.
    tmsh show net tunnels lw4o6 lw4o6_profile

The screen displays lw4o6 tunnel statistics for the specified lw4o6 profile.

IPFIX Templates for CGNAT Events

Overview: IPFIX logging templates

The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX information elements (IEs) and templates used to log the F5 CGNAT events. An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the establishment of an inbound NAT64 session.

IPFIX information elements for CGNAT events

Information elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single CGNAT event. These tables list all the IEs used in F5 CGNAT events, and differentiate IEs defined by IANA from IEs defined by F5 products.

IANA-Defined IPFIX information elements

Information Elements

IANA maintains a list of standard IPFIX information elements (IEs), each with a unique element identifier, at http://www.iana.org/assignments/ipfix/ipfix.xml. The F5 CGNAT implementation uses a subset of these IEs to publish CGNAT events. This subset is summarized in the table below. Please refer to the IANA site for the official description of each field.

Information Element (IE) ID Size (Bytes)
destinationIPv4Address 12 4
destinationTransportPort 11 2
egressVRFID 235 4
flowDurationMilliseconds 161 4
flowStartMilliseconds 152 8
ingressVRFID 234 4
natEvent 230 1
natOriginatingAddressRealm 229 1
natPoolName 284 Variable
observationTimeMilliseconds 323 8
portRangeEnd 362 2
portRangeStart 361 2
postNAPTDestinationTransportPort 228 2
postNAPTSourceTransportPort 227 2
postNATDestinationIPv4Address 226 4
postNATDestinationIPv6Address 282 16
postNATSourceIPv4Address 225 4
protocolIdentifier 4 1
sourceIPv4Address 8 4
sourceIPv6Address 27 16
sourceTransportPort 7 2
Note: IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot correctly process variable-length IEs, so they are omitted from logs sent to those collector types.

IPFIX enterprise information elements

Description

IPFIX provides specifications for enterprises to define their own Information Elements. F5 currently does not use any non-standard IEs for CGNAT Events.

Individual IPFIX templates for each event

These tables specify the IPFIX templates used by F5 to publish CGNAT Events.

Each template contains a natEvent information element (IE). This element is currently defined by IANA to contain values of 1 (Create Event), 2 (Delete Event) and 3 (Pool Exhausted). In the future, it is possible that IANA will standardize additional values to distinguish between NAT44 and NAT64 events, and to allow for additional types of NAT events. For example, the http://datatracker.ietf.org/doc/draft-ietf-behave-ipfix-nat-logging Internet Draft proposes additional values for this IE for such events.

F5 uses the standard Create and Delete natEvent values in its IPFIX Data Records, rather than new (non-standard) specific values for NAT44 Create, NAT64 Create, and so on.

You can infer the semantics of each template (for example, whether or not the template applies to NAT44 Create, NAT64 Create, or DS-Lite Create) from the template's contents rather than from distinct values in the natEvent IE.

F5 CGNAT might generate different variants of NAT Session Create/Delete events, to cater to customer requirements such as the need to publish destination address information, or to specifically omit such information. Each variant has a distinct template.

The “Pool Exhausted” natEvent value is insufficiently descriptive to cover the possible NAT failure cases. Therefore, pending future updates to the natEvent Information Element, F5 uses some non-standard values to cover the following cases:

  • 10 – Translation Failure
  • 11 – Session Quota Exceeded
  • 12 – Port Quota Exceeded
  • 13 - Port Block Allocated
  • 14 - Port Block Released
  • 15 - Port Block Allocation (PBA) Client Block Limit Exceeded
  • 16 - PBA Port Quota Exceeded

The following tables enumerate and define the IPFIX templates, and include the possible natEvent values for each template.

NAT44 session create – outbound variant

Description

This event is generated when a NAT44 client session is received from the subscriber side and the LSN process successfully translates the source address/port.

Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
egressVRFID 235 4 The "LSN" routing-domain ID.
sourceIPv4Address 8 4  
postNATSourceIPv4Address 225 4  
protocolIdentifier 4 1  
sourceTransportPort 7 2  
postNAPTSourceTransportPort 227 2  
destinationIPv4Address 12 4 0 (zero) if obscured.
destinationTransportPort 11 2 0 (zero) if obscured.
natOriginatingAddressRealm 229 1 1 (private/internal realm, subscriber side).
natEvent 230 1 1 (for Create event).

NAT44 session delete – outbound variant

Description

This event is generated when a NAT44 client session is received from the subscriber side and the LSN process finishes the session.

By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

modify sys db log.lsn.session.end value enable
Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
egressVRFID 235 4 The "LSN" routing-domain ID.
sourceIPv4Address 8 4  
postNATSourceIPv4Address 225 4  
protocolIdentifier 4 1  
sourceTransportPort 7 2  
postNAPTSourceTransportPort 227 2  
destinationIPv4Address 12 4 0 (zero) if obscured.
destinationTransportPort 11 2 0 (zero) if obscured.
natOriginatingAddressRealm 229 1 1 (private/internal realm, subscriber side).
natEvent 230 1 2 (for Delete event).
flowStartMilliseconds 152 8 Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds 161 4 Duration in ms.

NAT44 session create – inbound variant

Description

This event is generated when an inbound NAT44 client session is received from the internet side and connects to a client on the subscriber side.

Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "LSN" routing-domain ID.
egressVRFID 235 4 The "client" routing-domain ID.
sourceIPv4Address 8 4  
protocolIdentifier 4 1  
sourceTransportPort 7 2  
destinationIPv4Address 12 4  
postNATDestinationIPv4Address 226 4  
destinationTransportPort 11 2  
postNAPTDestinationTransportPort 228 2  
natOriginatingAddressRealm 229 1 2 (public/external realm, Internet side).
natEvent 230 1 1 (for Create event).

NAT44 session delete – inbound variant

Description

This event is generated when an inbound NAT44 client session is received from the internet side and connects to a client on the subscriber side. This event is the deletion of the inbound connection.

By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

modify sys db log.lsn.session.end value enable
Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "LSN" routing-domain ID.
egressVRFID 235 4 The "client" routing-domain ID.
sourceIPv4Address 8 4  
protocolIdentifier 4 1  
sourceTransportPort 7 2  
destinationIPv4Address 12 4  
postNATDestinationIPv4Address 226 4  
destinationTransportPort 11 2  
postNAPTDestinationTransportPort 228 2  
natOriginatingAddressRealm 229 1 2 (public/external realm, Internet side).
natEvent 230 1 2 (for Delete event).
flowStartMilliseconds 152 8 Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds 161 4 Duration in ms.

NAT44 translation failed

Description

This event reports a NAT44 Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.

Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
sourceIPv4Address 8 4  
protocolIdentifier 4 1  
sourceTransportPort 7 2  
destinationIPv4Address 12 4 0 (zero) if obscured.
destinationTransportPort 11 2 0 (zero) if obscured.
natEvent 230 1 10 for Transmission Failed.
natPoolName 284 Variable This IE is omitted for NetFlow v9.

NAT44 quota exceeded

Description

This event is generated when an administratively configured policy prevents a successful NAT44 translation.

Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
sourceIPv4Address 8 4  
natEvent 230 1 11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA client block limit Exceeded, 16 for PBA Port Quota Exceeded.
natPoolName 284 Variable This IE is omitted for NetFlow v9.

NAT44 port block allocated or released

Description

This event is generated when the BIG-IP software allocates or releases a block of ports for a NAT44 client. The event only occurs when port-block allocation (PBA) is configured for the LSN pool. When an LSN pool uses PBA, it only issues an IPFIX log for every block of CGNAT translations. This reduces IPFIX traffic for CGNAT.

Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
egressVRFID 235 4 The egress routing-domain ID.
sourceIPv4Address 8 4  
postNATSourceIPv4Address 225 4  
portRangeStart 361 2  
portRangeEnd 362 2  
natEvent 230 1 13 for PBA, block Allocated, 14 for PBA, block released.

NAT64 session create – outbound variant

Description

This event is generated when a NAT64 client session is received from the subscriber side and the LSN process successfully translates the source address/port.

Note: The destinationIPv6Address is not reported, since the postNATdestinationIPv4Address value is derived algorithmically from the IPv6 representation in destinationIPv6Address, as specified in RFC 6146 and RFC 6502.
Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
egressVRFID 235 4 The "LSN" routing-domain ID.
sourceIPv6Address 27 16  
postNATSourceIPv4Address 225 4  
protocolIdentifier 4 1  
sourceTransportPort 7 2  
postNAPTSourceTransportPort 227 2  
postNATDestinationIPv4Address 226 4 0 (zero) if obscured.
destinationTransportPort 11 2 0 (zero) if obscured.
natOriginatingAddressRealm 229 1 1 (private/internal realm, subscriber side).
natEvent 230 1 1 (for Create event).

NAT64 session delete – outbound variant

Description

This event is generated when a NAT64 client session is received from the subscriber side and the LSN process finishes the outbound session.

By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

modify sys db log.lsn.session.end value enable
Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
egressVRFID 235 4 The "LSN" routing-domain ID.
sourceIPv6Address 27 16  
postNATSourceIPv4Address 225 4  
protocolIdentifier 4 1  
sourceTransportPort 7 2  
postNAPTSourceTransportPort 227 2  
postNATDestinationIPv4Address 226 4 0 (zero) if obscured.
destinationTransportPort 11 2 0 (zero) if obscured.
natOriginatingAddressRealm 229 1 1 (private/internal realm, subscriber side).
natEvent 230 1 2 (for Delete event).
flowStartMilliseconds 152 8 Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds 161 4 Duration in ms.

NAT64 session create – inbound variant

Description

This event is generated when a client session comes in from the internet side and successfully connects to a NAT64 client on the subscriber side.

Note: postNATSourceIPv6Address is not reported since this value can be derived algorithmically from by appending the well-known NAT64 prefix 64:ff9b:: to sourceIPv4Address.
Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "LSN" routing-domain ID.
egressVRFID 235 4 The "client" routing-domain ID.
sourceIPv4Address 8 4  
protocolIdentifier 4 1  
sourceTransportPort 7 2  
destinationIPv4Address 12 4  
postNATDestinationIPv6Address 282 16  
destinationTransportPort 11 2  
postNAPTDestinationTransportPort 228 2  
natOriginatingAddressRealm 229 1 2 (public/external realm, Internet side).
natEvent 230 1 1 (for Create event).

NAT64 session delete – inbound variant

Description

This event is generated when a client session comes in from the internet side and successfully connects to a NAT64 client on the subscriber side. This event is the deletion of the inbound connection.

Note: postNATSourceIPv6Address is not reported since this value can be derived algorithmically from by appending the well-known NAT64 prefix 64:ff9b:: to sourceIPv4Address.

By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

modify sys db log.lsn.session.end value enable
Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "LSN" routing-domain ID.
egressVRFID 235 4 The "client" routing-domain ID.
sourceIPv4Address 8 4  
protocolIdentifier 4 1  
sourceTransportPort 7 2  
destinationIPv4Address 12 4  
postNATDestinationIPv6Address 282 16  
destinationTransportPort 11 2  
postNAPTDestinationTransportPort 228 2  
natOriginatingAddressRealm 229 1 2 (public/external realm, Internet side).
natEvent 230 1 2 (for Delete event).
flowStartMilliseconds 152 8 Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds 161 4 Duration in ms.

NAT64 translation failed

Description

This event reports a NAT64 Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.

Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
sourceIPv6Address 27 16  
protocolIdentifier 4 1  
sourceTransportPort 7 2  
destinationIPv4Address 12 4 0 (zero) if obscured.
destinationTransportPort 11 2 0 (zero) if obscured.
natEvent 230 1 10 for Transmission Failed.
natPoolName 284 Variable This IE is omitted for NetFlow v9.

NAT64 quota exceeded

Description

This event is generated when an administratively configured policy prevents a successful NAT64 translation.

Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
sourceIPv6Address 27 16  
natEvent 230 1 11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA client block limit Exceeded, 16 for PBA Port Quota Exceeded.
natPoolName 284 Variable This IE is omitted for NetFlow v9.

NAT64 port block allocated or released

Description

This event is generated when the BIG-IP software allocates or releases a block of ports for a NAT64 client. The event only occurs when port-block allocation (PBA) is configured for the LSN pool. When an LSN pool uses PBA, it only issues an IPFIX log for every block of CGNAT translations. This reduces IPFIX traffic for CGNAT.

Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
egressVRFID 235 4 The egress routing-domain ID.
sourceIPv6Address 27 16  
postNATSourceIPv4Address 225 4  
portRangeStart 361 2  
portRangeEnd 362 2  
natEvent 230 1 13 for PBA, block Allocated, 14 for PBA, block released.

DS-Lite session create – outbound variant

Description

This event is generated when a DS-Lite client session is received on the subscriber side and the LSN process successfully translates the source address/port. The client's DS-Lite IPv6 remote endpoint address is reported using IE lsnDsLiteRemoteV6asSource.

Note: The sourceIPv6Address stores different information in this template from the equivalent NAT64 template. In the NAT64 create and delete templates, sourceIPv6Address holds the client's IPv6 address. In this DS-Lite template, it holds the remote endpoint address of the DS-Lite tunnel.
Note: The VRFID (or routing domain ID) for the DS-Lite tunnel is not currently provided; this attribute may be added in the future.
Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
egressVRFID 235 4 The "LSN" routing-domain ID.
sourceIPv4Address 8 4  
postNATSourceIPv4Address 225 4  
protocolIdentifier 4 1  
sourceTransportPort 7 2  
postNAPTSourceTransportPort 227 2  
sourceIPv6Address 27 16 DS-Lite remote endpoint IPv6 address.
destinationIPv4Address 12 4 0 (zero) if obscured.
destinationTransportPort 11 2 0 (zero) if obscured.
natOriginatingAddressRealm 229 1 1 (private/internal realm, subscriber side).
natEvent 230 1 1 (for Create event).

DS-Lite session delete – outbound variant

Description

This event is generated when a DS-Lite client session is received from the subscriber side and the LSN process finishes with the outbound session.

Note: The sourceIPv6Address stores different information in this template from the equivalent NAT64 template. In the NAT64 create and delete templates, sourceIPv6Address holds the client's IPv6 address. In this DS-Lite template, it holds the remote endpoint address of the DS-Lite tunnel.
Note: The VRFID (or routing domain ID) for the DS-Lite tunnel is not currently provided; this attribute may be added in the future.

By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

modify sys db log.lsn.session.end value enable
Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
egressVRFID 235 4 The "LSN" routing-domain ID.
sourceIPv4Address 8 4  
postNATSourceIPv4Address 225 4  
protocolIdentifier 4 1  
sourceTransportPort 7 2  
postNAPTSourceTransportPort 227 2  
sourceIPv6Address 27 16 DS-Lite remote endpoint IPv6 address.
destinationIPv4Address 12 4 0 (zero) if obscured.
destinationTransportPort 11 2 0 (zero) if obscured.
natOriginatingAddressRealm 229 1 1 (private/internal realm, subscriber side).
natEvent 230 1 2 (for Delete event).
flowStartMilliseconds 152 8 Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds 161 4 Duration in ms.

DS-Lite session create – inbound variant

Description

This event is generated when an inbound client session comes in from the internet side and connects to a DS-Lite client on the subscriber side.

Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "LSN" routing-domain ID.
egressVRFID 235 4 The "client" routing-domain ID.
sourceIPv4Address 8 4  
protocolIdentifier 4 1  
sourceTransportPort 7 2  
destinationIPv4Address 12 4  
postNATDestinationIPv6Address 282 16 DS-Lite remote endpoint IPv6 address.
postNATDestinationIPv4Address 226 4  
destinationTransportPort 11 2  
postNAPTDestinationTransportPort 228 2  
natOriginatingAddressRealm 229 1 2 (public/external realm, Internet side).
natEvent 230 1 1 (for Create event).

DS-Lite session delete – inbound variant

Description

This event is generated when an inbound client session comes in from the internet side and connects to a DS-Lite client on the subscriber side. This event marks the end of the inbound connection, when the connection is deleted.

By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

modify sys db log.lsn.session.end value enable
Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "LSN" routing-domain ID.
egressVRFID 235 4 The "client" routing-domain ID.
sourceIPv4Address 8 4  
protocolIdentifier 4 1  
sourceTransportPort 7 2  
destinationIPv4Address 12 4  
postNATDestinationIPv6Address 282 16  
postNATDestinationIPv4Address 226 4  
destinationTransportPort 11 2  
postNAPTDestinationTransportPort 228 2  
natOriginatingAddressRealm 229 1 2 (public/external realm, Internet side).
natEvent 230 1 2 (for Delete event).
flowStartMilliseconds 152 8 Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds 161 4 Duration in ms.

DS-Lite translation failed

Description

This event reports a DS-Lite Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.

Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
sourceIPv4Address 8 4 IPv4 address used by F5 CGNAT in the IPv4-mapped IPv6 format, for the DS-Lite tunnel terminated on the BIG-IP.
protocolIdentifier 4 1  
sourceTransportPort 7 2  
sourceIPv6Address 27 16 IPv6 address for remote endpoint of the DS-Lite tunnel.
destinationIPv4Address 12 4 0 (zero) if obscured.
destinationTransportPort 11 2 0 (zero) if obscured.
natEvent 230 1 10 for Transmission Failed.
natPoolName 284 Variable This IE is omitted for NetFlow v9.

DS-Lite quota exceeded

Description

This event is generated when an administratively configured policy prevents a successful NAT translation in a DS-Lite context.

Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
sourceIPv4Address 8 4  
sourceIPv6Address 27 16 DS-Lite remote endpoint IPv6 address.
natEvent 230 1 11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA client block limit Exceeded, 16 for PBA Port Quota Exceeded.
natPoolName 284 Variable This IE is omitted for NetFlow v9.

DS-Lite port block allocated or released

Description

This event is generated when the BIG-IP software allocates or releases a block of ports for a DS-Lite client. This event only occurs when port-block allocation (PBA) is configured for the LSN pool. When an LSN pool uses PBA, it issues an IPFIX log for every block of CGNAT translations rather than each individual translation. This reduces IPFIX traffic for CGNAT.

Information Element (IE) ID Size (Bytes) Notes
observationTimeMilliseconds 323 8  
ingressVRFID 234 4 The "client" routing-domain ID.
egressVRFID 235 4 The egress routing-domain ID.
sourceIPv6Address 27 16  
postNATSourceIPv4Address 225 4  
portRangeStart 361 2  
portRangeEnd 362 2  
natEvent 230 1 13 for PBA, block Allocated, 14 for PBA, block released.

CGNAT Log Format Reference

Overview: CGNAT log formats

Carrier Grade Network Address Translation (CGNAT) log formats are specific to the type of logging used, for example, high-speed logging (HSL) or Splunk.

Log field descriptions

This topic lists the available log fields and provides a description of each.

Table 1. Log field descriptions
Log field Description
bigip_hostname BIG-IP hostname.
bigip_mgmt_ip_address BIG-IP management IP address.
bigip_software_version BIG-IP software version. An example format is 11.4.0.132.0.
client_ipv4_address Client IPV4 address.
client_ipv6_address Client IPV6 address(IPV6 or NAT64 client).
client_port Client TCP/UDP port.
client_rtdomid Client route domain ID.
date_time Date and time. An example format is Apr 04 2013 08:13:26.
destination_address Client's destination IPV4/IPV6 address.
destination_port Client's port.
dslite_ipv6_remote_ip DS-Lite remote end point.
dslite_rtdomid DS-Lite tunnel route domain ID.
duration Duration of the translation (in ms).
egress_rtdomid Route domain ID of the egress interface.
end End time.
errdefs_msgno TMM internal value.
errdefs_msg_name TMM internal value.
internet_client_ipv4_address IP address of the inbound client connections from the internet.
internet_client_rtdomid Route domain ID of the inbound client connecting from the internet.
lsn_address IPV4/IPV6 translation address.
lsn_dnat_log_version DNAT log version.
lsn_dnat_port_range_min LSN pool translation port range low value.
lsn_dnat_port_range_max LSN pool translation port range high value.
lsn_dnat_prefix_list List of LSN pool translation prefixes.
lsn_dnat_source_list List of all the virtual server source prefixes that are attached to this lsn pool.
lsn_dnat_state DNAT algorithm internal state.
lsn_dnat_dag_id LSN Deterministic NAT libdag identifier.
lsn_port TCP/UDP translation port.
lsn_rtdomid Translation address route domain ID.
lsn_result Reason for translation failure.
lsn_pool_name LSN pool name with complete path. For example, /Common/lsnp1.
protocol UDP, TCP, or ICMP.
sa_trans_pool Source Address Translation Pool name, for example, SNAT pool, LSN, or Automap.
start The unixtime for the start of the translation.
timestamp Unix time, always in UTC.
tmm_daglib_state TMM DAG library state.

BIG-IP version 11.3.0 and 11.4.0 log reference

This reference content describes the logging format specific to BIG-IP software version 11.3.0 and 11.4.0.

This release provides the following logging changes:

  • CGNAT HSL and Splunk logging introduced in 11.3.0, unchanged in 11.4.0.
Table 2. BIG-IP version 11.3.0 and 11.4.0 log reference
Log Message Type Format
NAT44 session create HSL

"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>"

Splunk

lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"

NAT64 session create HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>"

Splunk

lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"

DSLITE session create HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>""<dslite_ipv6_remote_ip>%<dslite_rtdomid>"

Splunk

lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"

NAT44/NAT64/DSLITE Translation failed HSL

"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT - Translation failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"

Splunk

hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN Translation Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT - Translation failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"

DNAT config HSL

"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>"

Splunk

hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT Config Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT config change",severity="6",tmm_daglib_state="<tmm_daglib_state>"

DNAT session delete

HSL

"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>"

Splunk

lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"

BIG-IP 11.3.0 and 11.4.0 log formats

This reference content describes the log format changes specific to BIG-IP® software versions 11.3.0 and 11.4.0.

This release introduces CGNAT high-speed logging (HSL) and Splunk logging.

Table 3. NAT44 session create
Type Format
HSL

"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>"

Splunk

lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"

Note: IPFIX is not implemented for NAT44 session create.
Table 4. NAT64 session create
Type Format
HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>"

Splunk

lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"

Note: IPFIX is not implemented for NAT64 session create.
Table 5. DSLITE session create
Type Format
HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>""<dslite_ipv6_remote_ip>%<dslite_rtdomid>"

Splunk

lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"

Note: IPFIX is not implemented for DSLITE session create.
Table 6. NAT44/NAT64/DSLITE Translation failed
Type Format
HSL

"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT - Translation failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"

Splunk

hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN Translation Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT - Translation failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"

Note: IPFIX is not implemented for NAT44/NAT64/DSLITE Translation failed.
Table 7. DNAT config
Type Format
HSL

"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>"

Splunk

hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT Config Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT config change",severity="6",tmm_daglib_state="<tmm_daglib_state>"

Note: IPFIX is not implemented for DNAT config.
Table 8. DNAT session delete
Type Format
HSL

"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>"

Splunk

lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"

LTM log

DNAT connection: dnat: start=<start time in secs> end=<end time in secs> server=<destination_address>,<destination_port> local=<lsn_address>,<lsn_port> proto=<protocol_id> client=<client_ipv4_address>

Note: IPFIX is not implemented for DNAT session delete.

BIG-IP version 11.5.0 log reference

This reference content describes the logging format specific to BIG-IP software version 11.5.0.

This release provides the following logging changes:

  • IPFIX logging introduced, egress_rtdomid used in logs instead of lsn_rtdomid and following new logs were added
  • Log delete for NAT44/NAT64/DSLITE events
  • Log create/delete for inbound connections
  • Log quota exceeded events
  • Log outbound create/delete with destination address/port
  • Log start-time/duration in delete for outbounds
Table 9. BIG-IP version 11.5.0 log reference
Log Message Type Format
NAT44 session create HSL

"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>"

NAT44 session delete HSL

"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",duration="<duration>"

NAT44 session create (with log.lsn.session.destination enabled) HSL

"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>%<egress_rtdomid >:<lsn_port>""<destination_address>""<destination_port>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>"

NAT44 session delete (with log.lsn.session.destination enabled) HSL

"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

NAT44 inbound session create HSL

"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"

NAT44 inbound session delete HSL

"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"

NAT64 session create HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>"

NAT64 session delete HSL

"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

NAT64 session create (with log.lsn.session.destination enabled)

HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>"

NAT64 session delete (with log.lsn.session.destination enabled)

HSL

"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

NAT64 inbound session create HSL

"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"

NAT64 inbound session delete HSL

"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"

DSLITE session create HSL

"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

DSLITE session delete HSL

"LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"

DSLITE session create (with log.lsn.session.destination enabled)

HSL

"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

DSLITE session delete (with log.lsn.session.destination enabled)

HSL

"LSN_DELETE"""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"<destination_address>""<destination_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"

DSLITE inbound session create HSL

"LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

DSLITE inbound session delete HSL

"LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

Translation failed HSL

"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT - Translation failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"

Splunk

hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN Translation Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT - Translation failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"

DNAT config HSL

"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>"

Splunk

hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT Config Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT config change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>"

DNAT session delete

HSL

"LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_CONNECTION",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>"

NAT44 client quota exceeded HSL

"LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

NAT64 client quota exceeded HSL

"LSN_QUOTA_EXCEEDED""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

DSLITE client quota exceeded HSL

"LSN_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

BIG-IP 11.5.0 log formats

This reference content describes the log format changes specific to BIG-IP® software version 11.5.0.

This release includes the following changes:

  • Log delete for NAT44/NAT64/DSLITE events.
  • Log create/delete for inbound connections.
  • Log quota exceeded events.
  • Log outbound create/delete with destination address/port.
  • Log start-time/duration in delete for outbounds.
Table 10. NAT44 session create/delete format changes
Description Type Format
Without destination address/port HSL

"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>"

"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>%<egress_rtdomid >:<lsn_port>""<start>""duration"

With destination address/port HSL

"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>%<egress_rtdomid >:<lsn_port>""<destination_address>""<destination_port>"

"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>%<egress_rtdomid >:<lsn_port>""<destination_address>""<destination_port>"

"<start>""<duration>"

Without destination address/port Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>"

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",

cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",duration="<duration>"

With destination address/port Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>"

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

Table 11. IPFIX Create
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The client routing domain ID.
egressVRFID 4 The LSN routing domain ID.
sourceIPv4Address 4  
postNATSourceIPv4Address 4  
protocolIdentifier 1  
sourceTransportPort 2  
postNAPTsourceTransportPort 2  
destinationIPv4Address 2 0, if obscured.
destinationTransportPort 2 0, if obscured.
natOriginatingAddressRealm 1 1 (Private/internal realm – Subscriber side).
natEvent 1 1 (Create Event) or 2 (Delete Event).
Table 12. IPFIX Delete
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The client routing domain ID.
egressVRFID 4 The LSN routing domain ID.
sourceIPv4Address 4  
postNATSourceIPv4Address 4  
protocolIdentifier 1  
sourceTransportPort 2  
postNAPTsourceTransportPort 2  
destinationIPv4Address 2 0, if obscured.
destinationTransportPort 2 0, if obscured.
natOriginatingAddressRealm 1 1 (Private/internal realm – Subscriber side).
natEvent 1 1 (Create Event) or 2 (Delete Event).
flowStartMilliseconds 8  
flowDurationMilliseconds 4  
Table 13. NAT44 inbound session create/delete format changes
Type Format
HSL

"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>"

"<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"

"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>"

"<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"

"<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",

cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"

Table 14. IPFIX
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The LSN routing domain ID.
egressVRFID 4 The client routing domain ID.
sourceIPv4Address 4  
protocolIdentifier 1  
sourceTransportPort 2  
destinationIPv4Address 4  
postNATDestinationIPV4Address 4  
destinationTransportPort 2  
postNAPTDestinationTransportPort 2  
natOriginatingAddressRealm 1 2 (Public/external realm – Internet side).
natEvent 1 1 (Create Event) or 2 (Delete Event).
Table 15. NAT64 session create/delete
Description Type Format
Without destination address/port HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>%<egress_rtdomid>:<lsn_port>"

"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>%<egress_rtdomid>:<lsn_port>"

"<start>""<duration>""<start>""<duration>"

With destination address/port HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>"

"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>"

"<start>""<duration>"

Without destination address/port Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>"

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",

cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

With destination address/port Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>"

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>",

cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>"

,duration="<duration>"

Table 16. IPFIX Create
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The LSN routing domain ID.
egressVRFID 4 The client routing domain ID.
sourceIPv6Address 16  
postNATSourceIPv4Address 4  
protocolIdentifier 1  
sourceTransportPort 2  
postNAPTsourceTransportPort 2  
postNATDestinationIPV4Address 4 0, if obscured.
destinationTransportPort 2 0, if obscured.
postNAPTDestinationTransportPort 2  
natOriginatingAddressRealm 1 2 (Public/external realm – Internet side).
natEvent 1 1 (Create Event) or 2 (Delete Event).
Table 17. IPFIX Delete
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The LSN routing domain ID.
egressVRFID 4 The client routing domain ID.
sourceIPv6Address 16  
postNATSourceIPv4Address 4  
protocolIdentifier 1  
sourceTransportPort 2  
postNAPTsourceTransportPort 2  
postNATDestinationIPV4Address 4 0, if obscured.
destinationTransportPort 2 0, if obscured.
postNAPTDestinationTransportPort 2  
natOriginatingAddressRealm 1 2 (Public/external realm – Internet side).
natEvent 1 1 (Create Event) or 2 (Delete Event)
flowStartMilliseconds 8  
flowDurationMilliseconds 4  
Table 18. NAT64 inbound session create/delete format changes
Type Format
HSL

"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>"

"<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"

"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>"

"<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"

"<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",

cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"

Table 19. IPFIX
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The LSN routing domain ID.
egressVRFID 4 The client routing domain ID.
sourceIPv4Address 4  
protocolIdentifier 1  
sourceTransportPort 2  
destinationIPv4Address 4  
postNATDestinationIPv6Address 16 0, if obscured.
destinationTransportPort 2  
postNAPTDestinationTransportPort 2  
natOriginatingAddressRealm 1 2 (Public/external realm – Internet side).
natEvent 1 1 (Create Event) or 2 (Delete Event).
Table 20. DSLITE session create/delete
Description Type Format
Without destination address/port HSL

"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>%<egress_rtdomid>:<lsn_port>"

"LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>%<egress_rtdomid>:<lsn_port>" "<start>""<duration>"

With destination address/port HSL

"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>"

"LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>" "<start>""<duration>"

Without destination address/port Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",

cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",

duration="<duration>"

With destination address/port Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>",

cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"

Table 21. IPFIX Create
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The LSN routing domain ID.
egressVRFID 4 The client routing domain ID.
sourceIPv4Address 4  
postNATSourceIPv4Address 4  
protocolIdentifier 1  
sourceTransportPort 2  
postNAPTsourceTransportPort 2  
sourceIPv6Address 16 IPv6 address for remote endpoint of the DS-Lite tunnel.
destinationIPv4Address 4 0, if obscured.
destinationTransportPort 2  
natOriginatingAddressRealm 1 2 (Public/external realm – Internet side).
natEvent 1 1 (Create Event) or 2 (Delete Event).
Table 22. IPFIX Delete
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The LSN routing domain ID.
egressVRFID 4 The client routing domain ID.
sourceIPv4Address 4  
postNATSourceIPv4Address 4  
protocolIdentifier 1  
sourceTransportPort 2  
postNAPTsourceTransportPort 2  
sourceIPv6Address 16 IPv6 address for remote endpoint of the DS-Lite tunnel.
destinationIPv4Address 4 0, if obscured.
destinationTransportPort 2  
natOriginatingAddressRealm 1 2 (Public/external realm – Internet side).
natEvent 1 1 (Create Event) or 2 (Delete Event).
flowStartMilliseconds 8  
flowDurationMilliseconds 4  
Table 23. DSLITE inbound session create/delete
Type Format
HSL

"LSN_INBOUND_ADD""<dslite_ipv6_remote_ip%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>""<lsn_port>"

"LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>""<lsn_port>"

"<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

Table 24. IPFIX Create
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The LSN routing domain ID.
egressVRFID 4 The client routing domain ID.
sourceIPv4Address 4  
protocolIdentifier 1  
sourceTransportPort 2  
destinationIPv4Address 4  
postNATDestinationIPv6Address 16 DSLITE remote endpoint IPV6 address.
postNatDestinationIPv4Address 4  
destinationTransportPort 2  
postNAPTDestinationTransportPort 2  
natOriginatingAddressRealm 1 2 (Public/external realm – Internet side).
natEvent 1 1 (Create Event) or 2 (Delete Event).
Table 25. Translation failed
Type Format
HSL

"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT - Translation failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"

Splunk

hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN Translation Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT - Translation failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"

Table 26. IPFIX
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The client routing domain ID.
sourceIPv4Address 4  
protocolIdentifier 1  
sourceTransportPort 2  
destinationIPv4Address 4 0, if obscured.
destinationTransportPort 2 0, if obscured.
natEvent 1 Translation failed.
natPoolName Variable This IE is omitted for NetFlow v9 compatible configurations.
Table 27. IPFIX
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The client routing domain ID.
sourceIPv6Address 16  
protocolIdentifier 1  
sourceTransportPort 2  
destinationIPv4Address 4 0, if obscured.
destinationTransportPort 2 0, if obscured.
natEvent 1 Translation failed.
natPoolName Variable This IE is omitted for NetFlow v9 compatible configurations.
Table 28. IPFIX
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The client routing domain ID.
sourceIPv4Address 4 IPv4 address used by F5 CGNAT in the IPv4-mapped IPv6 format, for the DS-Lite tunnel terminated on the BIG-IP.
protocolIdentifier 1  
sourceTransportPort 2  
sourceIPv6Address 16 IPv6 address for remote endpoint of the DS-Lite tunnel.
destinationIPv4Address 4 0, if obscured.
destinationTransportPort 2 0, if obscured.
natEvent 1 Translation failed.
natPoolName Variable This IE is omitted for NetFlow v9 compatible configurations.
Table 29. DNAT config
Type Format
HSL

"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>"

Splunk

hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT Config Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT config change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>"

Note: IPFIX is not implemented for DNAT configuration.
Table 30. DNAT session delete
Type Format
HSL

"LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_CONNECTION",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>"

LTM log

DNAT connection: dnat: start=<start time in secs> end=<end time in secs> server=<destination_address>,<destination_port> local=<lsn_address>,<lsn_port> proto=<protocol_id> client=<client_ipv4_address>

Note: IPFIX is not implemented for DNAT session delete.
Table 31. NAT44 client quota exceeded
Type Format
HSL

"LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>

Table 32. IPFIX
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The client routing domain ID.
sourceIPv4Address 4  
natEvent 1 Session Quota Exceeded/Port Quota Exceeded.
natPoolName Variable This IE is omitted for NetFlow v9 compatible configurations.
Table 33. NAT64 client quota exceeded
Type Description
HSL

"LSN_QUOTA_EXCEEDED""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

lip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>

Table 34. IPFIX
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The client routing domain ID.
sourceIPv6Address 16  
natEvent 1 Session Quota Exceeded/Port Quota Exceeded.
natPoolName Variable This IE is omitted for NetFlow v9 compatible configurations.
Table 35. DSLITE client quota exceeded
Type Description
HSL

"LSN_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

Table 36. IPFIX
Field Bytes Description
observationTimeMilliseconds 8  
ingressVRFID 4 The client routing domain ID.
sourceIPv4Address 4  
sourceIPv6Address 16 IPv6 address for remote endpoint of the DS-Lite tunnel.
natEvent 1 Session Quota Exceeded/Port Quota Exceeded
natPoolName Variable This IE is omitted for NetFlow v9 compatible configurations.

BIG-IP version 11.6.0 log reference

This reference content describes the logging format specific to BIG-IP software version 11.6.0.

This release provides the following logging changes:

  • PBA Logging introduced.
  • Added ports exhausted message for NAT44, NAT64, and DSLITE
  • Log for DNAT inbound connections on connection end
Table 37. BIG-IP version 11.6.0 log reference
Log Message Type Format
NAT44 session create HSL

"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>"

NAT44 session delete HSL

"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",duration="<duration>"

NAT44 session create (with log.lsn.session.destination enabled) HSL

"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>%<egress_rtdomid >:<lsn_port>""<destination_address>""<destination_port>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>"

NAT44 session delete (with log.lsn.session.destination enabled) HSL

"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

NAT44 inbound session create HSL

"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"

NAT44 inbound session delete HSL

"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"

NAT64 session create HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>"

NAT64 session delete HSL

"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

NAT64 session create (with log.lsn.session.destination enabled)

HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>"

NAT64 session delete (with log.lsn.session.destination enabled)

HSL

"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

NAT64 inbound session create HSL

"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"

NAT64 inbound session delete HSL

"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"

DSLITE session create HSL

"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

DSLITE session delete HSL

"LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"

DSLITE session create (with log.lsn.session.destination enabled)

HSL

"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

DSLITE session delete (with log.lsn.session.destination enabled)

HSL

"LSN_DELETE"""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"<destination_address>""<destination_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"

DSLITE inbound session create HSL

"LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

DSLITE inbound session delete HSL

"LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

Translation failed HSL

"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT - Translation failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"

Splunk

hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN Translation Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT - Translation failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"

DNAT config HSL

"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>"

Splunk

hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT Config Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT config change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>"

DNAT session delete (on connection end, and inbound connection end)

HSL

"LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>"

NAT44 client quota exceeded HSL

"LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

NAT64 client quota exceeded HSL

"LSN_QUOTA_EXCEEDED""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

DSLITE client quota exceeded HSL

"LSN_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

NAT44 Port-block allocated HSL

"LSN_PB_ALLOCATED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

Splunk

lsn_event="LSN_PB_ALLOCATED", lsn_client="<client_ipv4_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

NAT44 Port-block released HSL

"LSN_PB_RELEASED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

Splunk

lsn_event="LSN_PB_RELEASED", lsn_client="<client_ipv4_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

NAT44 Client block limit reached HSL

"LSN_BLOCK_QUOTA_EXCEEDED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

NAT44 Ports Exhausted HSL

"LSN_PORTS_EXHAUSTED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

NAT64 Port-block allocated HSL

"LSN_PB_ALLOCATED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

Splunk

lsn_event="LSN_PB_ALLOCATED", lsn_client="<client_ipv6_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

NAT64 Port-block released HSL

"LSN_PB_RELEASED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

Splunk

lsn_event="LSN_PB_RELEASED", lsn_client="<client_ipv6_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

NAT64 Client block limit reached HSL

"LSN_BLOCK_QUOTA_EXCEEDED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

NAT64 Ports Exhausted HSL

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

DSLITE Port-block allocated HSL

"LSN_PB_ALLOCATED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

Splunk

lsn_event="LSN_PB_ALLOCATED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

DSLITE Port-block released HSL

lsn_event="LSN_PB_ALLOCATED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

Splunk

lsn_event="LSN_PB_RELEASED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

DSLITE Client block limit reached HSL

"LSN_BLOCK_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_BLOCK_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

DSLITE Ports Exhausted HSL

"LSN_PORTS_EXHAUSTED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

BIG-IP version 11.6.0 log formats

This reference content describes the log format changes specific to BIG-IP® software version 11.6.0.

This release includes log messages for the following translation modes:

Port Block Allocation (PBA)
Table 38. PBA log format changes
Message Type Format
Port block allocated HSL

NAT44: "LSN_PB_ALLOCATED"<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

NAT64: "LSN_PB_ALLOCATED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

DSLITE: "LSN_PB_ALLOCATED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

Splunk

NAT44: lsn_event="LSN_PB_ALLOCATED", lsn_client="<client_ipv4_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

NAT64: lsn_event="LSN_PB_ALLOCATED", lsn_client="<client_ipv6_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

DSLITE: lsn_event="LSN_PB_ALLOCATED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

Port-block released HSL

NAT44: "LSN_PB_RELEASED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

NAT64: "LSN_PB_RELEASED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

DSLITE: "LSN_PB_RELEASED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

Splunk

NAT44: lsn_event="LSN_PB_RELEASED", lsn_client="<client_ipv4_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

NAT64: lsn_event="LSN_PB_RELEASED", lsn_client="<client_ipv6_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

DSLITE: lsn_event="LSN_PB_RELEASED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

Client block limit reached HSL

NAT44: "LSN_BLOCK_QUOTA_EXCEEDED""<Client IPV4 address%rtdomid>:<Client port>""<LSN pool name>"

NAT64: "LSN_BLOCK_QUOTA_EXCEEDED""<Client IPV6 address%rtdomid>:<Client port>""<LSN pool name>"

DSLITE: "LSN_BLOCK_QUOTA_EXCEEDED""<DSLITE IPV6 address%rtdomid>""<Client IPV4 address%rtdomid>:<Client port>""<LSN pool name>"

Splunk

NAT44: lsn_event="LSN_BLOCK_QUOTA_EXCEEDED", cli="<Client IPV4 address%rtdomid>:<Client port>", sa_translation_pool="<LSN pool name>"

NAT64: lsn_event="LSN_BLOCK_QUOTA_EXCEEDED", cli="<Client IPV6 address%rtdomid>:<Client port>", sa_translation_pool="<LSN pool name>"

DSLITE: lsn_event="LSN_BLOCK_QUOTA_EXCEEDED", cli="<Client IPV6 address%rtdomid>:<Client port>", dslite="<DSLITE IPV6 address%rtdomid>" sa_translation_pool="<LSN pool name>"

Ports exhausted HSL

NAT44: "LSN_PORTS_EXHAUSTED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

NAT64: "LSN_PORTS_EXHAUSTED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

DSLITE: "LSN_PORTS_EXHAUSTED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

NAT44: ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

NAT64: ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

DSLITE: ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

IPFIX
Table 39. NAT44 port-block allocated/released:
Field Size (Bytes) IANA IPFIX ID Description
timeStamp 8 323  
ingressVRFID 4 234 The client routing domain ID.
egressVRFID 4 235 The egress routing domain ID.
sourceIPv4Address 4 8 Not applicable
postNATSourceIPv4Address 4 225 Not applicable
PortRangeStart 2 361 Not applicable
PortRangeEnd 2 362 Not applicable
natEvent 1 230 13 for allocation. 14 for released.
Table 40. NAT64 port-block allocated/released:
Field Size (Bytes) IANA IPFIX ID Description
timeStamp 8 323  
ingressVRFID 4 234 The client routing domain ID.
egressVRFID 4 235 The egress routing domain ID.
sourceIPv4Address 16 8 Not applicable
postNATSourceIPv4Address 4 225 Not applicable
PortRangeStart 2 361 Not applicable
PortRangeEnd 2 362 Not applicable
natEvent 1 230 13 for allocation. 14 for released.
Table 41. DSLITE port-block allocated/released:
Field Size (Bytes) IANA IPFIX ID Description
timeStamp 8 323  
ingressVRFID 4 234 The client routing domain ID.
egressVRFID 4 235 The egress routing domain ID.
sourceIPv4Address 16 8 DSLITE remote endpoint address.
postNATSourceIPv4Address 4 235 Not applicable
PortRangeStart 2 361 Not applicable
PortRangeEnd 2 362 Not applicable
natEvent 1 230 13 for allocation. 14 for released.
Table 42. NAT44 client block limit reached OR ports exhausted:
Field Size (Bytes) IANA IPFIX ID Description
observationTimeMilliseconds 8 323  
ingressVRFID 4 234 The client routing domain ID.
sourceIPv4Address 4 8 The egress routing domain ID.
natEvent 1 230 Client block limit reached (15) or ports exhausted (16).
natPoolName Variable 284 This IE is omitted for NetFlow v9 compatible configurations.
Table 43. NAT64 client block limit reached OR ports exhausted:
Field Size (Bytes) IANA IPFIX ID Description
observationTimeMilliseconds 8 323  
ingressVRFID 4 234 The client routing domain ID.
sourceIPv4Address 16 27 The egress routing domain ID.
natEvent 1 230 Client block limit reached (15) or ports exhausted (16).
natPoolName Variable 284 This IE is omitted for NetFlow v9 compatible configurations.
Table 44. DSLITE client block limit reached OR ports exhausted:
Field Size (Bytes) IANA IPFIX ID Description
natEvent 1 230 Client block limit reached (15) or ports exhausted (16).
sourceIPv4Address 16 27 IPv6 address for remote endpoint of the DS-Lite tunnel.
ingressVRFID 4 234 The client routing domain ID.
natPoolName Variable 284 This IE is omitted for NetFlow v9 compatible configurations.
observationTimeMilliseconds 8 323  
sourceIPv4Address 4 8  

BIG-IP version 12.0.0 log reference

This reference content describes the logging format specific to BIG-IP software version 12.0.0.

This release provides the following logging changes:

  • Port-block released (added start and duration)
  • Start time added to LSN_ADD messages.
Table 45. BIG-IP version 12.0.0 log reference
Log Message Type Format
NAT44 session create HSL

"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>" "<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",start="<start>"

NAT44 session delete HSL

"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",duration="<duration>"

NAT44 session create (with log.lsn.session.destination enabled) HSL

"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>"

"<lsn_address>%<egress_rtdomid >:<lsn_port>""<destination_address>""<destination_port>""<start>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",start="<start>"

NAT44 session delete (with log.lsn.session.destination enabled) HSL

"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

NAT44 inbound session create HSL

"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>",start="<start>"

NAT44 inbound session delete HSL

"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"

NAT64 session create HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>"

NAT64 session delete HSL

"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

NAT64 session create (with log.lsn.session.destination enabled)

HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>"

NAT64 session delete (with log.lsn.session.destination enabled)

HSL

"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

NAT64 inbound session create HSL

"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",start="<start>"

NAT64 inbound session delete HSL

"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"

DSLITE session create HSL

"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"

DSLITE session delete HSL

"LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"

DSLITE session create (with log.lsn.session.destination enabled)

HSL

"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"

DSLITE session delete (with log.lsn.session.destination enabled)

HSL

"LSN_DELETE"""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"<destination_address>""<destination_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"

DSLITE inbound session create HSL

"LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"

DSLITE inbound session delete HSL

"LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

Translation failed HSL

"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT - Translation failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"

Splunk

hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN Translation Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT - Translation failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"

DNAT config HSL

"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>"

Splunk

hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT Config Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT config change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>"

DNAT session delete (on connection end, and inbound connection end)

HSL

"LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_CONNECTION",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>"

NAT44 client quota exceeded HSL

"LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

NAT64 client quota exceeded HSL

"LSN_QUOTA_EXCEEDED""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

DSLITE client quota exceeded HSL

"LSN_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

NAT44 Port-block allocated HSL

"LSN_PB_ALLOCATED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

Splunk

lsn_event="LSN_PB_ALLOCATED", lsn_client="<client_ipv4_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

NAT44 Port-block released HSL

"LSN_PB_RELEASED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>"

Splunk

lsn_event="LSN_PB_RELEASED", lsn_client="<client_ipv4_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>"

NAT44 Client block limit reached HSL

"LSN_BLOCK_QUOTA_EXCEEDED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

NAT44 Ports Exhausted HSL

"LSN_PORTS_EXHAUSTED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

NAT64 Port-block allocated HSL

"LSN_PB_ALLOCATED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

Splunk

lsn_event="LSN_PB_ALLOCATED", lsn_client="<client_ipv6_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"

NAT64 Port-block released HSL

"LSN_PB_RELEASED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>"

Splunk lsn_event="LSN_PB_RELEASED", lsn_client="<client_ipv6_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>"
NAT64 Client block limit reached HSL "LSN_BLOCK_QUOTA_EXCEEDED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
Splunk ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT64 Ports Exhausted HSL "LSN_PORTS_EXHAUSTED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
Splunk ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
DSLITE Port-block allocated HSL "LSN_PB_ALLOCATED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
Splunk lsn_event="LSN_PB_ALLOCATED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
DSLITE Port-block released HSL "LSN_PB_RELEASED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>"
Splunk lsn_event="LSN_PB_RELEASED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>"
DSLITE Client block limit reached HSL "LSN_BLOCK_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
Splunk ip_protocol="<protocol>",lsn_event="LSN_BLOCK_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
DSLITE Ports Exhausted HSL "LSN_PORTS_EXHAUSTED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
Splunk ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
BIG-IP version 12.0.0 log formats

This reference content describes the log format changes specific to BIG-IP® software version 12.0.0.

This release includes log messages for the following:

  • Port-block released (added start and duration)
  • Start time added to LSN_ADD messages and LSN_INBOUND_CREATE messages
Table 46. Log format changes
Translation Mode Type Format
Port Block Allocation (PBA) log formats HSL

NAT44:"LSN_PB_RELEASED""<Client IPV4 address%rtdomid>""<Translated IPV4 address%rtdomid>:<Port range start>:<Port range end>""<start>""<duration>"

NAT64: "LSN_PB_RELEASED""<Client IPV6 address%rtdomid>""<Translated IPV4 address%rtdomid>:<Port range start>-<Port range end>""<start>""<duration>"

DSLITE: "LSN_PB_RELEASED""<DSLITE IPV6 address%rtdomid>""<Translated IPV4 address%rtdomid>:<Port range start>-<Port range end>""<start>""<duration>"

Splunk

NAT44: lsn_event="LSN_PB_RELEASED", lsn_client="<Client IPV4 address%rtdomid>", lsn_pb="<Translated IPV4 address%rtdomid>:<Port range start>-<Port range end>",start="<start>",duration="<duration>"

NAT64: lsn_event="LSN_PB_RELEASED", lsn_client="<Client IPV6 address%rtdomid>", lsn_pb="<Translated IPV4 address%rtdomid>:<Port range start>-<Port range end>",start="<start>",duration="<duration>"

DSLITE: lsn_event="LSN_PB_RELEASED", lsn_dslite_client="<DSLITE IPV6 address%rtdomid>", lsn_pb="<Translated IPV4 address%rtdomid>:<Port range start>-<Port range end>",start="<start>",duration="<duration>"

NAT 44 session create HSL

"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>""<start>"

With destination logging (log.lsn.session.destination) enabled:

"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>""<destination_address>""<destination_port>""<start>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",start="<start>"

With destination logging (log.lsn.session.destination) enabled:

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",start="<start>"

NAT 64 session create HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>"

With destination logging (log.lsn.session.destination) enabled:

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>"

With destination logging (log.lsn.session.destination) enabled:

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>"

DSLITE session create HSL

"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>"

With destination logging (log.lsn.session.destination) enabled:

"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"

With destination logging (log.lsn.session.destination) enabled:

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"

NAT44 Inbound session create HSL

"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>",start="<start>"

NAT64 Inbound session create HSL

"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",start="<start>"

DSLITE Inbound session create HSL

"LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"

BIG-IP version 12.1.0 log formats

This reference content describes the log format changes specific to BIG-IP® software version 12.1.0.

This release includes log messages for translation failures, specifically, when a suggested resource is unavailable for iRules, or a preserve strict source port setting applies.

Table 47. Log format changes
Message Type Format
Translation failed - iRules suggested port busy HSL "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","Translation failed - iRule port busy","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"
Translation failed - iRules suggested address busy HSL "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","Translation failed - iRule address busy","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"
Translation failed - Preserve strict source port busy HSL "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","Translation failed - Preserve strict source port busy","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"

BIG-IP version 12.1.1 log reference

This reference content describes the logging format specific to BIG-IP software version 12.1.1.

This release provides the following logging changes:

  • Log specific translation failed messages when a suggested resource is unavailable (for iRules and source port preserve strict).
Table 48. BIG-IP version 12.1.1 log reference
Log Message Type Format
NAT44 session create HSL

"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",start="<start>"

NAT44 session delete HSL

"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",duration="<duration>"

NAT44 session create (with log.lsn.session.destination enabled) HSL

"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",start="<start>"

NAT44 session delete (with log.lsn.session.destination enabled) HSL

"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

NAT44 inbound session create HSL

"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>",start="<start>"

NAT44 inbound session delete HSL

"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"

NAT64 session create HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>"

NAT64 session delete HSL

"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

NAT64 session create (with log.lsn.session.destination enabled)

HSL

"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>"

NAT64 session delete (with log.lsn.session.destination enabled)

HSL

"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

NAT64 inbound session create HSL

"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",start="<start>"

NAT64 inbound session delete HSL

"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"

DSLITE session create HSL

"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"

DSLITE session delete HSL

"LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"

DSLITE session create (with log.lsn.session.destination enabled)

HSL

"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"

DSLITE session delete (with log.lsn.session.destination enabled)

HSL

"LSN_DELETE"""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"<destination_address>""<destination_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"

DSLITE inbound session create HSL

"LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"

DSLITE inbound session delete HSL

"LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"

Splunk

ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

Translation failed HSL

"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","<lsn_result>","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"

Splunk

hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN Translation Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="<lsn_result>",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"

DNAT config HSL

"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>"

Splunk

hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT Config Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT config change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>"

DNAT session delete (on connection end, and inbound connection end)

HSL

"LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_CONNECTION",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>"

NAT44 client quota exceeded HSL

"LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"

Splunk

ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"