How can ISPs Log Subscriber Control Plane Information Using NetScaler?

This article describes how ISPs can log subscriber control plane information using NetScaler.

Internet Service Providers (ISPs) need to control the subscriber traffic and apply different kind of policies for different subscribers. With surge in mobile data usage in recent years, a huge amount of control plane traffic flows through the ISP network which needs to be logged. Why do ISPs keep track of the data flowing through their network??? This logging of data primarily helps ISPs in traffic analysis and mass surveillance. This adds value to service providers by helping them to debug failures by identifying events that lead to failure and most importantly helps identifying subscribers who used their services.

Internet Service Providers needs millions of records to be logged as the transaction scale is huge, which calls for the need to send the generated logs to a server where it can be stored and analyzed. ?? ??

How NetScaler helps in logging Subscriber information?

NetScaler can log Subscriber session events to enable Telco administrators to track subscriber related events. NetScaler can also log Subscriber session failure that helps Telco administrators to debug issues in subscriber sessions. The log message captures various control plane messages for each subscriber.

There are two broad categories of Subscriber session log messages:

1. Subscriber session event message: This log message is created for every subscriber session event like Diameter Gx events (Diameter Gx session Install, Diameter Gx session Update , Diameter Gx session Delete) and RADIUS session events (RADIUS session install, RADIUS session delete).

Below mentioned logs are examples for Subscriber session event logs.
09/30/2015:16:38:56 GMT?? Informational 0-PPE-0 : default SUBSCRIBER SESSION_EVENT 159 0 :?? Session Update, GX MsgType: CCR-U, IP: 100.10.1.1

The above log message is extracted from Diameter Gx CCRU message as we can see the GX MsgType as CCR-U. Timestamp, Subscriber IP are other important attributes which can be of use for administrators to track events. MSISDN will also be logged if it is available to NetScaler. ?? Note: This message is seen if the interface type is Gx only. For information on interface type refer to : http://docs.citrix.com/en-us/netscaler/11/solutions/netscaler-support-for-telecom-service-providers/lsn-telco-subscriber-management.html

09/30/2015:17:27:56 GMT?? Informational 0-PPE-0 : default SUBSCRIBER SESSION_EVENT 185 0 :?? Session Delete, GX MsgType: CCR-T, RADIUS MsgType: Stop, IP: 100.10.1.1, ID: E164 – 30000000001

The above log message occurs when RADIUS accounting stop message is received from RADIUS server and Diameter Gx CCR-T message was sent to NetScaler. MSISDN is logged in this case under E164 as it is available at NetScaler. RADIUS MsgType is seen as Stop as RADIUS Accounting stop is received at NetScaler.

Note: This message is seen if the interface type is RadiusAndGx.

09/30/2015:17:25:05 GMT?? Informational 0-PPE-0 : default SUBSCRIBER SESSION_EVENT 182 0 :?? Session Install, RADIUS MsgType: Start, IP: 100.10.1.1, ID: E164 – 30000000001

The above log message is extracted from RADIUS accounting message Start message as we can see the RADIUS MsgType as Start. MSISDN is also logged in this case under E164 as it is available at NetScaler.

Note: This message is seen if the interface type is RadiusOnly.

2. Subscriber session failure message: This message is created for every session failure for every subscriber like PCRF unable to find the requested subscriber information in database – PCRF failure response, PCRF is down which leads to absence of connectivity with PCRF etc.

09/30/2015:16:44:15 GMT?? Error 0-PPE-0 : default SUBSCRIBER SESSION_FAILURE 169 0 :?? Failure Reason: PCRF failure response, GX MsgType: CCR-I, IP: 100.10.1.1

The above mentioned log message is seen if the interface type is GxOnly. This failure log message shows that subscriber with IP address 100.10.1.1 is not configured in PCRF and hence it is not able to find the requested subscriber information leading to a failure response.

09/30/2015 13:03:01?? 09/30/2015:16:49:08 GMT?? 0-PPE-0 : default SUBSCRIBER SESSION_FAILURE 176 0 :?? Failure Reason: Unable to connect to PCRF, GX MsgType: CCR-I, RADIUS MsgType: Start, IP: 100.10.1.1, ID: E164 - 30000000001

The above mentioned log message is seen if the interface type is RadiusAndGx. This failure log message shows that PCRF, which NetScaler is trying to connect, is down and hence failure reason is logged as ‘Unable to connect to PCRF’.

Subscriber session logging using Configuration Utility

Subscriber logging in NetScaler can be enabled for Syslog and Nslog. To enable Susbcriber logging in Syslog using configuration utility, the below mentioned steps have to be followed.

Step 1: Navigate to System > Auditing > Syslog.

Step 2: ?? Enter the name of the audit policy in text box under Name and click on the “+” under Server to create a new syslog action.

Step 3: Enter the details for Syslog action like syslog action name, syslog server IP address, log level, transport type (UDP/TCP) and check the box next to Subscriber Logging to enable subscriber session logging in Syslog.

Note: NetScaler has support for syslog over TCP to enable reliable transfer of syslog messages to syslog server.

Step 4: Click Create.

Step 5: To bind the syslog policy to system global for the policy to take effect, select the policy and bind the policy to system global. Click on Action drop down list as shown below and select “Global Bindings”.

Select the policy that is intended to be bound to system global and click Bind.??

Under Policies, the selected policy will show that it is globally bound with entered priority number on refreshing the status.

Similar procedure has to be followed for enabling subscriber session logging in nslog.

Subscriber session logging using Command Line Interface

Subscriber session logging can be enabled using command line prompt for syslog as follows,
add syslogAction sysact1 <Syslog server IP> -loglevel all -subscriberlog enabled
add audit syslogPolicy syspol1 ns_true sysact1
set audit syslogParams -subscriberLog ENABLED
bind system global syspol1 -priority 10 ??
For enabling Subscriber session log under NSlog,
set nslogparams -subscriberLog ENABLED
add nslogAction logact1 <Nslog server IP> -loglevel all -subscriberlog enabled
add audit nslogpolicy nslogpol1 ns_true logact1

Thus the above mentioned procedure can be used for tracking subscriber session events and session failures by administrators using NetScaler.