Understanding Gx-Plus Interactions Between the Router and the PCRF
This topic describes the sequences of Diameter messages exchanged by means of Gx-Plus between the Policy Control and Rules Charging Function (PCRF) and the router acting as a Policy and Charging Enforcement Function (PCEF) as they interact to perform the following tasks for subscriber access:
- Subscriber login
- Fault tolerance and event notification
- Subscriber audit
- Subscriber logout
Subscriber Login
Gx-Plus provisioning is enabled for subscribers when you include the provisioning-order gx-plus statement at the [edit access profile profile-name] hierarchy level. When an application requests AAA to activate the subscriber's session, the router sends a CCR-I message to the PCRF to request provisioning for the subscriber session. The CCR-I message must include the Juniper-Virtual-Router, Framed-IP-Address, and NAS-Port-ID AVPs. The request is not generated when no IPv4 address has been assigned to the subscriber, when IPv6 is enabled and an IPv6 address has been assigned, or when the NAS-Port-ID is unknown.
The PCRF returns a CCA-I message that includes the Result-Code AVP (AVP code 268). The router considers a CCA-I that does not include the Result-Code AVP as a failed response. The CCA-I can return the Charging-Rule-Install AVP (AVP code 1001), which identifies services to be activated.
If the Result-Code value is DIAMETER_SUCCESS (2001), the router communicates to AAA that the requested service is activated. If the Result-Code value is DIAMETER_AUTHORIZATION_REJECTED, the router communicates to AAA that the service activation is not permitted. If the Result-Code AVP has any other value, or is missing, the request is retried. A total of three CCR-I messages can be sent.
If the PCRF does not indicate success or failure, then by default the router continues to send requests, but the retry requests are CCR-N messages (no-response notifications) that include the Juniper-Provisioning-Source AVP (AVP code 2101). This AVP indicates that the router has local decision-making authority to provision services in the absence of a PCRF response to the CCR-I. This AVP is not present in the CCR-I message.
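The Result-Code handling described above, as an added example that is not Juniper code: it walks the AVPs of a CCA-I payload (RFC 6733 AVP layout, without the 20-byte Diameter header) and returns the router action. The action labels, the numeric value 5003, the 3GPP identifiers in the sample, and the reading that CCR-N retries begin after the third CCR-I are assumptions added here.

```python
import struct

RESULT_CODE = 268                        # AVP codes given on this page
CHARGING_RULE_INSTALL = 1001
DIAMETER_SUCCESS = 2001
DIAMETER_AUTHORIZATION_REJECTED = 5003   # RFC 6733 value; the page gives only the name
MAX_CCR_I = 3                            # "A total of three CCR-I messages can be sent"
FLAG_VENDOR = 0x80                       # V bit: a 4-byte Vendor-Id follows the header

def parse_avps(buf):
    """Yield (code, data) for each AVP in buf, rejecting malformed lengths."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", buf, off)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & FLAG_VENDOR else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length")
        yield code, buf[off + hdr: off + length]
        off += (length + 3) & ~3         # AVPs are padded to a 4-byte boundary

def classify_cca_i(avp_bytes, ccr_i_sent):
    """Return (action, rule_install_count); action labels are hypothetical."""
    result, installs = None, 0
    for code, data in parse_avps(avp_bytes):
        if code == RESULT_CODE and len(data) == 4:
            result = struct.unpack("!I", data)[0]
        elif code == CHARGING_RULE_INSTALL:
            installs += 1
    if result == DIAMETER_SUCCESS:
        return "activated", installs     # zero installs: no services, not even defaults
    if result == DIAMETER_AUTHORIZATION_REJECTED:
        return "not-permitted", 0
    # Any other value, or no Result-Code at all, is a failed response and is retried.
    return ("retry-ccr-i" if ccr_i_sent < MAX_CCR_I else "retry-ccr-n"), 0

def avp(code, data, vendor=None):
    """Build one AVP; used only to construct sample input."""
    hdr = 12 if vendor else 8
    head = struct.pack("!II", code, ((0xC0 if vendor else 0x40) << 24) | (hdr + len(data)))
    if vendor:
        head += struct.pack("!I", vendor)
    return head + data + b"\x00" * (-len(data) % 4)

# Constructed sample: success plus one rule install. Charging-Rule-Name (1005),
# vendor id 10415 (3GPP) and the rule name "gold" are not taken from this page.
SAMPLE_CCA_I = (avp(RESULT_CODE, DIAMETER_SUCCESS.to_bytes(4, "big"))
                + avp(CHARGING_RULE_INSTALL, avp(1005, b"gold", vendor=10415), vendor=10415))
```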
A subscriber login initiates the following sequence of events:
- A client application—such as DHCP, PPP, or static subscriber sessions—requests AAA to authenticate the subscriber.
- Authentication begins if the subscriber access profile specifies RADIUS authentication. Login continues when the authentication is successful. Login fails unless the authentication-order statement in the profile specifies RADIUS authentication or no authentication. Login also fails when authentication fails.
- Default services are activated for the subscriber. Any services that the authentication server includes in the authentication grant are activated. Additionally, a default service may have been configured for the client application.
- If the subscriber access profile specifies Gx-Plus provisioning, the router initiates the Gx-Plus message exchange by sending a CCR-I message to the PCRF. The router waits for the PCRF to respond with a CCA-I message within a non-configurable timeout period.
When the PCRF responds within the timeout period and includes the Charging-Rule-Install AVP in the CCA-I message, subscriber login is delayed while the router deactivates any default services and attempts to activate the specified services.
- If all the specified services are activated, then the login completes.
- If any of the services cannot be activated, the router sends the PCRF a CCR-U message with the status of the services (a rule report). The PCRF responds to this message with a CCA-U that can contain a new set of services for activation.
- The router ignores any default services, even if the CCA-I message does not include any services. In this circumstance, no services are activated.
If the PCRF does not return a CCA-I within the timeout period, subscriber login completes.
- The router searches first for services returned from the authentication server and activates any it finds. If no such services are found, then the router activates any locally configured default services. Subscriber login completes when default service activation is successful, but fails when any default service fails to activate. Because default services are not required to be present, login also completes when no default services are found.
- If login completes (with or without a default service), the router periodically resends the CCR-I message to the PCRF. If the PCRF subsequently returns a CCA-I, the router deactivates the default service, if any, and then activates any services included in the CCA-I. If the message does not include any services, then no services are activated, not even a default service.
- If any of the services contained in the CCA-I cannot be activated, the router sends the PCRF a CCR-U message with the status of the services (a rule report). The PCRF responds to this message with a CCA-U that can contain a new set of services for activation.
- The router begins to monitor session accounting statistics if the CCA-I message includes any threshold triggers for usage monitoring. The Usage-Monitoring-Information AVP (AVP code 1067) contains the threshold triggers in the Granted-Service-Unit AVP (AVP code 431). The triggers are the values granted by the PCRF for the following statistics: duration of the session, input octets count, output octets count, and total octets count.
- If the service statistics meet or exceed any of these trigger thresholds during the session, the router sends a CCR-U message to the PCRF with accounting information in the Usage-Monitoring-Information AVP (AVP code 1067). The AVP now contains the Used-Service-Unit AVP (AVP code 446) to report the current values for all four statistics.
- In response, the PCRF may return a CCA-U message with the Usage-Monitoring-Information AVP, which can include any of the following: the Granted-Service-Unit AVP with new threshold triggers (absolute values rather than increments to the previous thresholds), the Charging-Rule-Install AVP (AVP code 1001) for service activations, or the Charging-Rule-Remove AVP (AVP code 1002) for service deactivations.
Note: The router does not aggregate statistics across services.
- When the subscriber logs out, the router sends a CCR-T message (termination notice) to the PCRF, which responds with a CCA-T message.
Fault Tolerance and Event Notification
Although the probability is low, the PCRF and the router can have different values for the number of subscribers. This error can arise from the following scenarios:
- CCA-I loss: if no CCA-I is delivered to the router, then the PCRF considers a subscriber as provisioned whereas the router considers it not provisioned.
- CCR-T loss: if no CCR-T is delivered to the PCRF, then the PCRF considers a subscriber to be provisioned whereas the router considers the subscriber not provisioned (logged out).
Loss of messages can be greater during cold boots and high availability events. To reduce the incidence of failure, unacknowledged CCR-I and CCR-T requests are retransmitted forever until a satisfactory response is received, and significant events are reported to Gx-Plus. By default, the number of outstanding requests is limited to 40 to avoid overloading the PCRF. This limit reduces the possibility of losing requests. You can modify this number by including the max-outstanding-requests statement at the [edit access-gx-plus global] hierarchy level.
Gx-Plus does not rely on the connection state between devices to detect router or PCRF outages, because some events do not affect the connection state and others are not detected when there is a Diameter relay or proxy between the devices. Event notifications (JSER messages) are sent when certain events take place on the router. The Juniper-Event-Type AVP (AVP code 2103) in the message describes the event.
Event notifications are retried until Gx-Plus returns a JSEA message with a Result-Code value of DIAMETER_SUCCESS (2001) to acknowledge receipt of the event notification. When retrying notifications, one notification is sent for each outstanding event. No other requests are sent as long as there is any outstanding event other than an application watchdog (AWD).
Table 1 lists router events and the subsequent router and PCRF actions.
Table 1: Router Events, Router Actions, and PCRF Actions
Router Event | Router Action | PCRF Action |
---|---|---|
The router receives no response from the PCRF or an error response. | Send event notification. | Respond to event notification. |
The configuration changes. Significant changes such as the origin host or realm and the Gx-Plus partition destination host or realm also increment the value of the Origin-State-Id AVP. | Send event notification. | Respond to event notification and perform discovery. |
The router receives an explicit discovery request from the PCRF. | Send event notification. | Respond to event notification. |
The router undergoes a cold boot and all sessions are lost. This can result from a catastrophic failure or power cycle. | Send event notification. | Respond to event notification and clear the database. |
The router undergoes a warm boot. | Send event notification. | Respond to event notification and clear the database. |
Recovery resources that are needed to continuously retry unacknowledged requests (CCR-N and CCR-T messages) are exhausted. The value of the Origin-State-Id AVP is incremented. This event is unlikely to occur. | Send event notification. | Respond to event notification and perform discovery. |
An important aspect of Gx-Plus fault tolerance is that subscriber login and termination requests are retried (replayed) forever until a satisfactory response is received from the PCRF. In rare circumstances, this can result in a stack of pending requests being replayed over and over.
You can issue the clear network-access gx-plus replay command to clear all pending requests. This command causes Gx-Plus to send a JSER message to the PCRF that includes the Juniper-Event-Type AVP (AVP code 2103) with a value of 3, indicating a discovery request. The PCRF then returns a JDER message to initiate discovery of all subscribers. When this discovery completes, all pending subscriber requests are cleared.
PCRF-Generated Discovery
The PCRF runs a discovery process in response to data loss, exhaustion of router resources, operator request, or router request. The JSDR message specifies the level of verbosity desired in the reply from Gx-Plus. The message also specifies whether the request is for data about a particular session or information similar to an SNMP Get-Bulk for all sessions. Gx-Plus returns a JSDA message that indicates complete success, limited success, or an error. In the event of success, the requested data is also returned.
Subscriber Accounting
When the PCRF returns a CCA-I message to the router, the message may contain thresholds for any of several usage statistics for a subscriber service: duration, input data, output data, or total data for the service session. Upon receipt of a threshold, the router begins monitoring the subscriber’s service session activity for that statistic. When the usage statistic reaches the threshold, it triggers the router to send a Gx-Plus usage notification message (CCR-U) to the PCRF. In response, the PCRF may send a CCA-U message to specify a new threshold, activate new services, or deactivate current services.
The PCRF can also send a CCR-U message that explicitly requests usage monitoring for statistics at different levels. The router can monitor usage at the subscriber level or at the service level. The Granted-Service-Unit AVP in the message specifies one or more of the following statistics:
- CC-Input-Octets
- CC-Output-Octets
- CC-Total-Octets
- CC-Time
If any other statistics are specified, the router sends the PCRF a CCA message indicating that incorrect statistics were requested. When the specified threshold for a monitored statistic is reached, the router sends a CCR-U that contains the usage report for the statistics. In response, the PCRF sends another CCA-R with new thresholds or a request to activate or deactivate services.
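The threshold behavior described here and in the usage-monitoring steps of the login sequence, as an added model that is not Juniper code: one monitor per service session, triggers that fire when a statistic meets or exceeds its threshold, a report carrying all four statistics, and new grants treated as absolute values. The class and method names are hypothetical, and disarming a trigger after it is reported is an assumption.

```python
STATS = ("CC-Time", "CC-Input-Octets", "CC-Output-Octets", "CC-Total-Octets")

class ServiceUsageMonitor:
    """Usage monitor for one service session; nothing is aggregated across services."""

    def __init__(self, granted):
        self.used = dict.fromkeys(STATS, 0)
        self.thresholds = {}
        self.grant(granted)

    def grant(self, granted):
        """Apply a Granted-Service-Unit: absolute thresholds, not increments."""
        unknown = set(granted) - set(STATS)
        if unknown:
            # The router reports incorrect statistics back to the PCRF in this case.
            raise ValueError(f"unsupported statistics: {sorted(unknown)}")
        self.thresholds.update(granted)

    def account(self, seconds=0, octets_in=0, octets_out=0):
        """Add usage; return a Used-Service-Unit report if any threshold is met."""
        self.used["CC-Time"] += seconds
        self.used["CC-Input-Octets"] += octets_in
        self.used["CC-Output-Octets"] += octets_out
        self.used["CC-Total-Octets"] += octets_in + octets_out
        hit = [s for s, t in self.thresholds.items() if self.used[s] >= t]
        if not hit:
            return None
        for s in hit:
            # Assumption: a reported trigger stays disarmed until a new grant arrives.
            del self.thresholds[s]
        return dict(self.used)           # the CCR-U reports all four statistics

def demo():
    """Constructed run: 500-octet grant, then a new absolute grant of 800."""
    m = ServiceUsageMonitor({"CC-Total-Octets": 500})
    first = m.account(seconds=30, octets_in=350, octets_out=150)   # total 500: report
    m.grant({"CC-Total-Octets": 800})                              # absolute, not 500 + 800
    quiet = m.account(octets_in=100)                               # total 600: no report
    second = m.account(octets_out=200)                             # total 800: report
    return first, quiet, second
```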
Subscriber Logout
When the client application sends a subscriber logout notice to AAA, Gx-Plus sends a CCR-T message to notify the PCRF that the provisioned subscriber session is being terminated. The PCRF returns a CCA-T message that includes the Result-Code AVP. If the Result-Code value is DIAMETER_SUCCESS, Gx-Plus notifies AAA, and AAA notifies the application that the logout is complete. If Gx-Plus does not receive a CCA-T message, or if the Result-Code AVP has any other value or is missing, then the termination request is retried until the CCA-T message is returned with DIAMETER_SUCCESS.