topic Hi David,Let me share with in Network Security

airplay not working with an ASA in the middle

ajc — Tue, 12 Mar 2019 03:58:46 GMT

Hi All

This is my case: In the lab I could configure mDNS on my 5508 with the global multicast and igmp snooping disabled. Only I needed was Global mDNS multicast enabled (based on Cisco Guide) and it worked fine under the following scenarios:

All the services connected wireless

IPAD on subnet A and Apple TV on subnet B, no Firewall in the middle. Peer to Peer Blocking in the WLC was any DROP or DISABLED and it worked fine.

BUT, when I moved into production environment, the only way that it works is by having both Apple Devices in the same subnet with the Peer to Peer bloking DISABLED. I have a firewall ASA in the middle so I do not know what should I check in the firewall to allow Airplay to work.

However, there is something really weird. in the IPAD, I can see the AIRPLAY icon at the bottom of the screen, when I click on it, I can see MIRRORING button and I moved it to the right to activated it BUT nothing happens on the AppleTV connected to an screen. I mean, looks like the request for MIRRORING from the IPAD to the Apple TV device is not reaching the last one. A few seconds after activating MIRRORING in the IPAD looks like the request is dropped since that the mirroring is not active.

Is there any particular multicast configuration required in the ASA including ports (like 5353 udp)?

I have an open case with TAC but any ideas are welcomed.

By the way, I am running v 7.6 in the WLC in order to implement mDNS (traffic between ssid's subnet managed by the WLC - Bonjour Gateway is not neccesary)

thanks

Abraham

Did you ever get to the

David Taylor — Tue, 15 Apr 2014 03:37:10 GMT

Did you ever get to the bottom of this problem? I'm having the same issue.

Hi David,Let me share with

ajc — Tue, 15 Apr 2014 16:21:37 GMT

Hi David,

Let me share with you my findings. Apple TV requires more than 5353 port opened. Please see the following link and include in your ASA those additional ports/range. I mean, 7000, 7100, 5000 (udp/tcp), etc etc.

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/apple-macbook-airplay-appletv-firewall-port-findings/td-p/55048

After opening those ports, the service is working BUT with significant LATENCY/SLOWNESS which we are trying to solve.

We took some packets captures on the ASA ingress/egress interfaces for both contexts (see pictures attached) and I could see many retransmissions and duplicated ACK so I tried something else that worked (see Apple TV Works attached file) BUT this is not the final solution we need so we are still working on this issue in order to check if there is something wrong with our routing/switching process in the 6500 LAN SW.

I created static routes in the ASA contexts to communicate the IPAD to the APPLE TV (ports already opened in the ASA as indicated before) without traversing the Wireless 6500 SW (test performed on VLAN A and VLAN B) and it worked fine. However as I said, this is not the solution we want because the Wireless 6500 SW must manage inter-ASA-contexts traffic.

In addition to that I attached another picture/diagram that shows when Apple TV service fails-latency (traffic crossing the Wireless 6500 SW for communication between ASA contexts).

Important to say that I am NOT using MULTICAST or BROADCAST ENABLED in the WLC. I am based on mDNS as indicated in the Cisco Guide/Instructions for version 7.5 and above.

Hope this helps.

Hi David,Apparently we solved

ajc — Wed, 16 Apr 2014 00:08:24 GMT

Hi David,

Apparently we solved the issue. IP REDIRECT is enabled by default in the VLAN that is shared by the ASA and the LAN SW as you can see in the pictures I attached to this post.

Because of this command, the LAN SW would be dropping the packets causing retransmission and dup ack on the IPAD/Apple TV which causes latency/slowness. The LAN SW based on this command sends continuous ICMP Redirect to the ASA telling to this device to no longer forward the traffic to the 6500, but in stead to its L2 adjacent ASA context.

This link provides information about this:

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/sec_chap4.html