ASA and multicast

mulhollandm
Level 1

folks

does this work?

i'm trying to pass traffic from the outside through to the inside interface

i can see the multicast hitting the outside interface on a packet capture and the rule allowing multicast is incrementing but it's not passing through the appliance

when i run a packet tracer i get the error below

(security-failed) Early security checks failed

has anyone got this working or know of a good troubleshooting guide

i've looked at the cisco 7.x guide on multicast from the outside but i can't see much difference between that config and mine

thanks to anyone taking the time to reply

Anu M Chacko
Cisco Employee

Hi,

So your multicast receivers are on the inside of the ASA and the sender on the outside, right? When the multicast traffic passes through the ASA, what are the syslogs generated? Are you using PIM-SM or bi-directional PIM? Where is the RP located?

The meaning of that message is given in the following link:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s2.html

The destination IP address of a multicast packet will be a multicast group IP and the destination MAC address is the MAC address of that group. What is the source IP and destination IP address of the multicast stream? What about the source and destination MAC?

Regards,

Anu.

Anu

i've just been told that the multicast provider is passing the traffic in dense mode and as far as i understand the appliance only supports sparse mode so i'm not sure what impact this has other than i don't need an RP

as for syslogs, the traffic is hitting the outside interface and is being dropped with the security failure

as you state

the sender is on the outside

i can see the multicast hitting my appliance's external interface but nothing traverses the firewall

the source IP is the streaming server

the destination IP is the multicast IP 239.192.x.x

the source mac is my PIM neighbour

the destination mac is IPv4mcast_40:3d:2d (01:00:5e:40:3d:2d)

thanks for your input
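
An added example, not part of the original thread: Python that applies the standard IPv4 multicast group-to-MAC mapping (the low 23 bits of the group placed under 01:00:5e) to check whether a destination MAC seen in a capture is consistent with an expected group range. The function names are hypothetical; the MAC and the 239.192.0.0/16 range are the ones quoted in the thread, and the other addresses are constructed.

```python
import ipaddress

# 01:00:5e plus a zero bit: the fixed top 25 bits of every IPv4 multicast MAC.
MCAST_MAC_BASE = 0x01005E000000

def _parse_mac(mac: str) -> int:
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(p.zfill(2) for p in parts), 16)

def group_to_mac(group: str) -> str:
    """Destination MAC that a frame for this group must carry."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    mac = MCAST_MAC_BASE | (int(ip) & 0x7FFFFF)  # only the low 23 bits survive
    return ":".join(f"{(mac >> s) & 0xFF:02x}" for s in range(40, -1, -8))

def mac_to_groups(mac: str) -> list[str]:
    """All 32 groups that share this MAC (5 address bits are dropped)."""
    value = _parse_mac(mac)
    if value >> 23 != MCAST_MAC_BASE >> 23:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC")
    low23 = value & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
            for hi in range(32)]

def mac_fits_range(mac: str, cidr: str) -> bool:
    """True if at least one group behind this MAC lies inside cidr."""
    net = ipaddress.ip_network(cidr)
    return any(ipaddress.IPv4Address(g) in net for g in mac_to_groups(mac))

if __name__ == "__main__":
    captured = "01:00:5e:40:3d:2d"  # destination MAC quoted in the thread
    print(mac_fits_range(captured, "239.192.0.0/16"))
    # Constructed groups: two different groups that collapse to one MAC.
    print(group_to_mac("239.192.1.1"), group_to_mac("239.64.1.1"))
```
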

Hi,

No problem. You're right, ASA does not support PIM-Dense mode; it supports PIM-Sparse mode and bi-directional PIM. ASA 7.x version supports stub mode as well.

Multicast traffic using PIM-dense mode cannot traverse the ASA, which is why you see no traffic on the inside.

Hope this helps!

Regards,

Anu.

P.S.: Please mark the question answered, if it has been resolved. Do rate helpful posts. Thanks.

Anu

thanks for your prompt reply

i suspect i now have two options

- GRE through the firewall

  i don't like this as it opens up a hole right through my firewall to my corporate network

- Stub multicasting routing

  use the asa as an igmp proxy to pass on join requests to the outside PIM multicast router

thanks again

Hi,

Glad I could help!

You've said it yourself - you can decide on whichever option suits you best. With GRE, a number of tunnels are needed to carry multicast traffic and Stub mode is supported only on PIX/ASA 7.x versions.

Thanks,

Anu.
