04-05-2011 12:20 PM - edited 03-11-2019 01:17 PM
folks
does this work?
i'm trying to pass traffic from the outside through to the inside interface
i can see the multicast hitting the outside interface on a packet capture and the rule allowing multicast is incrementing but it's not passing through the appliance
when i run a packet tracer i get the error below
(security-failed) Early security checks failed
has anyone got this working or know of a good troubleshooting guide
i've looked at the cisco 7.x guide on multicast from the outside but i can't see much difference between that config and mine
thanks to anyone taking the time to reply
04-08-2011 04:22 AM
Hi,
So your multicast receivers are on the inside of the ASA and the sender on the outside, right? When the multicast traffic passes through the ASA, what are the syslogs generated? Are you using PIM-SM or bi-directional PIM? Where is the RP located?
The meaning of that message is given in the following link:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s2.html
The destination IP address of a multicast packet will be a multicast group IP and the destination MAC address is the MAC address of that group. What is the source IP and destination IP address of the multicast stream? What about the source and destination MAC?
Regards,
Anu.
04-08-2011 04:44 AM
Anu
i've just been told that the multicast provider is passing the traffic in dense mode and as far as i understand the appliance only supports sparse mode so i'm not sure what impact this has other than i don't need an RP
as for syslogs, the traffic is hitting the outside interface and is being dropped with the security failure
as you state
the sender is on the outside
i can see the multicast hitting my appliance's external interface but nothing traverses the firewall
the source IP is the streaming server
the destination IP is the multicast IP 239.192.x.x
the source mac is my PIM neighbour
the destination mac is IPv4mcast_40:3d:2d (01:00:5e:40:3d:2d)
thanks for your input
04-08-2011 05:11 AM
Hi,
No problem. You're right, ASA does not support PIM-Dense mode, it supports PIM-Sparse mode and bi-directional PIM. ASA 7.x version supports stub mode as well.
Multicast traffic using PIM-dense mode cannot traverse the ASA, which is why you see no traffic on the inside.
Hope this helps!
Regards,
Anu.
P.S.: Please mark the question answered, if it has been resolved. Do rate helpful posts. Thanks.
04-08-2011 05:19 AM
Anu
thanks for your prompt reply
i suspect i now have two options
- GRE through the firewall
i don't like this as it opens up a hole right through my firewall to my corporate network
- Stub multicasting routing
use the asa as an igmp proxy to pass on join requests to the outside PIM multicast router
thanks again
04-08-2011 06:00 AM
Hi,
Glad I could help!
You've said it yourself: you can decide on whichever option suits you best. With GRE, a number of tunnels are needed to carry multicast traffic and Stub mode is supported only on PIX/ASA 7.x versions.
Thanks,
Anu.