
ASA Punt-rate-limit multicast traffic

xayxa30
Level 1

Our ASA [ver. 9.10(1)] does multicast routing and the source is directly connected on inside. Every once in a while a multicast stream (group) does not get forwarded to the RP (outside) and is dropped (show mfib), and stays dropped. Performing a clear pim topology for the group address helps it along. (Haven't tested with clear arp for the address.) The drop reason (from capture) is that the Punt rate limit was exceeded. I am assuming that the multicast streams hitting the inside interface are causing the excessive arp entries to exceed the 500 arp rate limit (per interface). I am guessing that some streams are forwarded normally (and do not "get stuck") because the SPT tree is built in a timely manner for the connection to flow.

Right now the rate limit is defaulted to 32768. Would adjusting this to below 500 for the inside interface fix the problem? Or is there something else for a better fix? I'm surprised that the device can't handle the stream amounts until a proper join to the RP has been achieved.

I also read that the punt rate limit was a bug as well, but our version is not in that category.

 

1 Reply

xayxa30
Level 1

I was unable to reproduce the asp drop-reason I cited. The new drop-reason is now Drop-reason: (no-mcast-intrf) FP no mcast output intrf, which is probably harder to understand. I went ahead and added igmp static-group [group address] on the interface facing the RP and that seems to have helped. The RP does have static joins configured for the groups, but it looks like the RP needs a little help from the ASA. "Configuring the firewall to join a multicast group causes upstream routers to maintain multicast routing table information for that group and keep the paths for that group active."

 

https://community.cisco.com/t5/security-documents/asa-pix-fwsm-multicast-tips-and-common-problems/ta-p/3128260

 
