does anyone have a working 9.x igmp stub multicast configuration?

James Leinweber
Enthusiast

In ASA 8.2 in single-context routed mode I had multicast stub forwarding working with

    igmp forward interface outside

on relevant inside interfaces with public-scoped IP addresses (no NAT), plus access rules on the outside interface such as

    access-list outside-in extended permit udp any 239.0.0.0 255.0.0.0

After upgrading to 9.0(2), this isn't working anymore.  If I place a host on the transit network upstream of a firewall multicast works there, so I'm confident that the upstream router (not managed by me) is doing PIM with the actual in-AS rendezvous point correctly.  I don't particularly want any PIM, just IGMP forwarding on the firewall to the upstream router.  I've tried both with PIM and without; by default the ASA pim priority tends to cause it to win the DR election with the upstream router, which is counter-productive, as it has to lose for any traffic to flow.

Packet captures on the outside interface with IGMP and without PIM such as:

    access-list mc extended permit igmp any4 any4
    access-list mc extended permit udp any4 239.0.0.0 255.0.0.0
    capture xx access-list mc interface outside

show that when an inside client tries to join a multicast AV stream the firewall sends igmp join message to the upstream router as expected, and UDP data starts flowing down as expected.  However, in spite of having permit rules on the outside interface to let the UDP streams in, I'm instead logging messages like:

    %ASA-7-710005: UDP request discarded from 128.104.128.182/3078 to outside:239.1.1.78/3078

and the inside clients which sent the igmp joins in the first place do not get any traffic.

Have I overlooked something?   Do I need an "igmp access-group ...." command on the interfaces to allow the joins?  Should there be an "access-group .... control-plane" rule to allow in the UDP traffic?   I've tried several variations, and so far nothing has worked for me.

Does anyone have a working multicast configuration for UDP data on ASA 9.0 or 9.1?   I'm trying to receive IP TV channels via a "vfurnace" client on windows 7.  As I said, this works upstream of the ASA firewalls, but not downstream.

The 9.1 documentation in the CLI firewall configuration guide, book 2 page 6-5 has the rather alarming statement that:

   "In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule ..."

which is a little worrying.  I realize that such traffic is inherently link-local in scope, but was hoping that enabling "multicast-routing" would result in some kind of forwarding behavior when it hit an interface which was a multicast group member.

-- Jim Leinweber, WI State Lab of Hygiene

15 Replies

Julio Carvajal
Advisor

Hello James,

Well, I have not played with that on that version, but I would like to see some outputs from both the ASA and the upstream router.

From the ASA:

    sh igmp groups detail
    sh igmp interface nameif
    cap asp type asp-drop all circular-buffer

Then send some multicast traffic:

    show cap asp | include 239.x.x.x (Multicast group IP address)
    show run interface
    show mfib

Then we will go further (it should be working by the way)

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The topology is

  (AS 59 with RP ) -- router @ 144.92.136.113 -- | ASA 5525-x firewall running 9.0(2) |

On the firewall we have

     144.92.136.116/29 = aa-out interface  --  wc-pubtest interface 144.92.248.25/29 -- client win7 laptop @ 144.92.248.26/29

The multicast group we're trying to join is 239.1.1.78.

show igmp groups detail before launching the client (excerpted to remove irrelevant interfaces):

    ...
    Interface:    wc-pubtest
    Group:        239.255.255.250
    Uptime:        00:15:09
    Router mode:    EXCLUDE (Expires: 00:02:54)
    Host mode:    INCLUDE
    Last reporter:    144.92.248.26
    Source list is empty
    ...

show igmp interface (excerpts):

    ...
    aa-out is up, line protocol is up
      Internet address is 144.92.136.116/29
      IGMP is disabled on interface
    ...
    wc-pubtest is up, line protocol is up
      Internet address is 144.92.248.25/29
      IGMP is enabled on interface
      Current IGMP version is 2
      IGMP query interval is 125 seconds
      IGMP querier timeout is 255 seconds
      IGMP max query response time is 10 seconds
      Last member query response interval is 1 seconds
      Inbound IGMP access group is:
      IGMP limit is 500, currently active joins: 0
      Cumulative IGMP activity: 1 joins, 1 leaves
      IGMP forwarding on interface aa-out
      IGMP querying router is 144.92.248.25 (this system)
    ...

After connecting to http://datn.wisc.edu and launching the vfurnace client from http://vfurnace.discovery.wisc.edu, and requesting a stream for CNN (239.1.1.78 inside AS59):

sho igmp groups detail:

    ...
    Interface:    wc-pubtest
    Group:        239.1.1.78
    Uptime:        00:00:44
    Router mode:    EXCLUDE (Expires: 00:04:12)
    Host mode:    INCLUDE
    Last reporter:    144.92.248.26
    Source list is empty

    Interface:    wc-pubtest
    Group:        239.40.31.100
    Uptime:        00:01:20
    Router mode:    EXCLUDE (Expires: 00:04:18)
    Host mode:    INCLUDE
    Last reporter:    144.92.248.26
    Source list is empty

    Interface:    wc-pubtest
    Group:        239.255.255.250
    Uptime:        00:17:54
    Router mode:    EXCLUDE (Expires: 00:02:13)
    Host mode:    INCLUDE
    Last reporter:    144.92.248.26
    Source list is empty

sho igmp interface:

    ...
    f-slh-aa# sho igmp interface wc-pubtest
    wc-pubtest is up, line protocol is up
      Internet address is 144.92.248.25/29
      IGMP is enabled on interface
      Current IGMP version is 2
      IGMP query interval is 125 seconds
      IGMP querier timeout is 255 seconds
      IGMP max query response time is 10 seconds
      Last member query response interval is 1 seconds
      Inbound IGMP access group is:
      IGMP limit is 500, currently active joins: 3
      Cumulative IGMP activity: 4 joins, 1 leaves
      IGMP forwarding on interface aa-out
      IGMP querying router is 144.92.248.25 (this system)

    f-slh-aa# sho igmp interface aa-out
    aa-out is up, line protocol is up
      Internet address is 144.92.136.116/29
      IGMP is disabled on interface

Doing:

    cap asp typ asp-drop all circular-buffer

running the client, and then:

    sho cap asp | include 239.1.1.78

produced no output.

sho run interface (excerpted):

    interface GigabitEthernet0/0
     description uplink - ag+wc to DoIT vlan 427 via MUFN
     nameif aa-out
     security-level 0
     ip address 144.92.136.116 255.255.255.248
     ipv6 address 2607:f388:0:2006::2/64
     ipv6 nd suppress-ra
     no pim
    interface GigabitEthernet0/3.434
     description wc-pubtest, public test clients, multicast, v6
     vlan 434
     nameif wc-pubtest
     security-level 2
     ip address 144.92.248.25 255.255.255.248
     ipv6 address 2607:f388:1084:2080::1/64
     ipv6 address fe80::2080:1 link-local
     no pim
     igmp forward interface aa-out

sho mfib:

    f-slh-aa# sho mfib
    Entry Flags: C - Directly Connected, S - Signal, IA - Inherit A flag,
                 AR - Activity Required, K - Keepalive
    Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kbits per second
    Other counts: Total/RPF failed/Other drops
    Interface Flags: A - Accept, F - Forward, NS - Negate Signalling
                 IC - Internal Copy, NP - Not platform switched
                 SP - Signal Present
    Interface Counts: FS Pkt Count/PS Pkt Count

    (*,224.0.1.1) Flags: S K
       Forwarding: 0/0/0/0, Other: 0/0/0
    (132.246.1.4,224.0.1.1) Flags: K
       Forwarding: 0/0/0/0, Other: 13/0/13
       aa-out Flags: A
    (132.246.2.33,224.0.1.1) Flags: K
       Forwarding: 0/0/0/0, Other: 30/0/30
       aa-out Flags: A NS
    (132.246.127.1,224.0.1.1) Flags: K
       Forwarding: 0/0/0/0, Other: 29/0/29
       aa-out Flags: A
    (134.207.12.226,224.0.1.1) Flags: K
       Forwarding: 0/0/0/0, Other: 10/0/10
       aa-out Flags: A
    (134.207.18.226,224.0.1.1) Flags: K
       Forwarding: 0/0/0/0, Other: 10/0/10
       aa-out Flags: A
    (134.207.250.3,224.0.1.1) Flags: K
       Forwarding: 0/0/0/0, Other: 10/0/10
       aa-out Flags: A
    (134.207.254.226,224.0.1.1) Flags: K
       Forwarding: 0/0/0/0, Other: 10/0/10
       aa-out Flags: A
    (136.165.237.66,224.0.1.1) Flags: K
       Forwarding: 0/0/0/0, Other: 7892/0/7892
       aa-out Flags: A
    (138.18.23.35,224.0.1.1) Flags: K
       Forwarding: 0/0/0/0, Other: 10/0/10
       aa-out Flags: A
    (*,224.0.1.24) Flags: S K
       Forwarding: 0/0/0/0, Other: 0/0/0
    (*,224.0.1.55) Flags: S K
       Forwarding: 0/0/0/0, Other: 0/0/0
    (*,228.5.6.7) Flags: S K
       Forwarding: 0/0/0/0, Other: 0/0/0
    (*,229.111.112.12) Flags: S K
       Forwarding: 0/0/0/0, Other: 0/0/0
    (*,232.0.0.0/8) Flags: K
       Forwarding: 0/0/0/0, Other: 0/0/0
    (*,239.1.1.78) Flags: S K
       Forwarding: 0/0/0/0, Other: 0/0/0
    (128.104.128.182,239.1.1.78) Flags: K
       Forwarding: 0/0/0/0, Other: 14324/0/14324
       aa-out Flags: A
    (*,239.40.31.100) Flags: S K
       Forwarding: 0/0/0/0, Other: 0/0/0
    (128.104.153.215,239.40.31.100) Flags: K
       Forwarding: 0/0/0/0, Other: 1683/0/1683
       aa-out Flags: A
    (*,239.77.124.213) Flags: S K
       Forwarding: 0/0/0/0, Other: 0/0/0
    (*,239.192.83.80) Flags: S K
       Forwarding: 0/0/0/0, Other: 0/0/0
    (*,239.255.255.250) Flags: S K
       Forwarding: 0/0/0/0, Other: 325808/325808/0
    (144.92.88.133,239.255.255.250) Flags: K
       Forwarding: 0/0/0/0, Other: 59024/0/59024
       aa-out Flags: A
    (*,239.255.255.254) Flags: S K
       Forwarding: 0/0/0/0, Other: 0/0/0

Meanwhile, on the syslog server, I'm logging:

1) no relevant blocks for the client IP 144.92.248.26

2) lots of above cited UDP discards while the multicast client is running and the IGMP join is active, but no other messages involving 239.1.1.78

Thanks for looking into this with me,

-- Jim Leinweber, WI State Lab of Hygiene
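As an added illustration (not code from this thread or from Cisco), a small parser for the show mfib output posted above that flags (S,G) entries which receive packets but forward none and have no interface carrying the F (Forward) flag; that is exactly the state the (128.104.128.182,239.1.1.78) entry is in, with every packet landing under Other drops. The sample text is constructed from a few entries of Jim's output.

```python
import re

# Constructed sample: four entries lifted from the "sho mfib" output posted above.
SAMPLE_MFIB = """\
(*,239.1.1.78) Flags: S K
   Forwarding: 0/0/0/0, Other: 0/0/0
(128.104.128.182,239.1.1.78) Flags: K
   Forwarding: 0/0/0/0, Other: 14324/0/14324
   aa-out Flags: A
(*,239.255.255.250) Flags: S K
   Forwarding: 0/0/0/0, Other: 325808/325808/0
(144.92.88.133,239.255.255.250) Flags: K
   Forwarding: 0/0/0/0, Other: 59024/0/59024
   aa-out Flags: A
"""

ENTRY_RE = re.compile(r"^\(([^,]+),([^)]+)\) Flags: (.*)$")
# Forwarding: pkts/pps/avg size/kbps, Other: total/RPF failed/other drops
COUNTS_RE = re.compile(r"^\s+Forwarding: (\d+)/\d+/\d+/\d+, Other: (\d+)/(\d+)/(\d+)")
IFACE_RE = re.compile(r"^\s+(\S+) Flags: (.*)$")

def parse_mfib(text):
    """Split 'show mfib' text into one dict per (S,G) / (*,G) entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"src": m.group(1), "group": m.group(2),
                            "flags": m.group(3).split(), "ifaces": {}})
            continue
        m = COUNTS_RE.match(line)
        if m and entries:
            keys = ("fwd_pkts", "other_total", "rpf_failed", "other_drops")
            entries[-1].update(zip(keys, map(int, m.groups())))
            continue
        m = IFACE_RE.match(line)
        if m and entries:
            entries[-1]["ifaces"][m.group(1)] = m.group(2).split()
    return entries

def stalled_flows(entries):
    """(S,G) entries that receive packets, forward none, and have no F (Forward) interface."""
    stalled = []
    for e in entries:
        if e["src"] == "*":          # (*,G) state entries carry no source traffic
            continue
        has_oif = any("F" in flags for flags in e["ifaces"].values())
        if e.get("other_total", 0) > 0 and e.get("fwd_pkts", 0) == 0 and not has_oif:
            stalled.append((e["src"], e["group"], e["other_drops"], e["rpf_failed"]))
    return stalled
```

Run against the full output it reports every source whose packets arrive on aa-out (flag A) but never reach an outgoing interface, and the RPF-failed counter separates RPF problems from the "other drops" seen here.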

Hello James,

Have you enabled multicast routing?

If yes, can you disable PIM on the interface, as that will be enabled by default?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, I have enabled multicast routing:

    f-slh-aa# sho run | i multicast-r
    multicast-routing

I have PIM off on all interfaces, and igmp forwarding on 3 of them:

    f-slh-aa# sho run | incl ^interface|pim|igmp
    interface GigabitEthernet0/0
     no pim
    interface GigabitEthernet0/1
     no pim
     igmp forward interface aa-out
    interface GigabitEthernet0/2
     no pim
     no igmp
    interface GigabitEthernet0/3
    interface GigabitEthernet0/3.428
     no pim
     igmp forward interface aa-out
    interface GigabitEthernet0/3.430
     no pim
     no igmp
    interface GigabitEthernet0/3.431
     no pim
     no igmp
    interface GigabitEthernet0/3.432
     no pim
     no igmp
    interface GigabitEthernet0/3.433
     no pim
     no igmp
    interface GigabitEthernet0/3.434
     no pim
     igmp forward interface aa-out
    interface GigabitEthernet0/3.435
     no pim
     no igmp
    interface GigabitEthernet0/3.436
     no pim
     no igmp
    interface GigabitEthernet0/3.543
     no pim
     no igmp
    interface GigabitEthernet0/3.544
     no pim
     no igmp
    interface GigabitEthernet0/3.545
     no pim
     no igmp
    interface GigabitEthernet0/4
    interface GigabitEthernet0/5
    interface GigabitEthernet0/6
    interface GigabitEthernet0/7
    interface Management0/0

Interfaces 4-7 are currently shutdown; Management0/0 has no ip and no nameif and is destined to be used to manage the software IPS module later on.

The IGMP forwarding is working, I think; when I ran captures on the outside interface (Gi0/0 nameif "aa-out") I could see the IGMP joins going up to the router, and the UDP multicast data stream coming back down.   What I can't yet figure out is how to get the UDP data to flow across the firewall to the client.

Let me know if I need to open a TAC on this.

-- Jim Leinweber, WI State Lab of Hygiene

Hello James,

All you need to do is to have the right ACL on the outside interface.

Interestingly enough, you capture nothing on the ASP capture.

Can you enable 3 captures:

    cap capout ( matching multicast traffic on the outside interface)
    cap capin ( matching multicast traffic on the inside interface )
    cap asp type asp-drop all circular-buffer

Generate the traffic and show the captures,

Let's see what happens,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC