Solved: Re: FirePower 2140 Multicast Dropping

kajumblies15 · ‎04-03-2023

Hello,

I am having issues troubleshooting why the Cisco FirePower 2140 is dropping almost all Multicast frames. The way we have this set up is we have a device that is generating the Multicast Traffic and we have a Firepower 2140 that is configured with 4 Zones and ACL's that allow all traffic between zones. I also have the very basic multicast setup where I just enabled multicast IGMP and PIM on all interfaces and have create a an ACL that allows traffic sourcing from any zone/interface to forward to a multicast group IP 239.0.1.2. In our case the Traffic generator send the traffic to the FirePower and the firepower forwards the traffic through its interfaces and back to the traffic generator. But for some reason we are dropping almost 99% of the multicast traffic. IPS on the firepower is set to alert only and group joining appears to work properly. Is there anything i am missing that would cause the FirePower to drop almost all frames regardless of size?

Thank You in advanced for you assistance!

balaji.bandi · ‎04-03-2023

check the config if you using FMC to manage FTD :

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/multicast_routing_for_firepower_threat_defense.html

check some troubleshooting :

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/217891-troubleshoot-firepower-threat-defense-ig.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

balaji.bandi · ‎04-03-2023

check the config if you using FMC to manage FTD :

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/multicast_routing_for_firepower_threat_defense.html

check some troubleshooting :

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/217891-troubleshoot-firepower-threat-defense-ig.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

kajumblies15 · ‎04-03-2023

We have the items described in the document above configured. Multicast Routing is enabled, the Join Group is created for the 4 interfaces that we use. I have an ACL that is permitting those interfaces/zones to talk to the 239.0.1.2 IP. Some of the frames make it through but majority are dropped or lost and i just need help to figure out why that would occur.

Thank You!

Marius Gunnerud · ‎04-03-2023

Try placing the access rules in pre-filter policy instead of the ACP policy. This might be dropped by security intelligence, or perhaps a bug.

--
Please remember to select a correct answer and rate helpful posts

kajumblies15 · ‎04-04-2023

I tried adding a pre-filter rule for the multicast traffic and applying that pre-filter rule to the Access Control Policy. This for what ever reason causes the Ports on the FirePower to shut down and while it allowed a bit more traffic its still loosing 99 percent of multicast traffic.

Any other ideas on what could be causing this?

Thank You!

kajumblies15 · ‎04-07-2023

I am thinking that perhaps the processing of the Multicast traffic is being done differently than standard TCP traffic. Perhaps on one of the dataplanes and that plane is unable to process that much traffic. Does anyone know where Multicast traffic is processed on the Firepower 2140. I am having a hard time finding information on that?

Thank You!