Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
693
Views
0
Helpful
2
Replies

PIM on ASA5505?

oldmike924
Level 1
Level 1

‎12-28-2011 01:55 PM - edited ‎03-11-2019 03:07 PM

Hi,

ASA 5505 8.2(5), ASDM 6.4(5).  I have a segmented network, VLANs separated by SVIs on 6506.  Every SVI is configured to use pim sparse mode.  The RP is an SVI on the 6506.  I attached the inside int of the ASA to a new SVI I created.  The outside int of the ASA has a workstation w/ client software for viewing multicast video and a decoder to hand off analog video.  The workstation connects to the server fine, the client has software configured to drag and drop multicast nodes.  It actually tells a video encoder/decoder this is what I want to see, join me to the multicast group. 

This works fine on the internal networks, but not off the outside int of the ASA.  I can telnet through the ASA to the decoder and see that yes, it has the correct two multicast addresses for the video it ought to be displaying but the decoder will have no video streams provided to it.  Initially, the ASA has multicast routing enabled, PIM enabled for both inside and outside int, igmp and multicast forwarding enabled for both int.  The ASA knows the RP address.

This config produces no video stream to the decoder.  In order to see any video I have to manually add (join-group) multicast entries AND multicast forwarding has to be enabled for the inside interface. 

Here is some output from the ASA:

Result of the command: "sh pim tunnel"

Interface          RP Address        Source Address

Tunnel0            x.x.1.1        x.x.0.2    These are correct, RP and the IP address of the inside interface.

Result of the command: "sh pim join-prune sta"

PIM Average Join/Prune Aggregation for last (1K/10K/50K) packets

Interface          Transmitted             Received

        Ethernet0/0   0 /    0 /    0         0 /    0 /    0

             inside   0 /    0 /    0         0 /    0 /    0

            outside   0 /    0 /    0         0 /    0 /    0

        Ethernet0/1   0 /    0 /    0         0 /    0 /    0

            Tunnel0   0 /    0 /    0         0 /    0 /    0

Result of the command: "sh pim nei"

Neighbor Address  Interface          Uptime    Expires DR pri Bidir

x.x.0.1        inside             00:27:45  00:01:33 1   This is the IP address of the SVI on 6506, inside interface connected.

The 6506 sees hellos from the ASA and periodically sends it's own.  The 6506 sees the IP address of the inside interface of the ASA as a PIM neighbor and it is the DR.  There is a similar connection here using a Juniper firewall which connects to another 6509 (separate network from mine) and PIM works through this to my RP.

Any help would be much appreciated as always.  At this point, all ACLs are pretty much any/any.

Labels:
0 Helpful
2 Replies 2

Julio Carvajal
VIP Alumni
VIP Alumni

‎12-28-2011 10:56 PM

Hello Mike,

Is there a way that you could post the entire configuration of the

ASA, and also can we have the ip address of the RP?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

oldmike924
Level 1
Level 1
In response to Julio Carvajal

‎12-29-2011 08:10 AM

I had posted my config, but it looks like the answer was creating an access list for the two 225.x.0.0/16 and 225.y.0.0/16 called PIMgroups per a configuration example in the book I didn't buy.  Then pointing the rp-address command to the PIMgroups.  It also took a reload of the ASA to get this working.  It seems to work sporadically however.  I'm not sure it's not related to this client software and other software on the network.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card