Hi all! I'm blocked with this one, maybe you can help me out:
I have two ASA in failover connected in a vlan towards two CIsco 6500-E, each of these switches have an SVI of that Vlan and also HSRP configured. The ASA has a static route pointing towards the HSRP to reach the Inside network, theres also a DMZ subnet connected to the Firewall. The RP is two hops ahead from the Inside interface and is a Cisco IOS 6500-E switch.
I want to enable multicast on that DMZ, so I enable PIM on the ASA and on the SVI of each 6500-E, the three of them see each other as neighbors. For testing I use the DMZ interface and join it in a multicast group, I now can see that the mroute built the corresponding entry in the table BUT the two 6500-E switches didn't built the entry, as if they didn't noticed it. I surfed the web and found a webpage from Cisco with this exact problem but with 3 routers, not an ASA, the solution they give is to turn on EIGRP on that Vlan and the problem solves, but I don't wan't to enable EIGRP on the ASA because the EIGRP table is huge.
So I've reached an impass...the solution is obvious, if I could somehow add the HSRP virtual router to the PIM neighbor table then everything would be solved, but there's no such command. I'm hearing solutions from anyone but also hope for some CCIE or Cisco Senior Engineer to throw me a mysterious hidden command on the ASA to do this.
Thanks for your time!
Per my understanding, including HSRP virtual address will not help. When PIM join is sent to upstream router it will include teh upstream neighbor address (section 4.9.5 of RFC4601). Any router on receiving it will drop it if the upstream neighbor address is not the local physical address.
I am not a FW expert. But you can check if there is any way to statically configure a mroute pointing towards the physical address of cat6k. Something like "ip mroute 0.0.0.0 0.0.0.0 <nexthop>". This will not impact unicast traffic. I ahve not tried it myself, but you can check if it helps.
Thanks Nagendra, I'm aware of the static change on the mroute, I've also tried that on the ASA but what it happens is the following logic:
- IGMP Join received on DMZ Interface.
- Look for the mroute where to forward the IGMP join towards the RP.
- Found static route towards one of the HSRP participants, not the virtual router.
- Check for RPF, I have a static route towards the virtual router, messages should be received from that IP and not the HSRP participants IP.
- Packet is dropped.
I've checked this logic with Syslog messages the ASA sent and also by reading the protocols and by knowing how the ASA works, adding a static route on the mroute doesn't solves it. There must be a way to add the virtual router to the PIM neighbor, that way RPF wouldn't fail because the Reverse Path is the virutal router.
What if I add a static route towards one of the HSRP participant on the routing table? Again it doesn't work, and that puzzles me why wouldn't work because there you resolve the RPF problem.