Multicast Video Stream across ASA Remote Access VPN Tunnel?

Unanswered Question
Sep 14th, 2008
User Badges:

Hello all.

I think the answer may be "not possible", but thought I'd run it by experts first.

We are planning on multicast video/audio streaming the speech our company president gives during an upcoming "End of Fiscal Year" party.

We will multicast it using our Tandberg VC system to our other 4 remote offices. We have a number of "Far Flung" employees who connect in to our location via VPN. Ideally we would like them to be able to view the stream as well over the VPN tunnel using the Cisco VPN Client and an ASA5520.

Is this possible? And if it is, what's the config?

I enabled Multicast routing on the ASA and I added the specific multicast address for the stream to the split-tunnel networks in the VPN config. I know there's probably more (the multicast group addresses that are sent the join commands?), but before I start exploring that, better to find out if this is possible than to bang my head against the wall when it's not working.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
FlorianCokl Sat, 01/21/2012 - 16:41
User Badges:

Hello Andrew,

and how do you configure the GRE-Tunnel on the VPN-Client?! This is not a Site2Site VPN, but a RA-VPN instead.

FlorianCokl Sun, 01/22/2012 - 11:05
User Badges:

Hello Andrew,

that's what I said - you can't build a GRE Tunnel if the other end is the Cisco VPN-Client - GRE only works with a Site2Site-VPN.

I am not shure how it will work (getting Multicast through RA-VPN), and if it will work at all. I was sifting through my Ciscopress-Library but couldn't find a hint regarding Multicasts through VPN.

FlorianCokl Sat, 01/21/2012 - 17:35
User Badges:

Hello Makowski,

as far as I know there's just the 224.0.0.X that is not allowed to pass any layer 3 boundary. The 224 are restricted to the segment exclusively. For instance, routing updates are sent via a multicast in that range, and you shure do not want these to hop over a L3 boundary, a router respectively.

From the Cisco Press Book CCNP BSCI Chapter 17 page 471 and following:

Multicast IP Addressing

in addition to the Class D multicast address space, some IP multicast address have been reserved for particular uses, such as the following:

  • Link-local addresses ( - used on a local segment (TTL=1) only. Routers do not forward these packets because of TTL. These are known as fixed-group addresses because they are well-known and predefined......

I believe you're running the stream on a (Administratively scoped addresses), right? I think it should work. I've never tried it on the other hand.

Multicast routing needs to be enabled (of course) globally - BUT - necessarily on a router the Router (config-if)#ip pim XXXXX command needs to be added on a interface by interface basis, too.

I haven't seen the configuration on the ASA yet. Have you tried to get any channel through a VPN already, with VLC-Player for example?

I'd like to know your experience, please.


This Discussion