Multicast Video Stream across ASA Remote Access VPN Tunnel?

JMakowski · ‎09-14-2008

Hello all.

I think the answer may be "not possible", but thought I'd run it by experts first.

We are planning on multicast video/audio streaming the speech our company president gives during an upcoming "End of Fiscal Year" party.

We will multicast it using our Tandberg VC system to our other 4 remote offices. We have a number of "Far Flung" employees who connect in to our location via VPN. Ideally we would like them to be able to view the stream as well over the VPN tunnel using the Cisco VPN Client and an ASA5520.

Is this possible? And if it is, what's the config?

I enabled Multicast routing on the ASA and I added the specific multicast address for the stream to the split-tunnel networks in the VPN config. I know there's probably more (the multicast group addresses that are sent the join commands?), but before I start exploring that, better to find out if this is possible than to bang my head against the wall when it's not working.

Thanks.

andrew.prince · ‎09-15-2008

James,

You cannot multicast into IPSEC - just not possible. For remote users - the best way would be to access the multicast video by an application.

For the remote offices - you need to encapsulate the multicaste into a unicast transpart - typically a GRE tunnel.

HTH>

FlorianCokl · ‎01-21-2012

Hello Andrew,

and how do you configure the GRE-Tunnel on the VPN-Client?! This is not a Site2Site VPN, but a RA-VPN instead.

andrew.prince · ‎01-22-2012

You cannot create a GRE tunnel to a client, in this instance I think the best way is to nat the multicast to a unicast for the remote client to connect to.

FlorianCokl · ‎01-22-2012

Hello Andrew,

that's what I said - you can't build a GRE Tunnel if the other end is the Cisco VPN-Client - GRE only works with a Site2Site-VPN.

I am not shure how it will work (getting Multicast through RA-VPN), and if it will work at all. I was sifting through my Ciscopress-Library but couldn't find a hint regarding Multicasts through VPN.

FlorianCokl · ‎01-21-2012

Hello Makowski,

as far as I know there's just the 224.0.0.X that is not allowed to pass any layer 3 boundary. The 224 are restricted to the segment exclusively. For instance, routing updates are sent via a multicast in that range, and you shure do not want these to hop over a L3 boundary, a router respectively.

From the Cisco Press Book CCNP BSCI Chapter 17 page 471 and following:

Multicast IP Addressing

in addition to the Class D multicast address space, some IP multicast address have been reserved for particular uses, such as the following:

Link-local addresses (224.0.0.0/24) - used on a local segment (TTL=1) only. Routers do not forward these packets because of TTL. These are known as fixed-group addresses because they are well-known and predefined......

I believe you're running the stream on a 239.0.0.0/8 (Administratively scoped addresses), right? I think it should work. I've never tried it on the other hand.

Multicast routing needs to be enabled (of course) globally - BUT - necessarily on a router the Router (config-if)#ip pim XXXXX command needs to be added on a interface by interface basis, too.

I haven't seen the configuration on the ASA yet. Have you tried to get any channel through a VPN already, with VLC-Player for example?

I'd like to know your experience, please.

FlorianCokl · ‎01-22-2012

Hello Makowski,

I know you run an ASA - but maybe this document

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd80393720_ps6659_Products_White_Paper.html

can provide you an opportunity?