asa 55xx multicast

Sep 26th, 2008

It was a simple Auto-RP scheme with 'ip pim sparse-mode' on the interconnected interfaces and all worked fine.

Now I put an ASA 5540 between the corporate net and the local net and turned multicast-routing on.

The switch with the multicast listeners wrote me:

Sep 25 16:15:16 NOVST: PIM(0):Building Graft message for 239.192.99.37, GigabitEthernet1/0/18: no entries


Here's the switch which has the multicast source:

c3750#sh ip igmp groups 239.192.99.37
IGMP Connected Group Membership
Group Address    Interface              Uptime    Expires   Last Reporter
239.192.99.37    GigabitEthernet1/0/4   02:38:43  00:02:04  172.16.8.95

c3750#sh ip pim neighbor
PIM Neighbor Table
Neighbor Address   Interface               Uptime/Expires      Ver   DR Prio/Mode
172.16.251.33      GigabitEthernet1/0/24   02:38:52/00:01:34   v2    1 /


Here's the output from the ASA:

ciscoasa# sh pim neighbor
Neighbor Address   Interface   Uptime     Expires    DR pri   Bidir
1.2.3.4            7206        03:59:44   00:01:26   1 (DR)
172.16.1.248       localnet    03:59:44   00:01:39   1 (DR)
172.16.251.34      corporate   03:59:44   00:01:39   1 (DR)


The switch which has the listeners:

c3750-fligel#sh ip pim neighbor
PIM Neighbor Table
Neighbor Address   Interface   Uptime/Expires    Ver   DR Prio/Mode
172.16.1.19        Vlan2       1d02h/00:01:40    v2    1 /

c3750-fligel#sh ip igmp groups 239.192.99.37
IGMP Connected Group Membership
Group Address    Interface   Uptime    Expires   Last Reporter
239.192.99.37    Vlan2       00:00:01  00:02:58  172.16.1.189

c3750-fligel#sh ip igmp groups 239.192.99.37
IGMP Connected Group Membership
Group Address    Interface   Uptime    Expires   Last Reporter

c3750-fligel#sh ip igmp groups 239.192.99.37
IGMP Connected Group Membership
Group Address    Interface   Uptime    Expires   Last Reporter

^^ Seems it's a client who is trying to join the group.



I'd read http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807631d2.shtml before configuring, and I have upgraded the 7.x software to 8.0(3).

If I spam `sh mroute` on the ASA I see:

ciscoasa# sh mroute | i 239.192.99
ciscoasa# sh mroute | i 239.192.99
(*, 239.192.99.37), 00:00:00/never, RP 0.0.0.0, flags: SPC
(*, 239.192.99.218), 00:00:00/never, RP 0.0.0.0, flags: SPC
ciscoasa# sh mroute | i 239.192.99
ciscoasa# sh mroute | i 239.192.99


Listeners on the switch with the multicast source can join this group (there are 15 subdivisions connected by other switches).

It seems like an ASA issue, but I can't understand what I need to do to make c3750-fligel get joined.

P.S. I have 'ip pim sparse-mode' on each interface connected to the ASA because I found that sparse-dense-mode isn't supported by the ASA.

P.P.S. I have the 'same-security-traffic permit inter-interface' and 'same-security-traffic permit intra-interface' options configured, and localnet and corporate have the same security-level.

Moorlo Fri, 09/26/2008 - 01:17

Andrew, thank you for the link I've posted before.

I'd already read this and did all that was recommended.

Have you read the below and made sure your config allows:


These statements hold true for multicast traffic through the firewall:

* If an access-list is applied to the interface where the multicast traffic is received, then the access control list (ACL) must explicitly permit the traffic. If no access-list is applied to the interface, the explicit ACL entry that permits the multicast traffic is not necessary.

* The multicast data packets are always subjected to the Reverse Path Forwarding check of the firewall, regardless of whether the reverse-path forward check command is configured on the interface. Therefore, if there is no route on the interface that the packet was received on to the source of the multicast packet, then the packet is dropped.

* If there is no route on the interface back to the source of the multicast packets, use the mroute command to instruct the firewall not to drop the packets.

HTH
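As an added illustration of the three rules quoted above, here is how they map onto ASA 8.0 commands. This is editor-supplied example configuration, not from the thread, the poster, or Cisco documentation. The interface names (corporate, localnet), the source host 172.16.8.95, the group 239.192.99.37 and the mroute line come from the thread; the physical interface numbers, the interface addresses, the ACL name MCAST_IN and the RP address are assumptions.

```cisco
! Added example configuration (not from the thread). Names and addresses
! marked "assumed" are placeholders chosen for illustration.
!
! Global multicast routing. PIM is enabled on every interface by default once
! this is set; "pim" under the interface makes that explicit.
multicast-routing
!
interface GigabitEthernet0/0                 ! assumed interface number
 nameif corporate
 security-level 100
 ip address 172.16.251.33 255.255.255.252    ! assumed address/mask
 pim
!
interface GigabitEthernet0/1                 ! assumed interface number
 nameif localnet
 security-level 100
 ip address 172.16.1.19 255.255.255.0        ! assumed address/mask
 pim
!
! Equal security levels: the thread uses these so no ACL is required between
! corporate and localnet.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! Rule 1: only needed when an ACL is applied inbound on the interface where
! the multicast arrives. The ACL must then explicitly permit the group
! traffic (UDP to the group) and the PIM control traffic. The ACL name is
! assumed.
access-list MCAST_IN extended permit udp any host 239.192.99.37
access-list MCAST_IN extended permit pim any any
access-group MCAST_IN in interface corporate
!
! Rules 2 and 3: the RPF check drops multicast unless the ASA has a route to
! the source out of the arrival interface. When unicast routing (OSPF in the
! thread) does not provide one, a static multicast route points the reverse
! path back toward the source without changing unicast forwarding. This is
! the line from the thread.
mroute 172.16.8.95 255.255.255.255 corporate
!
! Sparse mode needs a rendezvous point known to the ASA; the address below is
! an assumed placeholder for the RP used on the switches.
pim rp-address 172.16.251.34
!
! Verification commands (existing ASA show commands):
!   show route | include 172.16.8        unicast path to the source; the
!                                        interface must match the one the
!                                        multicast arrives on (RPF)
!   show mroute 239.192.99.37            (*,G)/(S,G) state and incoming interface
!   show pim neighbor                    PIM adjacency per interface
!   show igmp groups                     groups with directly connected receivers
```

The mroute entry only affects the RPF decision; if the ASA's unicast routing already resolves the source via the arrival interface, it changes nothing, so compare the interface in `show route` with the interface on which the (S,G) state is created before adding one.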

Moorlo Fri, 09/26/2008 - 01:46

Yes, I did read this article even before I started configuring.

* There are no access-lists on the corporate and localnet interfaces, because the same-security-traffic permit inter-interface option is enabled and these interfaces have the same security-level of 100.

* I have OSPF routing configured between the ASA and the connected switches. Packets other than multicast pass fine.

* Please tell me, how can I find out whether there is a route on the interface back to the source?

I had even put the command 'mroute 172.16.8.95 255.255.255.255 corporate' but nothing changed.
