multicast over site-to-site vpn

Unanswered Question
Nov 12th, 2008

I'm trying to enable multicast between two ASAs connected by a site-to-site VPN tunnel over the internet, like this:


mcast_receiver <---> ASA_remote <---> router <---> ASA_main_office


The multicast source is on the Internet that comes in from a different transit network on the router above.


All traffic is tunneled through the VPN tunnel between the ASAs; everything is working except multicast.


Currently I have PIM enabled on both ASAs, with a rendezvous point set. ACLs are wide open in both directions.


I get this error on the main office ASA:


710005 UDP request discarded from mcast_receiver_ip/port to outside:mcast_address/port


I also see this on the remote ASA:


106012 Deny IP from mcast_receiver_ip to mcast_address, IP options: "Router Alert"



Any help would be greatly appreciated.

Thanks.

Istvan_Rabai Sun, 11/16/2008 - 01:47

Hi Michael,


I don't have experience of creating site-to-site VPNs on ASAs, therefore I can only guess.


However, I have experience of it on Cisco routers.


Generally, traditional site-to-site VPNs do not support multicast.

You have to use GRE over IPSec or the new Virtual Tunnel Interfaces to send multicast over an encrypted tunnel when using Cisco routers.


Can this be a solution on ASAs?

I would give it a shot.


Cheers:

Istvan


ippolito Sun, 11/16/2008 - 06:53

Thanks for the reply -- I did some research on VTIs, and it appears that this is only on IOS-capable devices, not on ASAs. Thanks anyway.
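
The GRE over IPsec approach mentioned in the thread for Cisco IOS routers, as an added example that is not part of the original discussion and not for the ASAs themselves. All addresses, interface names, the key and the profile names are constructed placeholders; the peer router mirrors this configuration with source and destination swapped.

```cisco
! Added example for an IOS router, one side of the tunnel.
! Every address, name and key below is a placeholder (assumption).
ip multicast-routing
!
! IKE phase 1; choose algorithms your IOS image supports.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_PSK address 198.51.100.2
!
! Transport mode is enough because GRE already supplies the outer header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROTECT
 set transform-set GRE-TS
!
! GRE gives PIM a routable point-to-point interface, so multicast
! and PIM control traffic are encapsulated before being encrypted.
interface Tunnel0
 description GRE over IPsec to remote site
 ip address 10.255.255.1 255.255.255.252
 ip pim sparse-mode
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROTECT
!
interface GigabitEthernet0/1
 description LAN side (receivers or path toward the source)
 ip pim sparse-mode
!
! Same rendezvous point on both routers (placeholder address).
ip pim rp-address 10.0.0.1
!
! Unicast routing to the far side must use Tunnel0, otherwise the
! multicast RPF check fails and the stream is dropped.
ip route 10.2.0.0 255.255.255.0 Tunnel0
```

After the tunnel is up, `show ip pim neighbor` should list the peer on Tunnel0 and `show ip mroute` should show Tunnel0 as the incoming or outgoing interface for the group.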

