multicast over site-to-site vpn

ippolito
Level 1

I'm trying to enable multicast between two ASAs connected by a site-to-site VPN tunnel over the Internet, like this:

mcast_receiver <---> ASA_remote <---> router <---> ASA_main_office

The multicast source is on the Internet that comes in from a different transit network on the router above.

All traffic is tunneled through the VPN tunnel between the ASAs; everything is working except multicast.

Currently I have PIM enabled on both ASAs, with a rendezvous point set. ACLs are wide open in both directions.

I get this error on the main office ASA:

710005 UDP request discarded from mcast_receiver_ip/port to outside:mcast_address/port

I also see this on the remote ASA:

106012 Deny IP from mcast_receiver_ip to mcast_address, IP options: "Router Alert"

Any help would be greatly appreciated.

Thanks.

2 Replies

Istvan_Rabai
Level 7

Hi Michael,

I don't have experience of creating site-to-site VPNs on ASAs, therefore I can only guess.

However, I have experience of it on Cisco routers.

Generally, traditional site-to-site VPNs do not support multicast.

You have to use GRE over IPSec or the new Virtual Tunnel Interfaces to send multicast over an encrypted tunnel when using Cisco routers.

Can this be a solution on ASAs?

I would give it a shot.

Cheers:

Istvan

Thanks for the reply -- I did some research on VTIs, and it appears that this is only on IOS-capable devices, not on ASAs. Thanks anyway.
