ASA 5505 8.2(5), ASDM 6.4(5). I have a segmented network, VLANs separated by SVIs on 6506. Every SVI is configured to use pim sparse mode. The RP is an SVI on the 6506. I attached the inside int of the ASA to a new SVI I created. The outside int of the ASA has a workstation w/ client software for viewing multicast video and a decoder to hand off analog video. The workstation connects to the server fine, the client has software configured to drag and drop multicast nodes. It actually tells a video encoder/decoder this is what I want to see, join me to the multicast group.
This works fine on the internal networks, but not off the outside int of the ASA. I can telnet through the ASA to the decoder and see that yes, it has the correct two multicast addresses for the video it ought to be displaying but the decoder will have no video streams provided to it. Initially, the ASA has multicast routing enabled, PIM enabled for both inside and outside int, igmp and multicast forwarding enabled for both int. The ASA knows the RP address.
This config produces no video stream to the decoder. In order to see any video I have to manually add (join-group) multicast entries AND multicast forwarding has to be enabled for the inside interface.
Here is some output from the ASA:
Result of the command: "sh pim tunnel"
Interface   RP Address   Source Address
Tunnel0     x.x.1.1      x.x.0.2
These are correct, RP and the IP address of the inside interface.
Result of the command: "sh pim join-prune sta"
PIM Average Join/Prune Aggregation for last (1K/10K/50K) packets
Interface      Transmitted    Received
Ethernet0/0    0 / 0 / 0      0 / 0 / 0
inside         0 / 0 / 0      0 / 0 / 0
outside        0 / 0 / 0      0 / 0 / 0
Ethernet0/1    0 / 0 / 0      0 / 0 / 0
Tunnel0        0 / 0 / 0      0 / 0 / 0
Result of the command: "sh pim nei"
Neighbor Address   Interface   Uptime     Expires    DR pri   Bidir
x.x.0.1            inside      00:27:45   00:01:33   1
This is the IP address of the SVI on 6506, inside interface connected.
The 6506 sees hellos from the ASA and periodically sends its own. The 6506 sees the IP address of the inside interface of the ASA as a PIM neighbor and it is the DR. There is a similar connection here using a Juniper firewall which connects to another 6509 (separate network from mine) and PIM works through this to my RP.
Any help would be much appreciated as always. At this point, all ACLs are pretty much any/any.
I had posted my config, but it looks like the answer was creating an access list for the two 225.x.0.0/16 and 225.y.0.0/16 called PIMgroups per a configuration example in the book I didn't buy. Then pointing the rp-address command to the PIMgroups. It also took a reload of the ASA to get this working. It seems to work sporadically however. I'm not sure it's not related to this client software and other software on the network.