I have a problem regarding multicast over the following IPSec environment:
Configuration details: I have "ip pim sparse-dense mode" configured on each interface. IPsec is configured with an IPsec profile on all 3 tunnels, with digital certificate authentication. I don't have any rendezvous points configured. Tunnels 1, 2 and 3 are GRE.
The problem: when I activate both IPsec tunnels, 1 and 2, on router A, the multicast traffic arrives at R1 malformed at layer 4 of the ISO/OSI model (the length of the layer 4 PDU is extremely large, greater than the layer 3 PDU, and the destination port gets corrupted). If I issue the "mtrace" command from D to the source S of the multicast, the path is D -> C -> A -> S.
- If I shut down either of the two tunnels on router A, everything gets back to normal on R1. So whichever path the network chooses, either directly from A to C and D (if I shut down tunnel 2) or via B (A -> B -> C -> D, if I shut down tunnel 1), the multicast data arrives normally on R1.
- If I leave either of the two tunnels on A without an IPsec profile configured, the data arrives normally on R1.
- Also, if I issue "no ip pim sparse-dense mode" on either tunnel 1 or tunnel 2 on A, the multicast arrives normally on R1.
- If I change the bandwidth on either tunnel (1 or 2) on A from 512 to 256, so that the routing protocol eliminates most routes through router B, the multicast is again received normally on R1.
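As an added example (not part of the original post, and not Cisco or vendor code): a small Python check that parses an IPv4/UDP datagram and flags the kind of inconsistency described above, a UDP length field larger than the IP payload that carries it, next to the usual header-checksum checks, so a capture taken on R1 can be checked mechanically rather than by eye. The addresses, ports and payload are constructed sample data, and `corrupt_udp_header` is a hypothetical helper that only mimics the reported symptom; to check real traffic, pass the IP payload bytes of a frame exported from a packet capture to `check_ipv4_udp`.

```python
import socket
import struct

UDP_PROTO = 17


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: ones'-complement of the ones'-complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes, ttl: int = 64) -> bytes:
    """Assemble a well-formed IPv4/UDP datagram with correct checksums (builder for sample data)."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    udp_len = 8 + len(payload)
    pseudo = struct.pack("!4s4sBBH", src_b, dst_b, 0, UDP_PROTO, udp_len)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    udp_csum = _ones_complement_sum(pseudo + udp_hdr + payload) or 0xFFFF  # 0 means "no checksum" in UDP
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, udp_csum)
    total_len = 20 + udp_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, UDP_PROTO, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _ones_complement_sum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp_hdr + payload


def check_ipv4_udp(pkt: bytes) -> dict:
    """Parse an IPv4/UDP datagram and list every header inconsistency found."""
    problems = []
    if len(pkt) < 20:
        return {"problems": ["truncated: fewer than 20 bytes, no IPv4 header"]}
    ver_ihl, _, total_len, _, _, _, proto, _, src_b, dst_b = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": socket.inet_ntoa(src_b), "dst": socket.inet_ntoa(dst_b),
            "multicast": 224 <= dst_b[0] <= 239, "ip_total_len": total_len}
    if ver_ihl >> 4 != 4:
        problems.append("not IPv4")
    if ihl < 20 or ihl > len(pkt):
        problems.append("bad IHL")
        return {**info, "problems": problems}
    if _ones_complement_sum(pkt[:ihl]) != 0:  # a correct header sums to zero
        problems.append("IPv4 header checksum mismatch")
    if total_len > len(pkt):
        problems.append("IP total length %d exceeds captured %d bytes" % (total_len, len(pkt)))
    if proto != UDP_PROTO:
        problems.append("protocol %d is not UDP" % proto)
        return {**info, "problems": problems}
    l3_payload = total_len - ihl
    if l3_payload < 8:
        problems.append("L3 payload too short for a UDP header")
        return {**info, "problems": problems}
    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    info.update({"sport": sport, "dport": dport, "udp_len": udp_len})
    if udp_len < 8:
        problems.append("UDP length %d smaller than UDP header" % udp_len)
    elif udp_len > l3_payload:
        # The symptom from the thread: the L4 PDU claims to be larger than the L3 payload carrying it.
        problems.append("UDP length %d exceeds L3 payload %d" % (udp_len, l3_payload))
    elif udp_csum != 0 and ihl + udp_len <= len(pkt):
        pseudo = struct.pack("!4s4sBBH", src_b, dst_b, 0, UDP_PROTO, udp_len)
        if _ones_complement_sum(pseudo + pkt[ihl:ihl + udp_len]) != 0:
            problems.append("UDP checksum mismatch")
    return {**info, "problems": problems}


# Constructed sample: a multicast UDP datagram as a source S might send it (not captured traffic).
GOOD = build_ipv4_udp("10.0.0.1", "239.1.1.1", 5004, 5004, b"A" * 64)


def corrupt_udp_header(pkt: bytes) -> bytes:
    """Hypothetical corruption mimicking the reported symptom: oversized UDP length and a
    clobbered destination port, with the IP header and the original UDP checksum left intact."""
    ihl = (pkt[0] & 0x0F) * 4
    bad = struct.pack("!HHH", 5004, 0xBEEF, 0xFFF0) + pkt[ihl + 6:ihl + 8]
    return pkt[:ihl] + bad + pkt[ihl + 8:]


BAD = corrupt_udp_header(GOOD)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("corrupted", BAD)):
        print(name, check_ipv4_udp(pkt))
```

The UDP checksum is only verified when the length field is consistent; once the length exceeds the L3 payload there is no meaningful span to sum, so the script reports the length problem and stops there, which is also the order a receiving stack would reject the datagram in.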
Thanks for answering, and sorry for the delay; I wasn't around lately. The problem wasn't routing-related. I managed to solve it by changing the IOS version on router A (Cisco 2811). Now everything works as it should.