Multicast - dslreports.com

Author	All Replies
multicastblast @alter.net	Multicast Hello all, I'm having some multicast issues. I have PIM-SD mode setup, and I'm manually pointing all the devices to a specific RP. Here's my setup: source-[3750]-[asa]-[3560]-[2811]-{MPLS}-[2811]-[3560(RP)]-[asa]-[3750]-receiver Now, everyone is pointed to the RP and that looks good, and all their PIM neighbor relationships look good too. But the multicast stuff still isn't working and i'm not too sure why. Any ideas?
	to forum · permalink · 2009-07-08 14:11:33 ·
multicastblast @alter.net	let me add a couple mroutes on the right side of the MPLS (next to the rp) : sh ip mroute \| in 225. (, 225.0.0.1), 14w5d/stopped, RP 192.168.22.10, flags: SPF (172.16.32.52, 225.0.0.1), 00:07:08/00:02:02, flags: PR which is good, 172.16.32.52 is the source of the multicast. Here is what i get on my RP: (, 225.0.0.1), 00:03:58/stopped, RP 192.168.22.10, flags: SP (2811 IP, 225.0.0.1), 00:00:25/00:02:34, flags: PT (2811 IP, 225.0.0.1), 00:00:37/00:02:34, flags: PT
	to forum · permalink · 2009-07-08 15:20:02 ·
multicastblast @alter.net	reply to multicastblast I think I've isolated the problem to the ASA. PIM is enabled, and so is multicast routing, and they're pointed to the rp. But it doesn't look like the 225.0.0.1 traffic is passing through. I've also ensured that 225.0.0.1 traffic is allowed through the firewall.
	to forum · permalink · 2009-07-08 16:13:30 ·
multicastblast @alter.net	reply to multicastblast I joined my ASA to the igmp group 225.0.0.1 on both inside and outside interface. I captured all data destined for 225.0.0.1 on my outside interface and this is all that shows 3 packets captured 1: 18:22:26.279129 ASA_IP > 225.0.0.1: ip-proto-2, length 8 2: 18:24:20.036268 ASA_IP > 225.0.0.1: ip-proto-2, length 8 3: 18:24:23.786458 ASA_IP > 225.0.0.1: ip-proto-2, length 8 3 packets shown those are just because I joined the IGMP group on the outside interface, so obviously the multicast is not getting through, but again, i have no clue why. I don't have any bidi filters, or neighbor filters on. When I do a sh pim neighb everything looks right. It shows the neighbors both outside and in.
	to forum · permalink · 2009-07-08 17:26:30 ·
multicastblast @alter.net	reply to multicastblast #sh capture capin 18 packets captured 1: 09:28:39.808857 172.16.32.52.1853 > 225.0.0.1.6110: udp 136 2: 09:28:39.878860 172.16.32.52.1854 > 225.0.0.1.6100: udp 136 3: 09:28:40.178915 172.16.32.52.1852 > 225.0.0.1.6080: udp 100 4: 09:28:40.808918 172.16.32.52.1856 > 225.0.0.1.6120: udp 82 5: 09:28:40.808918 172.16.32.52.1855 > 225.0.0.1.6130: udp 82 6: 09:28:40.868927 172.16.32.52.1847 > 225.0.0.1.6070: udp 1112 7: 09:28:41.808994 172.16.32.52.1849 > 225.0.0.1.6030: udp 1164 #sh capture capout capture capout type raw-data access-list capture interface outside [Capturing - 0 bytes] #sh run \| grep multi multicast-routing asa1-suff-va(config)# sh run interface g0/0 ! interface GigabitEthernet0/0 nameif outside security-level 0 ip address 192.168.x.x 255.255.255.0 igmp join-group 225.0.0.1 asa1-suff-va(config)# sh run interface g0/1 ! interface GigabitEthernet0/1 nameif inside security-level 100 ip address 192.168.x.x 255.255.255.248 standby 192.168.x.x igmp join-group 225.0.0.1 asa1-suff-va(config)# sh run \| grep pim pim rp-address 192.168.x.x So I'm pretty much stumped. Multicast is running, everything looks like it should work, but as you can see none of the multicast packets are exiting the ASA's interface.
	to forum · permalink · 2009-07-09 09:45:43 ·
aryoba Premium,MVM join:2002-08-22	Please post configuration of ALL devices (routers, switches, and ASA).
	to forum · permalink · · 2009-07-09 10:50:52 ·
rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH clubs: Host: Linksys AT&T Midwest	reply to multicastblast I would be most interested to see the full ASA config as that is where the packets seem to disappear. I don't believe you should have to statically join groups on the ASA interfaces to make it work if it is properly participating in PIM. You have enabled multicast-routing but don't you have to enable PIM on each interface you want to participate in the multicast path?
	to forum · permalink · · 2009-07-09 23:10:18 ·
multicastblast @alter.net	rolande, you would think that you would have to setup PIM on the interfaces just like a switch or router, right? Well the ASA doesn't really have that option ex: asa1(config-if)# pim ? interface mode commands/options: bidir-neighbor-filter PIM bidir capable peering filter dr-priority PIM Hello DR priority hello-interval PIM neighbor Hello announcement interval join-prune-interval PIM periodic Join-Prune announcement interval neighbor-filter PIM peering filter <cr> configure mode commands/options: accept-register Register accept filter old-register-checksum Generate registers compatible with older IOS versions rp-address Configure Sparse-Mode Rendezvous Point spt-threshold Configure threshold for SPT switchover on last-hop here's most of the ASA config (omitted certain parts because it is lengthy) ASA Version 8.0(2) ! hostname asa1 domain-name mapcommunications.com enable password xxxxxxxxx encrypted multicast-routing no names dns-guard ! interface GigabitEthernet0/0 nameif Outside security-level 0 ip address 192.168.22.1 255.255.255.0 standby 192.168.22.2 ! interface GigabitEthernet0/1 nameif Inside security-level 100 ip address 192.168.21.1 255.255.255.248 standby 192.168.21.2 ! interface GigabitEthernet0/2 description LAN/STATE Failover Interface ! interface GigabitEthernet0/3 nameif DMZ security-level 50 ip address 192.168.26.1 255.255.255.0 ! interface Management0/0 nameif Management security-level 100 ip address 192.168.2.75 255.255.255.0 standby 192.168.2.76 ! pim rp-address 192.168.22.4 ! time-range AfterHours absolute start 15:00 13 May 2008 periodic daily 0:00 to 8:59 periodic daily 11:30 to 23:59 boot system disk0:/asa802-k8.bin ftp mode passive clock timezone EST -5 clock summer-time EDT recurring dns server-group DefaultDNS domain-name mapcommunications.com same-security-traffic permit inter-interface same-security-traffic permit intra-interface access-list outside_access_in extended permit ip any 192.168.26.0 255.255.255.0 access-list outside_access_in extended permit icmp any any access-list outside_access_in extended permit ip any host 225.0.0.1 access-list outside_access_in extended permit ip any host 225.0.0.2 access-list outside_access_in extended permit ip any host 224.0.0.39 access-list outside_access_in extended permit ip any host 224.0.0.40 access-list outside_access_in extended deny ip any any access-list DMZ_access_in extended permit ip any any access-list Inside_access_in extended permit ip any 192.168.26.0 255.255.255.0 access-list Inside_access_in extended permit ip any host 225.0.0.1 access-list Inside_access_in extended permit ip any any access-list DefaultRAGroup_splitTunnelAcl standard permit any access-list DMZ_nat_static extended permit ip host 192.168.26.145 any access-list DMZ_nat_static_1 extended permit ip host 192.168.26.143 any access-list syslog extended permit udp any host 172.16.16.254 eq syslog access-list tac extended permit ip any host 172.16.25.23 access-list tac extended permit ip host 172.16.25.23 any access-list tac1 extended permit igmp any any access-list capture extended permit ip any host 225.0.0.1 access-list capture extended permit ip any host 225.0.0.2 access-list split_tunnel extended permit ip 192.168.36.0 255.255.255.128 any pager lines 24 logging enable logging buffer-size 65536 logging asdm-buffer-size 512 logging monitor warnings logging buffered warnings logging trap errors logging asdm notifications logging host Inside 172.16.0.254 logging class rip trap debugging logging rate-limit 1 60 level 0 logging rate-limit 1 60 level 1 logging rate-limit 1 60 level 2 logging rate-limit 1 60 level 3 logging rate-limit 1 60 level 4 logging rate-limit 1 60 level 5 logging rate-limit 1 60 level 6 logging rate-limit 1 60 level 7 logging rate-limit 1 10800 message 410001 logging rate-limit 1 10800 message 313005 logging rate-limit 1 10800 message 106023 logging rate-limit 1 10800 message 106100 logging rate-limit 1 10800 message 733100 mtu Outside 1500 mtu Inside 1500 mtu DMZ 1500 mtu Management 1500 ip local pool RemoteAccess 192.168.36.2-192.168.36.127 mask 255.255.255.128 failover failover lan unit primary failover lan interface Failover GigabitEthernet0/2 failover link Failover GigabitEthernet0/2 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-602.bin asdm history enable arp timeout 14400 nat (Inside) 0 access-list any static (DMZ,Inside) x.x.x.x access-list DMZ_nat_static_2 static (DMZ,Inside) x.x.x.x access-list DMZ_nat_static static (DMZ,Inside) x.x.x.x access-list DMZ_nat_static_1 access-group outside_access_in in interface Outside access-group Inside_access_in in interface Inside access-group DMZ_access_in in interface DMZ access-group Management_access_in in interface Management ! router rip network 192.168.21.0 network 192.168.22.0 network 192.168.26.0 network 192.168.36.0 passive-interface DMZ passive-interface Management version 2 no auto-summary ! route Inside 10.100.200.0 255.255.255.0 192.168.21.3 1 timeout xlate 3:00:00 timeout conn 24:12:00 half-closed 24:12:00 udp 0:10:00 icmp 0:00:05 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute dynamic-access-policy-record DfltAccessPolicy aaa-server vpn protocol ldap aaa authentication telnet console LOCAL aaa authentication ssh console LOCAL http server enable http 10.100.200.0 255.255.255.0 DMZ http 172.16.16.0 255.255.240.0 Inside http 192.168.2.69 255.255.255.255 Management http 172.16.25.23 255.255.255.255 Inside http 172.16.25.3 255.255.255.255 Inside http 172.16.0.0 255.255.128.0 Outside http 10.100.200.0 255.255.255.0 Inside snmp-server host Inside 172.16.0.254 community nonpublic version 2c snmp-server host Inside 172.16.16.254 community nonpublic version 2c no snmp-server location no snmp-server contact crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_AES-256_SHA crypto map Outside_map 1 match address Outside_cryptomap_1 crypto map Outside_map 1 set peer 192.168.37.1 crypto map Outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map Outside_map 2 match address Outside_cryptomap_2 crypto map Outside_map 2 set peer 192.168.57.2 crypto map Outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto isakmp enable Outside crypto isakmp enable Inside crypto isakmp enable DMZ crypto isakmp policy 10 authentication pre-share encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 40 authentication pre-share encryption 3des hash md5 group 2 lifetime 43200 no crypto isakmp nat-traversal client-update enable telnet 172.16.25.4 255.255.255.255 Inside telnet timeout 60 ssh 172.16.25.23 255.255.255.255 Inside ssh 172.16.25.4 255.255.255.255 Inside ssh timeout 15 console timeout 0 management-access Management vpn load-balancing interface lbpublic DMZ interface lbprivate DMZ threat-detection basic-threat threat-detection statistics ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect ipsec-pass-thru Pass-Through description IPSEC Pass-Through inspection map parameters esp timeout 0:45:00 ah timeout 0:45:00 policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum 556 policy-map global_policy class inspection_default inspect dns migrated_dns_map_1 inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect ipsec-pass-thru Pass-Through inspect pptp ! service-policy global_policy global tftp-server Inside 172.16.17.58 / group-policy DefaultRAGroup attributes vpn-tunnel-protocol l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl group-policy DfltGrpPolicy attributes group-policy vpn_client internal group-policy vpn_client attributes dns-server value 172.16.17.55 172.16.17.56 vpn-tunnel-protocol IPSec split-tunnel-policy tunnelspecified split-tunnel-network-list value split_tunnel address-pools value RemoteAccess tunnel-group DefaultRAGroup general-attributes address-pool RemoteAccess default-group-policy DefaultRAGroup tunnel-group DefaultRAGroup ipsec-attributes pre-shared-key * tunnel-group 192.168.37.1 type ipsec-l2l tunnel-group 192.168.37.1 ipsec-attributes pre-shared-key * tunnel-group 192.168.57.2 type ipsec-l2l tunnel-group 192.168.57.2 ipsec-attributes pre-shared-key * tunnel-group vpn_client type remote-access tunnel-group vpn_client general-attributes default-group-policy vpn_client tunnel-group vpn_client ipsec-attributes pre-shared-key * prompt hostname context Cryptochecksum:5dd0ec8785525ef2360bba4f853e301f : end
	to forum · permalink · 2009-07-10 09:18:55 ·
aryoba Premium,MVM join:2002-08-22	Can you also post full configuration of other devices (routers and switches)? This is to make sure that everything is in place.
	to forum · permalink · · 2009-07-10 11:18:16 ·
multicastblast @alter.net	all of them? because I have around 16 devices that this is going over. 4 at each site, with duplicate devices for failover. I'm mainly concerned with this ASA right now because according to this cisco tutorial (scroll towards the bottom) you can capture multicast both outgoing and incoming. When I setup capturing on my asa I only see the incoming, and it's getting dropped before it gets sent out for some reason.
	to forum · permalink · 2009-07-10 11:30:17 ·
aryoba Premium,MVM join:2002-08-22	Without seeing the configuration of all related devices, it would be hard to say what is what
	to forum · permalink · · 2009-07-10 14:57:06 ·


Friday, 27-Nov 02:22:12	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF