Topic 'Multicast' in forum 'Cisco' - dslreports.com

Re: Multicast

Fri, 10 Jul 2009 14:57:06 EDT

aryoba posted : Without seeing the configuration of all related devices, it would be hard to say what is what :)

Re: Multicast

Fri, 10 Jul 2009 11:30:17 EDT

anon posted : all of them? because I have around 16 devices that this is going over. 4 at each site, with duplicate devices for failover.

I'm mainly concerned with this ASA right now because according to this cisco tutorial (scroll towards the bottom) you can capture multicast both outgoing and incoming. When I setup capturing on my asa I only see the incoming, and it's getting dropped before it gets sent out for some reason.

Re: Multicast

Fri, 10 Jul 2009 11:18:16 EDT

aryoba posted : Can you also post full configuration of other devices (routers and switches)? This is to make sure that everything is in place.

Re: Multicast

Fri, 10 Jul 2009 09:18:55 EDT

anon posted : rolande, you would think that you would have to setup PIM on the interfaces just like a switch or router, right? Well the ASA doesn't really have that option

ex:

asa1(config-if)# pim ? interface mode commands/options:  bidir-neighbor-filter  PIM bidir capable peering filter  dr-priority            PIM Hello DR priority  hello-interval         PIM neighbor Hello announcement interval  join-prune-interval    PIM periodic Join-Prune announcement interval  neighbor-filter        PIM peering filter   configure mode commands/options:  accept-register        Register accept filter  old-register-checksum  Generate registers compatible with older IOS versions  rp-address             Configure Sparse-Mode Rendezvous Point  spt-threshold          Configure threshold for SPT switchover on last-hop

here's most of the ASA config (omitted certain parts because it is lengthy)

ASA Version 8.0(2)!hostname asa1domain-name mapcommunications.comenable password xxxxxxxxx  encryptedmulticast-routingno namesdns-guard!interface GigabitEthernet0/0 nameif Outside security-level 0 ip address 192.168.22.1 255.255.255.0 standby 192.168.22.2!interface GigabitEthernet0/1 nameif Inside security-level 100 ip address 192.168.21.1 255.255.255.248 standby 192.168.21.2!interface GigabitEthernet0/2 description LAN/STATE Failover Interface!interface GigabitEthernet0/3 nameif DMZ security-level 50 ip address 192.168.26.1 255.255.255.0!interface Management0/0 nameif Management security-level 100 ip address 192.168.2.75 255.255.255.0 standby 192.168.2.76!pim rp-address 192.168.22.4!time-range AfterHours absolute start 15:00 13 May 2008 periodic daily 0:00 to 8:59 periodic daily 11:30 to 23:59boot system disk0:/asa802-k8.binftp mode passiveclock timezone EST -5clock summer-time EDT recurringdns server-group DefaultDNS domain-name mapcommunications.comsame-security-traffic permit inter-interfacesame-security-traffic permit intra-interfaceaccess-list outside_access_in extended permit ip any 192.168.26.0 255.255.255.0access-list outside_access_in extended permit icmp any anyaccess-list outside_access_in extended permit ip any host 225.0.0.1access-list outside_access_in extended permit ip any host 225.0.0.2access-list outside_access_in extended permit ip any host 224.0.0.39access-list outside_access_in extended permit ip any host 224.0.0.40access-list outside_access_in extended deny ip any anyaccess-list DMZ_access_in extended permit ip any anyaccess-list Inside_access_in extended permit ip any 192.168.26.0 255.255.255.0access-list Inside_access_in extended permit ip any host 225.0.0.1access-list Inside_access_in extended permit ip any anyaccess-list DefaultRAGroup_splitTunnelAcl standard permit anyaccess-list DMZ_nat_static extended permit ip host 192.168.26.145 anyaccess-list DMZ_nat_static_1 extended permit ip host 192.168.26.143 anyaccess-list syslog extended permit udp any host 172.16.16.254 eq syslogaccess-list tac extended permit ip any host 172.16.25.23access-list tac extended permit ip host 172.16.25.23 anyaccess-list tac1 extended permit igmp any anyaccess-list capture extended permit ip any host 225.0.0.1access-list capture extended permit ip any host 225.0.0.2access-list split_tunnel extended permit ip 192.168.36.0 255.255.255.128 anypager lines 24logging enablelogging buffer-size 65536logging asdm-buffer-size 512logging monitor warningslogging buffered warningslogging trap errorslogging asdm notificationslogging host Inside 172.16.0.254logging class rip trap debugginglogging rate-limit 1 60 level 0logging rate-limit 1 60 level 1logging rate-limit 1 60 level 2logging rate-limit 1 60 level 3logging rate-limit 1 60 level 4logging rate-limit 1 60 level 5logging rate-limit 1 60 level 6logging rate-limit 1 60 level 7logging rate-limit 1 10800 message 410001logging rate-limit 1 10800 message 313005logging rate-limit 1 10800 message 106023logging rate-limit 1 10800 message 106100logging rate-limit 1 10800 message 733100mtu Outside 1500mtu Inside 1500mtu DMZ 1500mtu Management 1500ip local pool RemoteAccess 192.168.36.2-192.168.36.127 mask 255.255.255.128failoverfailover lan unit primaryfailover lan interface Failover GigabitEthernet0/2failover link Failover GigabitEthernet0/2icmp unreachable rate-limit 1 burst-size 1asdm image disk0:/asdm-602.binasdm history enablearp timeout 14400nat (Inside) 0 access-list anystatic (DMZ,Inside) x.x.x.x  access-list DMZ_nat_static_2static (DMZ,Inside) x.x.x.x  access-list DMZ_nat_staticstatic (DMZ,Inside) x.x.x.x  access-list DMZ_nat_static_1access-group outside_access_in in interface Outsideaccess-group Inside_access_in in interface Insideaccess-group DMZ_access_in in interface DMZaccess-group Management_access_in in interface Management!router rip network 192.168.21.0 network 192.168.22.0 network 192.168.26.0 network 192.168.36.0 passive-interface DMZ passive-interface Management version 2 no auto-summary!route Inside 10.100.200.0 255.255.255.0 192.168.21.3 1timeout xlate 3:00:00timeout conn 24:12:00 half-closed 24:12:00 udp 0:10:00 icmp 0:00:05timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout uauth 0:05:00 absolutedynamic-access-policy-record DfltAccessPolicyaaa-server vpn protocol ldapaaa authentication telnet console LOCALaaa authentication ssh console LOCALhttp server enablehttp 10.100.200.0 255.255.255.0 DMZhttp 172.16.16.0 255.255.240.0 Insidehttp 192.168.2.69 255.255.255.255 Managementhttp 172.16.25.23 255.255.255.255 Insidehttp 172.16.25.3 255.255.255.255 Insidehttp 172.16.0.0 255.255.128.0 Outsidehttp 10.100.200.0 255.255.255.0 Insidesnmp-server host Inside 172.16.0.254 community nonpublic version 2csnmp-server host Inside 172.16.16.254 community nonpublic version 2cno snmp-server locationno snmp-server contactcrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmaccrypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmaccrypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmaccrypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmaccrypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmaccrypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmaccrypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmaccrypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmaccrypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfscrypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_AES-256_SHAcrypto map Outside_map 1 match address Outside_cryptomap_1crypto map Outside_map 1 set peer 192.168.37.1crypto map Outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto map Outside_map 2 match address Outside_cryptomap_2crypto map Outside_map 2 set peer 192.168.57.2crypto map Outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto isakmp enable Outsidecrypto isakmp enable Insidecrypto isakmp enable DMZcrypto isakmp policy 10 authentication pre-share encryption des hash sha group 2 lifetime 86400crypto isakmp policy 30 authentication pre-share encryption 3des hash sha group 2 lifetime 86400crypto isakmp policy 40 authentication pre-share encryption 3des hash md5 group 2 lifetime 43200no crypto isakmp nat-traversalclient-update enabletelnet 172.16.25.4 255.255.255.255 Insidetelnet timeout 60ssh 172.16.25.23 255.255.255.255 Insidessh 172.16.25.4 255.255.255.255 Insidessh timeout 15console timeout 0management-access Managementvpn load-balancing interface lbpublic DMZ interface lbprivate DMZthreat-detection basic-threatthreat-detection statistics!class-map inspection_default match default-inspection-traffic!!policy-map type inspect ipsec-pass-thru Pass-Through description IPSEC Pass-Through inspection map parameters  esp timeout 0:45:00  ah timeout 0:45:00policy-map type inspect dns migrated_dns_map_1 parameters  message-length maximum 556policy-map global_policy class inspection_default  inspect dns migrated_dns_map_1  inspect ftp  inspect h323 h225  inspect h323 ras  inspect netbios  inspect rsh  inspect rtsp  inspect skinny  inspect esmtp  inspect sqlnet  inspect sunrpc  inspect tftp  inspect sip  inspect xdmcp  inspect ipsec-pass-thru Pass-Through  inspect pptp!service-policy global_policy globaltftp-server Inside 172.16.17.58 /group-policy DefaultRAGroup attributes vpn-tunnel-protocol l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value DefaultRAGroup_splitTunnelAclgroup-policy DfltGrpPolicy attributesgroup-policy vpn_client internalgroup-policy vpn_client attributes dns-server value 172.16.17.55 172.16.17.56 vpn-tunnel-protocol IPSec split-tunnel-policy tunnelspecified split-tunnel-network-list value split_tunnel address-pools value RemoteAccesstunnel-group DefaultRAGroup general-attributes address-pool RemoteAccess default-group-policy DefaultRAGrouptunnel-group DefaultRAGroup ipsec-attributes pre-shared-key *tunnel-group 192.168.37.1 type ipsec-l2ltunnel-group 192.168.37.1 ipsec-attributes pre-shared-key *tunnel-group 192.168.57.2 type ipsec-l2ltunnel-group 192.168.57.2 ipsec-attributes pre-shared-key *tunnel-group vpn_client type remote-accesstunnel-group vpn_client general-attributes default-group-policy vpn_clienttunnel-group vpn_client ipsec-attributes pre-shared-key *prompt hostname contextCryptochecksum:5dd0ec8785525ef2360bba4f853e301f: end

Re: Multicast

Thu, 09 Jul 2009 23:10:18 EDT

rolande posted : I would be most interested to see the full ASA config as that is where the packets seem to disappear. I don't believe you should have to statically join groups on the ASA interfaces to make it work if it is properly participating in PIM. You have enabled multicast-routing but don't you have to enable PIM on each interface you want to participate in the multicast path?

Re: Multicast

Thu, 09 Jul 2009 10:50:52 EDT

aryoba posted : Please post configuration of ALL devices (routers, switches, and ASA).

Re: Multicast

Thu, 09 Jul 2009 09:45:43 EDT

anon posted : #sh capture capin
18 packets captured
1: 09:28:39.808857 172.16.32.52.1853 > 225.0.0.1.6110: udp 136
2: 09:28:39.878860 172.16.32.52.1854 > 225.0.0.1.6100: udp 136
3: 09:28:40.178915 172.16.32.52.1852 > 225.0.0.1.6080: udp 100
4: 09:28:40.808918 172.16.32.52.1856 > 225.0.0.1.6120: udp 82
5: 09:28:40.808918 172.16.32.52.1855 > 225.0.0.1.6130: udp 82
6: 09:28:40.868927 172.16.32.52.1847 > 225.0.0.1.6070: udp 1112
7: 09:28:41.808994 172.16.32.52.1849 > 225.0.0.1.6030: udp 1164

#sh capture capout
capture capout type raw-data access-list capture interface outside [Capturing - 0 bytes]

#sh run | grep multi
multicast-routing

asa1-suff-va(config)# sh run interface g0/0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.x.x 255.255.255.0
igmp join-group 225.0.0.1

asa1-suff-va(config)# sh run interface g0/1
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.x.x 255.255.255.248 standby 192.168.x.x
igmp join-group 225.0.0.1

asa1-suff-va(config)# sh run | grep pim
pim rp-address 192.168.x.x

So I'm pretty much stumped. Multicast is running, everything looks like it should work, but as you can see none of the multicast packets are exiting the ASA's interface.

Re: Multicast

Wed, 08 Jul 2009 17:26:30 EDT

anon posted : I joined my ASA to the igmp group 225.0.0.1 on both inside and outside interface. I captured all data destined for 225.0.0.1 on my outside interface and this is all that shows

3 packets captured
1: 18:22:26.279129 ASA_IP > 225.0.0.1: ip-proto-2, length 8
2: 18:24:20.036268 ASA_IP > 225.0.0.1: ip-proto-2, length 8
3: 18:24:23.786458 ASA_IP > 225.0.0.1: ip-proto-2, length 8
3 packets shown

those are just because I joined the IGMP group on the outside interface, so obviously the multicast is not getting through, but again, i have no clue why.

I don't have any bidi filters, or neighbor filters on. When I do a sh pim neighb everything looks right. It shows the neighbors both outside and in.

Re: Multicast

Wed, 08 Jul 2009 16:13:30 EDT

anon posted : I think I've isolated the problem to the ASA. PIM is enabled, and so is multicast routing, and they're pointed to the rp. But it doesn't look like the 225.0.0.1 traffic is passing through.

I've also ensured that 225.0.0.1 traffic is allowed through the firewall.

Re: Multicast

Wed, 08 Jul 2009 15:20:02 EDT

anon posted : let me add a couple mroutes

on the right side of the MPLS (next to the rp) :

sh ip mroute | in 225.
(*, 225.0.0.1), 14w5d/stopped, RP 192.168.22.10, flags: SPF
(172.16.32.52, 225.0.0.1), 00:07:08/00:02:02, flags: PR

which is good, 172.16.32.52 is the source of the multicast. Here is what i get on my RP:

(*, 225.0.0.1), 00:03:58/stopped, RP 192.168.22.10, flags: SP
(2811 IP, 225.0.0.1), 00:00:25/00:02:34, flags: PT
(2811 IP, 225.0.0.1), 00:00:37/00:02:34, flags: PT

Multicast

Wed, 08 Jul 2009 14:11:33 EDT

anon posted : Hello all,

I'm having some multicast issues. I have PIM-SD mode setup, and I'm manually pointing all the devices to a specific RP. Here's my setup:

source-[3750]-[asa]-[3560]-[2811]-{MPLS}-[2811]-[3560(RP)]-[asa]-[3750]-receiver

Now, everyone is pointed to the RP and that looks good, and all their PIM neighbor relationships look good too. But the multicast stuff still isn't working and i'm not too sure why. Any ideas?