

Multicast Forwarding issues

We have recently set up Multicast forwarding between our main office and a remote location via a site-to-site vpn.

The Multicast forwarding is working from the remote location back to the main office, however, the system we need to multicast in the opposite direction cannot do so.

In the firewall logs at the main office, we are seeing the following:

And the traffic is not traversing the VPN as it should to the remote location.

I have static routes set up for the multicast traffic on both sides properly.

We are not seeing these denied messages on the remote firewall.



  • Hi,

    Thank you for reaching out to the community. Can you share the packet capture for the multicast traffic when the traffic is initiated from both sites?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • From the Main firewall:

    From the remote firewall:

    The host on the remote end can see the host at the main site, but the host here at our main site cannot see the remote host.

    We are working with an IP based PA system trying to get the two nodes to see each other.

  • I guess a better question is: Is bi-directional multicast forwarding even possible with the XGS series of firewalls?  From looking at these packet captures more, communication seems to be happening, but not completely in both directions.

  • Hi,

    Can you verify if there are any conflicting parameters in the firewall rule for this VPN connection based on the incoming packet capture? Also check the sequence of the NAT rules present. Please attach the NAT rule page screenshot.

  • The VPN rules are standard, and still working normally as the VPN is up and running.  The instructions I followed to enable the multicast forwarding didn't say anything about adjusting VPN rules, nor did it mention NAT.

    The only NAT rule we have is the standard NAT for inside clients to access the web/outside addresses on both sides.

  • This is what I think, maybe I am wrong: multicast traffic is not symmetric, unlike unicast; multicast will have one source sending traffic to a group and multiple receivers getting the traffic. Try repeating the same config in the reverse direction also, like injecting traffic sent to the group address via the IPsec tunnel on XG2, and on XG1 with the source interface as the IPsec tunnel and the destination as the LAN port.

  • I did have multicast routes on both ends to accommodate for the multicast traffic in both directions, but that did not seem to help.

    For example, the two systems I need to have bidirectional communication between are 192.168.1.196 (Main site) and 192.168.38.99 (Remote site).

    The Multicast routes were as follows:

    Main:

    Source IP       Multicast IP   Source Interface   Destination Interface
    192.168.1.196   233.1.1.5      Port 1             IPSec Connection
    192.168.38.99   239.1.1.5      RemoteIPSec        Port 1

    Remote:

    Source IP       Multicast IP   Source Interface   Destination Interface
    192.168.1.196   239.1.1.5      MainIPSec          Port 1
    192.168.38.99   239.1.1.5      Port 1             IPSec Connection

  • So, I may have identified the problem...

    In the instructions I used to set up multicast forwarding via the site-to-site VPN, in the actual VPN setup, it had the multicast network in one direction only on each end: Remote for HQ, and Local for the remote site.

    When I went to add them in the reverse direction, I get a warning below the Local network settings saying to "Consider using tunnel interface" as shown below:

    This view is of the remote firewall.  Will this cause an issue with the Site-to-Site connection if I apply this?

  • And I would say that is the issue, and the configuration can't be saved this way.  I get the following when trying to apply it to the remote firewall:

    So bi-directional Multicast is not possible with Site-to-Site connections?