This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Multicast Forwarding issues

We have recently set up Multicast forwarding between our main office and a remote location via a site-to-site vpn.

The Multicast forwarding is working from the remote location back to the main office, however, the system we need to multicast in the opposite direction cannot do so.

In the firewall logs at the main office, we are seeing the following:

And the traffic is not traversing the VPN as it should to the remote location.

I have static routes set up for the multicast traffic on both sides properly.

We are not seeing this denied messages on the remote firewall.

This thread was automatically locked due to age.

Top Replies

Sreenivasulu Naidu 6 months ago in reply to Randy Cleveland +2 suggested

This is what I think, may be I am wrong: Multicast traffic is not symmetric unlike unicast; Multicast will have one source sending traffic to a group and multiple receives gets traffic; try repeating the…

0 Vivek Jagad 6 months ago

Hi Randy Cleveland ,

Thank you for reaching out to the community, can you share the Packet capture, for the multicast traffic when the traffic initiated from both the sites ?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Randy Cleveland 6 months ago in reply to Vivek Jagad

From the Main firewall:

From the remote firewall:

The host on the remote end can see the host at the main site, but the host here at our main site cannot see the remote host.

We are working with an IP based PA system trying to get the two nodes to see each other.
Cancel
Vote Up 0 Vote Down

Cancel
0 Randy Cleveland 6 months ago in reply to Vivek Jagad

I guess a better question is: Is bi-directional multicast forwarding even possible with the XGS series of firewalls? From looking at these packet captures more, communication seems to be happening, but not completely in both directions.
Cancel
Vote Up 0 Vote Down

Cancel
0 Srisakthi S 6 months ago in reply to Randy Cleveland

Hi Randy Cleveland

Can you verify if there is any conflicting parameters in the firewall rule for this VPN connection based on the incoming packet capture? Also check the sequence of the NAT rules present. Please attach the NAT rule page screenshot.
Cancel
Vote Up 0 Vote Down

Cancel
0 Randy Cleveland 6 months ago in reply to Srisakthi S

The VPN rules are standard, and still working normally as the VPN is up and running. The instructions I followed to enable the Multicast forwarding didn't say anything about adjusting vpn rules, nor did it mention NAT.

The only NAT rule we have is the standard Nat for inside clients to access the web/outside addresses on both sides.
Cancel
Vote Up 0 Vote Down

Cancel
0 Sreenivasulu Naidu 6 months ago in reply to Randy Cleveland

This is what I think, may be I am wrong: Multicast traffic is not symmetric unlike unicast; Multicast will have one source sending traffic to a group and multiple receives gets traffic; try repeating the same config in the reverse direction also - like injecting traffic sent on to group address via the IPSec tunnel on XG2 and on XG1 source interface as IPsec tunnel and destination as LAN port.
Cancel
Vote Up +2 Vote Down

Cancel
0 Randy Cleveland 6 months ago in reply to Sreenivasulu Naidu

I did have multicast routes on both ends to accommodate for the multicast traffic in both directions, but that did not seem to help.

For example, the two systems I need to have bidirectional communication between them are 192.168.1.196 (Main site) and 192.168.38.99 (Remote site)

The Multicast routes were as follows:

Main:

Source IP         Multicast IP    Source Interface Destination Interface

192.168.1.196   233.1.1.5        Port 1                   IPSec Connection

192.168.38.99 239.1.1.5        RemoteIPSec      Port 1

Remote

192.168.1.196 239.1.1.5      MainIPSec               Port 1

192.168.38.99 239.1.1.5       Port 1                      IPSec Connection
Cancel
Vote Up 0 Vote Down

Cancel
0 Randy Cleveland 6 months ago in reply to Sreenivasulu Naidu

So, I may have identified the problem...

In the instructions I used to set up Multicast Forwarding via the Site-to-Site VPN, in the actual VPN setup, it had the multicast network in one direction only on each end Remote for HQ, and Local for the remote site.

When I went to add them in the reverse direction, I get a warning below the Local network settings saying to "Consider using tunnel interface" as shown below:

This view is of the remote firewall. Will this cause an issue with the Site-to-Site connection if I apply this?
Cancel
Vote Up 0 Vote Down

Cancel
0 Randy Cleveland 6 months ago in reply to Randy Cleveland

And I would say that is the issue, and the configuration can't be saved this way. I get the following when trying to apply it to the remote firewall:

So bi-directional Multicast is not possible with Site-to-Site connections?
Cancel
Vote Up 0 Vote Down

Cancel