Multicast Forwarding issues

Hi Randy Cleveland ,

Thank you for reaching out to the community, can you share the Packet capture, for the multicast traffic when the traffic initiated from both the sites ?

I guess a better question is: Is bi-directional multicast forwarding even possible with the XGS series of firewalls?  From looking at these packet captures more, communication seems to be happening, but not completely in both directions.

Hi Randy Cleveland 

Can you verify if there is any conflicting parameters in the firewall rule for this VPN connection based on the incoming packet capture? Also check the sequence of the NAT rules present. Please attach the NAT rule page screenshot.

The VPN rules are standard, and still working normally as the VPN is up and running.  The instructions I followed to enable the Multicast forwarding didn't say anything about adjusting vpn rules, nor did it mention NAT.  

The only NAT rule we have is the standard Nat for inside clients to access the web/outside addresses on both sides.

The VPN rules are standard, and still working normally as the VPN is up and running.  The instructions I followed to enable the Multicast forwarding didn't say anything about adjusting vpn rules, nor did it mention NAT.  

The only NAT rule we have is the standard Nat for inside clients to access the web/outside addresses on both sides.

This is what I think, may be I am wrong: Multicast traffic is not symmetric unlike unicast; Multicast will have one source sending traffic to a group and multiple receives gets traffic; try repeating the same config in the reverse direction also - like injecting traffic sent on to group address via the IPSec tunnel on XG2 and on XG1 source interface as IPsec tunnel and destination as LAN port.

I did have multicast routes on both ends to accommodate for the multicast traffic in both directions, but that did not seem to help.

For example, the two systems I need to have bidirectional communication between them are 192.168.1.196 (Main site) and 192.168.38.99 (Remote site)

The Multicast routes were as follows:

Main:

Source  IP         Multicast IP    Source Interface  Destination Interface

192.168.1.196   233.1.1.5        Port 1                   IPSec Connection

192.168.38.99  239.1.1.5        RemoteIPSec      Port 1

Remote

192.168.1.196  239.1.1.5      MainIPSec               Port 1

192.168.38.99  239.1.1.5       Port 1                      IPSec Connection

So, I may have identified the problem...

In the instructions I used to set up Multicast Forwarding via the Site-to-Site VPN, in the actual VPN setup, it had the multicast network in one direction only on each end Remote for HQ, and Local for the remote site.

When I went to add them in the reverse direction, I get a warning below the Local network settings saying to "Consider using tunnel interface" as shown below:

This view is of the remote firewall.  Will this cause an issue with the Site-to-Site connection if I apply this?

And I would say that is the issue, and the configuration can't be saved this way.  I get the following when trying to apply it to the remote firewall:

So bi-directional Multicast is not possible with Site-to-Site connections?