Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Multicast Forwarding issues

We have recently set up Multicast forwarding between our main office and a remote location via a site-to-site vpn.

The Multicast forwarding is working from the remote location back to the main office, however, the system we need to multicast in the opposite direction cannot do so.

In the firewall logs at the main office, we are seeing the following:

And the traffic is not traversing the VPN as it should to the remote location.

I have static routes set up for the multicast traffic on both sides properly.

We are not seeing this denied messages on the remote firewall.

Added TAGs
[edited by: Raphael Alganes at 2:53 PM (GMT -7) on 23 Apr 2024]
Parents Reply Children
  • This is what I think, may be I am wrong: Multicast traffic is not symmetric unlike unicast; Multicast will have one source sending traffic to a group and multiple receives gets traffic; try repeating the same config in the reverse direction also - like injecting traffic sent on to group address via the IPSec tunnel on XG2 and on XG1 source interface as IPsec tunnel and destination as LAN port.

  • I did have multicast routes on both ends to accommodate for the multicast traffic in both directions, but that did not seem to help.

    For example, the two systems I need to have bidirectional communication between them are (Main site) and (Remote site)

    The Multicast routes were as follows:


    Source  IP         Multicast IP    Source Interface  Destination Interface        Port 1                   IPSec Connection        RemoteIPSec      Port 1

    Remote      MainIPSec               Port 1       Port 1                      IPSec Connection

  • So, I may have identified the problem...

    In the instructions I used to set up Multicast Forwarding via the Site-to-Site VPN, in the actual VPN setup, it had the multicast network in one direction only on each end Remote for HQ, and Local for the remote site.

    When I went to add them in the reverse direction, I get a warning below the Local network settings saying to "Consider using tunnel interface" as shown below:

    This view is of the remote firewall.  Will this cause an issue with the Site-to-Site connection if I apply this?

  • And I would say that is the issue, and the configuration can't be saved this way.  I get the following when trying to apply it to the remote firewall:

    So bi-directional Multicast is not possible with Site-to-Site connections?