Multicast Forwarding issues

We have recently set up Multicast forwarding between our main office and a remote location via a site-to-site vpn.

The Multicast forwarding is working from the remote location back to the main office, however, the system we need to multicast in the opposite direction cannot do so.

In the firewall logs at the main office, we are seeing the following:

And the traffic is not traversing the VPN as it should to the remote location.

I have static routes set up for the multicast traffic on both sides properly.

We are not seeing this denied messages on the remote firewall.

Added TAGs
[edited by: Raphael Alganes at 2:53 PM (GMT -7) on 23 Apr 2024]

Top Replies

Sreenivasulu Naidu 11 days ago in reply to Randy Cleveland +2 suggested

This is what I think, may be I am wrong: Multicast traffic is not symmetric unlike unicast; Multicast will have one source sending traffic to a group and multiple receives gets traffic; try repeating the…

Parents

0 Vivek Jagad 12 days ago

Hi Randy Cleveland ,

Thank you for reaching out to the community, can you share the Packet capture, for the multicast traffic when the traffic initiated from both the sites ?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Randy Cleveland 12 days ago in reply to Vivek Jagad

I guess a better question is: Is bi-directional multicast forwarding even possible with the XGS series of firewalls? From looking at these packet captures more, communication seems to be happening, but not completely in both directions.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Srisakthi S 11 days ago in reply to Randy Cleveland

Hi Randy Cleveland

Can you verify if there is any conflicting parameters in the firewall rule for this VPN connection based on the incoming packet capture? Also check the sequence of the NAT rules present. Please attach the NAT rule page screenshot.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Randy Cleveland 11 days ago in reply to Srisakthi S

The VPN rules are standard, and still working normally as the VPN is up and running. The instructions I followed to enable the Multicast forwarding didn't say anything about adjusting vpn rules, nor did it mention NAT.

The only NAT rule we have is the standard Nat for inside clients to access the web/outside addresses on both sides.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Sreenivasulu Naidu 11 days ago in reply to Randy Cleveland

This is what I think, may be I am wrong: Multicast traffic is not symmetric unlike unicast; Multicast will have one source sending traffic to a group and multiple receives gets traffic; try repeating the same config in the reverse direction also - like injecting traffic sent on to group address via the IPSec tunnel on XG2 and on XG1 source interface as IPsec tunnel and destination as LAN port.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 Randy Cleveland 11 days ago in reply to Sreenivasulu Naidu

I did have multicast routes on both ends to accommodate for the multicast traffic in both directions, but that did not seem to help.

For example, the two systems I need to have bidirectional communication between them are 192.168.1.196 (Main site) and 192.168.38.99 (Remote site)

The Multicast routes were as follows:

Main:

Source IP         Multicast IP    Source Interface Destination Interface

192.168.1.196   233.1.1.5        Port 1                   IPSec Connection

192.168.38.99 239.1.1.5        RemoteIPSec      Port 1

Remote

192.168.1.196 239.1.1.5      MainIPSec               Port 1

192.168.38.99 239.1.1.5       Port 1                      IPSec Connection
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Randy Cleveland 11 days ago in reply to Sreenivasulu Naidu

I did have multicast routes on both ends to accommodate for the multicast traffic in both directions, but that did not seem to help.

For example, the two systems I need to have bidirectional communication between them are 192.168.1.196 (Main site) and 192.168.38.99 (Remote site)

The Multicast routes were as follows:

Main:

Source IP         Multicast IP    Source Interface Destination Interface

192.168.1.196   233.1.1.5        Port 1                   IPSec Connection

192.168.38.99 239.1.1.5        RemoteIPSec      Port 1

Remote

192.168.1.196 239.1.1.5      MainIPSec               Port 1

192.168.38.99 239.1.1.5       Port 1                      IPSec Connection
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data