Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 9 replies
  • Answers 1 answer
  • Subscribers 40 subscribers
  • Views 3472 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Multicast Forwarding issues

Randy Cleveland

We have recently set up Multicast forwarding between our main office and a remote location via a site-to-site vpn.

The Multicast forwarding is working from the remote location back to the main office, however, the system we need to multicast in the opposite direction cannot do so.

In the firewall logs at the main office, we are seeing the following:

And the traffic is not traversing the VPN as it should to the remote location.

I have static routes set up for the multicast traffic on both sides properly.

We are not seeing this denied messages on the remote firewall.



This thread was automatically locked due to age.
Parents
  • 0

    Hi  ,

    Thank you for reaching out to the community, can you share the Packet capture, for the multicast traffic when the traffic initiated from both the sites ?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Vivek Jagad

    I guess a better question is: Is bi-directional multicast forwarding even possible with the XGS series of firewalls?  From looking at these packet captures more, communication seems to be happening, but not completely in both directions.

  • 0 in reply to Randy Cleveland

    Hi  

    Can you verify if there is any conflicting parameters in the firewall rule for this VPN connection based on the incoming packet capture? Also check the sequence of the NAT rules present. Please attach the NAT rule page screenshot.

  • 0 in reply to Srisakthi S

    The VPN rules are standard, and still working normally as the VPN is up and running.  The instructions I followed to enable the Multicast forwarding didn't say anything about adjusting vpn rules, nor did it mention NAT.  

    The only NAT rule we have is the standard Nat for inside clients to access the web/outside addresses on both sides.

  • 0 in reply to Randy Cleveland

    This is what I think, may be I am wrong: Multicast traffic is not symmetric unlike unicast; Multicast will have one source sending traffic to a group and multiple receives gets traffic; try repeating the same config in the reverse direction also - like injecting traffic sent on to group address via the IPSec tunnel on XG2 and on XG1 source interface as IPsec tunnel and destination as LAN port.

  • 0 in reply to Sreenivasulu Naidu

    I did have multicast routes on both ends to accommodate for the multicast traffic in both directions, but that did not seem to help.

    For example, the two systems I need to have bidirectional communication between them are 192.168.1.196 (Main site) and 192.168.38.99 (Remote site)

    The Multicast routes were as follows:

    Main:

    Source  IP         Multicast IP    Source Interface  Destination Interface

    192.168.1.196   233.1.1.5        Port 1                   IPSec Connection

    192.168.38.99  239.1.1.5        RemoteIPSec      Port 1

    Remote

    192.168.1.196  239.1.1.5      MainIPSec               Port 1

    192.168.38.99  239.1.1.5       Port 1                      IPSec Connection

  • 0 in reply to Sreenivasulu Naidu

    So, I may have identified the problem...

    In the instructions I used to set up Multicast Forwarding via the Site-to-Site VPN, in the actual VPN setup, it had the multicast network in one direction only on each end Remote for HQ, and Local for the remote site.

    When I went to add them in the reverse direction, I get a warning below the Local network settings saying to "Consider using tunnel interface" as shown below:

    This view is of the remote firewall.  Will this cause an issue with the Site-to-Site connection if I apply this?

Reply
  • 0 in reply to Sreenivasulu Naidu

    So, I may have identified the problem...

    In the instructions I used to set up Multicast Forwarding via the Site-to-Site VPN, in the actual VPN setup, it had the multicast network in one direction only on each end Remote for HQ, and Local for the remote site.

    When I went to add them in the reverse direction, I get a warning below the Local network settings saying to "Consider using tunnel interface" as shown below:

    This view is of the remote firewall.  Will this cause an issue with the Site-to-Site connection if I apply this?

Children
Unfiltered HTML