11-21-2019 02:16 AM
Hi Team,
I have a multicast setup. I am able to see that the PIM neighbourship is completed and igmp membership also fine.
I can see my traffic in multicast fib with the correct incoming and outgoing interfaces. but the multicast packet is not reaching receiver, I can see a lot of packet drop in counter with detail "packet dropped no route for ip multicast". Any idea what will be the reason for this.
Thanks in advance.
11-24-2019 01:32 AM
Have you created a security policy to actually allow the traffic with the multicast group address? I believe that only when that's done you'll actually stop that counter from incrementing.
01-08-2020 03:54 AM
Hi,
I am seeing this too. I have a pair of Linux boxes which generate multicast on 233.12.12.1 through 233.12.12.5. This is fed into the Palo Alto which hosts a RP with SPT threshold set to "never". A downstream Cisco ASA has Static Joins set up and exchanges PIM with the Palo Alto. This all seems fine - all five stream joins end up in the routing table.
admin@LHIRISMGTFWL01(active)> show routing multicast route
VIRTUAL ROUTER: mcast
flags: L - source is local
number of mfib entries shown: 13
group source flags incoming outgoing
----- ------ ----- -------- --------
233.12.12.1 0.0.0.0 PIM Register tunnel ae6.950
233.12.12.1 10.123.95.116 ae1.350 ae6.950
PIM Register tunnel
233.12.12.1 10.123.95.117 ae1.350 ae6.950
PIM Register tunnel
233.12.12.2 0.0.0.0 PIM Register tunnel ae6.950
233.12.12.2 10.123.95.116 ae1.350 ae6.950
PIM Register tunnel
233.12.12.2 10.123.95.117 ae1.350 ae6.950
PIM Register tunnel
233.12.12.3 0.0.0.0 PIM Register tunnel ae6.950
233.12.12.3 10.123.95.116 ae1.350 ae6.950
PIM Register tunnel
233.12.12.3 10.123.95.117 ae1.350 ae6.950
PIM Register tunnel
233.12.12.4 0.0.0.0 PIM Register tunnel ae6.950
233.12.12.4 10.123.95.116 ae1.350 ae6.950
PIM Register tunnel
233.12.12.4 10.123.95.117 ae1.350 ae6.950
PIM Register tunnel
233.12.12.5 0.0.0.0 PIM Register tunnel ae6.950
However the Palo Alto is dropping all traffic in the fifth stream (233.12.12.5) with this counter incrementing:
flow_fwd_l3_mcast_drop 32 3 drop flow forward Packets dropped: no route for IP multicast
The security policy allows source from the Linux servers (any zone) and destination "multicast" and the Address of 233.12.12.0/29 which covers the group (any/any/any otherwise).
I can not work out why just this specific stream is being dropped. I have seen it working before.
01-08-2020 03:58 AM
hi @whiskerp ,
Can you check the RP address for the 5th flow and check whether you have a route in the firewall into the RP pointing to a PIM neighbor.
01-08-2020 04:00 AM - edited 01-08-2020 04:03 AM
Hi, Sorry is there a specific command you'd like me to run? The RP is defined for groups 233.12.12.0/29 (and is hosted on this Palo Alto).
Both the source of the multicast and the Cisco ASA are locally connected (ie on Palo Alto interfaces)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
