This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Question About Multicast Not Receiving, IP Flood (URGENT ACTION REQUIRED)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Question About Multicast Not Receiving, IP Flood (URGENT ACTION REQUIRED)

Sethupathi
L3 Networker

‎06-17-2019 04:12 AM

Hi Team,

 

we have done multicast configuration and we are unable to receive multicast through firewall PA-3060. Also whenever we did add our LAN interface into multicast configuration “ other IP flood” critical threat gets started into that particular LAN as shown below. Kindly help me to resolved the same.

 

Scenario as below,

1st network diagram.png

  1. Requirement as per diagram: PA-3060 WAN interface should receive multicast traffic via ae1.3013 interface and should forward the same to LAN subnet i.e.ae2.3 interface

As per above scenario which interface should I add the RP typeae1.3013 or ae2.3 ..??

 

  1. We have done following configuration.

2nd.png3rd.png4th.png5th.png

 

  1. Whenever we did configure ae2.3 in multicast configuration other IP flood started in OFT-LAN subnet and dataplane CPU spike up.

6th.png7th.png8th.png

 

Should I increes the SYN alarm rate or disable the SYN in zone protection here? (IS THAT CORRECT?)

NOTE: we have PA-3060 modal with PAN-OS 8.0.16

 

Could you please provide your valuable suggestion here to fix an issue.

 

Regards,

Sethupathi M

0 Likes Likes
4 REPLIES 4

Sethupathi
L3 Networker

‎06-17-2019 06:52 AM

Hi Team,

 

Can anyone provide your valuable suggestion here please.

 

Regards,

Sethupathi M

0 Likes Likes

Sethupathi
L3 Networker
In response to Sethupathi

‎06-18-2019 04:11 AM

Hi Team,

 

Can anyone help us here, The DOS Protection  profile is configured form WAN Zone to LAN Zone, And Zone protection profile is configured for LAN Zone. Is that a cause its getting an Other IP Flood.

 

Regards,

Sethupathi M

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to Sethupathi

‎06-18-2019 07:35 AM

Hello,

Try disabling the Zone protection profile and see if that helps, since its on the internal zone (its usually on the external but internal is not wrong either).

 

If it helps then its the zone protection profile causing the issue and you just need to make adjustments there.

 

Regards,

0 Likes Likes

Sethupathi
L3 Networker
In response to OtakarKlier

‎06-20-2019 12:11 AM

Hi Otakar,

 

When we enabled our LAN interface to be part of multicasting  other IP flood threats get started and same is drops in zone protection in critical category and which also spike up my data plane CPU by 10 %

 

Also we removed zone protection from LAN zone and enabled multicast , then our firewall goes on toss i.e. it disturb my CPU as well as other protocol like BGP.

 

In customer environment they have configured Dos policy from WAN to LAN zone, and also Zone protection profile for LAN zone as well as WAN zone ..?? (Is this a recomended way for using both Dos and Zone protection profile ?)

 

Regards,

Sethupathi M

0 Likes Likes
  • 4083 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks