Question About Multicast Not Receiving, IP Flood (URGENT ACTION REQUIRED)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Question About Multicast Not Receiving, IP Flood (URGENT ACTION REQUIRED)

L3 Networker

Hi Team,

 

we have done multicast configuration and we are unable to receive multicast through firewall PA-3060. Also whenever we did add our LAN interface into multicast configuration “ other IP flood” critical threat gets started into that particular LAN as shown below. Kindly help me to resolved the same.

 

Scenario as below,

1st network diagram.png

  1. Requirement as per diagram: PA-3060 WAN interface should receive multicast traffic via ae1.3013 interface and should forward the same to LAN subnet i.e.ae2.3 interface

As per above scenario which interface should I add the RP typeae1.3013 or ae2.3 ..??

 

  1. We have done following configuration.

2nd.png3rd.png4th.png5th.png

 

  1. Whenever we did configure ae2.3 in multicast configuration other IP flood started in OFT-LAN subnet and dataplane CPU spike up.

6th.png7th.png8th.png

 

Should I increes the SYN alarm rate or disable the SYN in zone protection here? (IS THAT CORRECT?)

NOTE: we have PA-3060 modal with PAN-OS 8.0.16

 

Could you please provide your valuable suggestion here to fix an issue.

 

Regards,

Sethupathi M

4 REPLIES 4

L3 Networker

Hi Team,

 

Can anyone provide your valuable suggestion here please.

 

Regards,

Sethupathi M

Hi Team,

 

Can anyone help us here, The DOS Protection  profile is configured form WAN Zone to LAN Zone, And Zone protection profile is configured for LAN Zone. Is that a cause its getting an Other IP Flood.

 

Regards,

Sethupathi M

Hello,

Try disabling the Zone protection profile and see if that helps, since its on the internal zone (its usually on the external but internal is not wrong either).

 

If it helps then its the zone protection profile causing the issue and you just need to make adjustments there.

 

Regards,

Hi Otakar,

 

When we enabled our LAN interface to be part of multicasting  other IP flood threats get started and same is drops in zone protection in critical category and which also spike up my data plane CPU by 10 %

 

Also we removed zone protection from LAN zone and enabled multicast , then our firewall goes on toss i.e. it disturb my CPU as well as other protocol like BGP.

 

In customer environment they have configured Dos policy from WAN to LAN zone, and also Zone protection profile for LAN zone as well as WAN zone ..?? (Is this a recomended way for using both Dos and Zone protection profile ?)

 

Regards,

Sethupathi M

  • 4084 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!