Multicast on Checkpoint R76 Gaia + Palo Alto and Cisco

Just finished troubleshooting multicast issues (no traffic received at all) with a subscriber sitting on a DMZ behind a Checkpoint Gaia R76 and the source being a couple of hops away behind another firewall – a Palo Alto box. Both firewalls were sitting on top of L2 Cisco kit (Catalysts & Nexuses).

Long story short, here are a few things to take away from the exercise:

  • IPS on that stupid Checkpoint, even when globally disabled on the firewall, is blocking PIM traffic (hello packets), and thus PIM neighbour relationships do not form. Solution: enable IPS, find the rule blocking PIM, disable it, disable IPS. LOL!!!
  • When you enable IGMP on Gaia boxes which are part of an HA group (in this case it was VRRP; ClusterXL might be different), declare your multicast group as local and specify the VRRP VIP, not the IP of the box itself;
  • Enable PIM not only on the interface facing the PIM next hop but also on the interface facing the subscriber (alongside IGMP), otherwise it looks like the Cisco kit is not aware where to send IGMP Joins (which are destined to puts them into a sink hole;
  • Pay attention to the IGMP version that you enable on Checkpoint interfaces facing the client. Do a packet capture to double-check. In my case the subscriber was sending v.3 despite the rest of the setup being configured for ASM.
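
For the packet-capture check in the last point, here is an added example (not from the original post) that classifies raw IGMP messages by version once you have the bytes following the IP header. The sample messages and the group 239.1.1.1 are constructed for illustration; the type codes and the query length rule come from RFC 2236 and RFC 3376.

```python
import struct

REPORT_TYPES = {0x12: 1, 0x16: 2, 0x22: 3}  # report type -> IGMP version

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 over a message means it is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify_igmp(payload: bytes) -> str:
    """Classify a raw IGMP message (the bytes following the IP header)."""
    if len(payload) < 8:
        return "truncated"
    if inet_checksum(payload) != 0:
        return "bad checksum"
    msg_type, max_resp = payload[0], payload[1]
    if msg_type in REPORT_TYPES:
        return f"IGMPv{REPORT_TYPES[msg_type]} report"
    if msg_type == 0x17:
        return "IGMPv2 leave"
    if msg_type == 0x11:
        # Queries share one type; RFC 3376 section 7.1 tells versions apart by length.
        if len(payload) >= 12:
            return "IGMPv3 query"
        if len(payload) == 8:
            return "IGMPv1 query" if max_resp == 0 else "IGMPv2 query"
        return "malformed query"
    return f"unknown type 0x{msg_type:02x}"

def build(msg_type: int, max_resp: int, body: bytes) -> bytes:
    """Build a constructed sample message with a correct checksum."""
    raw = bytes([msg_type, max_resp, 0, 0]) + body
    return raw[:2] + struct.pack("!H", inet_checksum(raw)) + raw[4:]

GROUP = bytes([239, 1, 1, 1])  # constructed sample group address
# v2 report: just the group. v3 report: one group record, type 4
# (CHANGE_TO_EXCLUDE with no sources, i.e. an ASM-style join).
V2_REPORT = build(0x16, 0, GROUP)
V3_REPORT = build(0x22, 0, struct.pack("!HHBBH", 0, 1, 4, 0, 0) + GROUP)

if __name__ == "__main__":
    for name, msg in (("v2", V2_REPORT), ("v3", V3_REPORT)):
        print(name, classify_igmp(msg))
```

A v3 report showing up on an interface configured for v2 is the mismatch described in the last bullet.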

As a bonus, here are a couple of commands useful on a Palo Alto box for some light multicast troubleshooting:

show routing multicast pim neighbor – to see your neighbours

show routing multicast pim statistics – to see your hello packets (both received and sent)

show routing multicast pim state – to see PIM state for your groups

(sorry, omitting Checkpoint stuff as it’s too much writing and I do not really like them – notes above should be sufficient to make it work anyway)
