Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Multicast traffic between two spokes is not working when a single tunnel interface on the hub device for both spokes is used

0

0

Article ID: KB21094 KB Last Updated: 22 Aug 2011Version: 1.0
Summary:
This article describes the issue of multicast traffic between two spokes not working when a single tunnel interface on the hub device for both spokes is used.
Symptoms:
Network Diagram:

                                                                                                                                      Sender(10.0.0.100)
                                                                                                                                                       |
                                                                                                                                                       |
Spoke-1(10.0.1.2)—receiver 1----Firewall(tun.1-10.10.10.1)-------Vpn-----tunnel.1----Hub----tunnel.1------vpn-----(tun.2-10.10.10.2 l)Firewall-------receiver 2------(10.0.2.2)Spoke-2

Environment:

The customer has configured hub and spoke VPN. They are using one tunnel interface for both the spokes and trying to send the mcast traffic through the same tunnel.1 interface. Multicast receivers are behind both spokes and the mcast source is behind the Hub device. The customer is not able to send mcast traffic to both of them at the same time. If traffic is sent to any spoke, it works fine. For the second spoke the packet is getting dropped due to no-way tunnel-out error.
254503.0: bgroup0:10.0.0.100/54323->11.11.11.140/5004,17<Root>
packet dropped, no way(tunnel) out
Solution:
The packet is getting dropped due to the NHTB entry not being found for the mcast route. The way which is used to configure the NHTB entry for normal traffic, cannot be used to configure multicast routes. The NHTB entry was found for both gateways. See the below output:
HUB-> get int tun.1
Interface tunnel.1:
description tunnel.1
number 20, if_info 1768, if_index 1, mode route
link ready
vsys Root, zone VPN, vr trust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 10.10.10.254/24
*manage ip 10.10.10.254
route-deny disable
bound vpn:
to_spoke2_p2
to_spoke1_p2

Next-Hop Tunnel Binding table
Flag Status Next-Hop(IP) tunnel-id VPN
U 10.10.10.2 0x00000003 to_spoke2_p2--------Nhtb up
U 10.10.10.1 0x00000005 to_spoke1_p2

pmtu-v4 disabled
ping disabled, telnet disabled, SSH disabled, SNMP disabled
web disabled, ident-reset disabled, SSL disabled

This is not supported on ScreenOS. Ask the customer to use different tunnel interfaces for both VPNs. The firewall will not be able to copy the same multicast packet into two tunnels, causing the packet for the second VPN to be dropped. In this scenario, the first PIM neighbor who sends PIM join messages for the multicast group, will receive the traffic and for the other the packets will be dropped.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search