
[ScreenOS] Multicast traffic flow failure


Article ID: KB23057 KB Last Updated: 30 Apr 2012 Version: 1.0
Summary:
This article describes a multicast traffic flow failure that occurs when the route to the RP is learned through BGP over an IPSec VPN, even though the configuration is good.
Symptoms:
Network diagram:
192.168.2.2 (Sender) -----192.168.2.1(RP)(trust) (eth0/1)FW-2(eth0/0--1.1.1.2)—tun.1------tun.1--(1.1.1.1--eth0/0)FW-1(eth0/1)--192.168.1.1-----192.168.1.2(Receiver)

BGP is configured between the loopback interfaces on both firewalls.
BGP
   ------------------------------------------------
   |                                              |
FW-2(loopback.1---10.10.10.2) --- (10.10.10.1---loopback.1)FW-1

  • The route to the RP 192.168.2.1 is learnt by FW1 via BGP over the IPSec VPN.

  • The tunnel interfaces on both firewalls are unnumbered and bound to the eth0/0 Untrust interfaces. PIM is enabled on the tunnel interfaces.

  • The rest of the multicast configuration is normal.

  • In this case, the multicast traffic flow fails.
Cause:

Solution:
In the scenario above, the next hop for the RP on FW1, which is learnt through BGP, is the loopback.1 IP of FW-2, which is 10.10.10.2.
Routing Table
---------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP/RIPng P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF/OSPFv3 E1: OSPF external type 1
E2: OSPF/OSPFv3 external type 2 trailing B: backup route

Total 9/max entries

ID IP-Prefix Interface Gateway P Pref Mtr Vsys
---------------------------------------------------------
* 6 1.1.1.1/32 eth0/0 0.0.0.0 H 0 0 Root
* 22 10.10.10.2/32 tun.1 0.0.0.0 S 20 1 Root
* 10 10.10.10.1/32 loopback.1 0.0.0.0 C 0 0 Root
* 8 192.168.1.1/32 eth0/1 0.0.0.0 H 0 0 Root
* 23 192.168.2.0/24 tun.1 10.10.10.2 iB 250 0 Root
* 7 192.168.1.0/24 eth0/1 0.0.0.0 C 0 0 Root
* 5 1.1.1.0/24 eth0/0 0.0.0.0 C 0 0 Root


The PIM neighbor IP on FW1 is the tun.1 interface IP of FW-2, which is 1.1.1.2.
get vrouter protocol pim

PIM-SM enabled
Number of interfaces : 3
SPT threshold : 1 Bps
PIM-SM Pending Register Entries Count : 0
Multicast group accept policy list: 1

Virtual Router trust-vr - PIM RP policy
--------------------------------------------------

Group Address RP access-list

Virtual Router trust-vr - PIM source policy
--------------------------------------------------

Group Address Source access-list
Interface Address Neighbors DR Enabled Link
--------------------------------------------------
ethernet0/1 192.168.1.1 0 self Yes Up
loopback.1 10.10.10.1 0 self Yes Up
tunnel.1 0.0.0.0 1 1.1.1.2 Yes Up
Neighbor Interface Uptime Expire DR-priority GenId
---------------------------------------------------
1.1.1.2 tunnel.1 00:01:53 00:01:44 1 57959
Flags : I - Imported, A - Always(override BSR mapping)
C - Static Config, P - Static Proxy
Zone Group/mask RP-Address Prio Hold Expire Flags
-----------------------------------------------------------------------------
Trust 239.1.1.1/32 192.168.2.1 192 Static - AIC Untrust

Untrust 239.1.1.1/32 192.168.2.1 192 Static - AC
trust-vr - PIM-SM routing table
-----------------------------------------------------------------------------
Register - R, Connected members - C, Pruned - P, Pending SPT Alert - G
Forward - F, Null - N , Negative Cache - E, Local Receivers - L
SPT - T, Proxy-Register - X, Imported - I, SGRpt state - Y, SSM Range Group - S
Turnaround Router - K
-----------------------------------------------------------------------------
Total PIM-SM mroutes: 1

Group Source/RP Iif RPF Nbr Flags
-----------------------------------------------------------------------------
239.1.1.1 *(RP 192.168.2.1) local LF
Downstream Interfaces: eth0/1 FC


Because the next-hop IP for the RP and the PIM neighbor IP are different, the traffic fails. Both are expected to be the same.

To resolve this issue, bind the tunnel interfaces on both firewalls to the loopback.1 interface and enable PIM on the tunnel interfaces. In this configuration, the next-hop IP for the RP and the PIM neighbor IP are the same, which resolves the issue.
Routing Table
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP/RIPng P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF/OSPFv3 E1: OSPF external type 1
E2: OSPF/OSPFv3 external type 2 trailing B: backup route

Total 9/max entries

ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------------
* 6 1.1.1.1/32 eth0/0 0.0.0.0 H 0 0 Root
* 11 10.10.10.2/32 tun.1 0.0.0.0 S 20 1 Root
* 10 10.10.10.1/32 loopback.1 0.0.0.0 C 0 0 Root
* 8 192.168.1.1/32 eth0/1 0.0.0.0 H 0 0 Root
* 14 192.168.2.0/24 tun.1 10.10.10.2 iB 250 0 Root
* 7 192.168.1.0/24 eth0/1 0.0.0.0 C 0 0 Root
* 5 1.1.1.0/24 eth0/0 0.0.0.0 C 0 0 Root


get vrouter protocol pim

PIM-SM enabled
Number of interfaces : 2
SPT threshold : 1 Bps
PIM-SM Pending Register Entries Count : 0
Multicast group accept policy list: 1

Virtual Router trust-vr - PIM RP policy
--------------------------------------------------

Group Address RP access-list

Virtual Router trust-vr - PIM source policy
--------------------------------------------------

Group Address Source access-list
Interface Address Neighbors DR Enabled Link
-----------------------------------------------------------------------------
ethernet0/1 192.168.1.1 0 self Yes Up
tunnel.1 0.0.0.0 1 10.10.10.2 Yes Up
Neighbor Interface Uptime Expire DR-priority GenId
-----------------------------------------------------------------------------
10.10.10.2 tunnel.1 00:05:08 00:01:33 1 61391
Flags : I - Imported, A - Always(override BSR mapping)
C - Static Config, P - Static Proxy
Zone Group/mask RP-Address Prio Hold Expire Flags
-----------------------------------------------------------------------------
Trust 239.1.1.1/32 192.168.2.1 192 Static - AIC Untrust

Untrust 239.1.1.1/32 192.168.2.1 192 Static - AC
trust-vr - PIM-SM routing table
-----------------------------------------------------------------------------
Register - R, Connected members - C, Pruned - P, Pending SPT Alert - G
Forward - F, Null - N , Negative Cache - E, Local Receivers - L
SPT - T, Proxy-Register - X, Imported - I, SGRpt state - Y, SSM Range Group - S
Turnaround Router - K
-----------------------------------------------------------------------------
Total PIM-SM mroutes: 2

Group Source/RP Iif RPF Nbr Flags
-----------------------------------------------------------------------------
239.1.1.1 *(RP 192.168.2.1) tun.1 10.10.10.2 LF
Downstream Interfaces: eth0/1 FC

239.1.1.1 192.168.2.2 tun.1 10.10.10.2 TLF
Downstream Interfaces: eth0/1 FC
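
The comparison this article relies on (next hop toward the RP versus the PIM neighbor address) can be scripted against saved CLI output. The following is an added example, not Juniper code; the function names are hypothetical and the sample lines are copied from the outputs above.

```python
import ipaddress
import re

# Sample lines taken from the route table and PIM neighbor outputs above.
ROUTES = """\
* 22 10.10.10.2/32 tun.1 0.0.0.0 S 20 1 Root
* 23 192.168.2.0/24 tun.1 10.10.10.2 iB 250 0 Root
* 5 1.1.1.0/24 eth0/0 0.0.0.0 C 0 0 Root
"""
PIM_BEFORE = "1.1.1.2 tunnel.1 00:01:53 00:01:44 1 57959\n"    # tunnel bound to eth0/0
PIM_AFTER = "10.10.10.2 tunnel.1 00:05:08 00:01:33 1 61391\n"  # tunnel bound to loopback.1

# "* ID prefix interface gateway ..." rows of the routing table
ROUTE_RE = re.compile(r"^\*\s+\d+\s+(\S+/\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s")
# "neighbor interface uptime expire ..." rows of the PIM neighbor table
NBR_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+:\d+:\d+\s")


def rpf_next_hop(route_text, rp):
    """Longest-prefix match for the RP; returns (interface, gateway) or None."""
    rp_ip = ipaddress.ip_address(rp)
    best = None
    for line in route_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(m.group(1), strict=False)
        if rp_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, m.group(2), m.group(3))
    return None if best is None else (best[1], best[2])


def pim_neighbors(pim_text):
    """Set of neighbor IPs listed in the PIM neighbor table."""
    return {m.group(1) for line in pim_text.splitlines()
            if (m := NBR_RE.match(line.strip()))}


def rpf_check(route_text, pim_text, rp):
    """Classify the RP route: 'ok', 'mismatch', 'connected' or 'no-route'."""
    hop = rpf_next_hop(route_text, rp)
    if hop is None:
        return "no-route"
    _iface, gateway = hop  # the outputs name the interface tun.1 vs tunnel.1, so compare IPs only
    if gateway == "0.0.0.0":
        return "connected"
    return "ok" if gateway in pim_neighbors(pim_text) else "mismatch"
```

With the first pair of outputs the check reports a mismatch (next hop 10.10.10.2, neighbor 1.1.1.2); with the second pair it reports ok.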

