Issue
A user has a PA-5060 and is trying to multicast from a ghost server, through the firewall, to clients. Both routers are set up properly, running PIM sparse mode and an SSM group of 232.0.0.0/8, but the setup is not working.
A Cisco router is on each side of the PA-5060, as shown below:
                       (RP/FHR)                             (LHR)
[Mcast Source]---------[CiscoR1]---------[PA-5060]---------[CiscoR2]---------[Mcast Client]
* Multicast traffic is not forwarded from the Source to the client, although the (*,G) RPT appears up and running.
* No (S,G) entry is seen in the multicast entries, i.e. there is no SPT, even though the RP/BSR and the RPT (*,G) appear correct.
Resolution
The source traffic is forwarded from CiscoR1 to the PA-5060 correctly. However, the PA-5060 does not create an (S,G) entry because the multicast traffic does not match the correct security policy.
The security policy needs to be configured with the IP of the Mcast Source as the source address and the multicast address as the destination address, that is, 225.70.25.9, assuming this is the Mcast group in question.
The setup is failing because the destination zone in the policy was set to the zone connecting to [CiscoR2].
Specifying the specific zone of the OIF (outgoing interface) does not work with multicast traffic because the destination IP is not going to be found in the route lookup. Hence, the traffic won't match the security policy in question.
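The rule described above, shown as the failing form beside a working form. This is an added example, not configuration from the original article: the rule name, the zone names (zone-R1, zone-R2) and the source address 192.0.2.10 are constructed placeholders, and the working form uses the predefined PAN-OS "multicast" destination zone, which the article does not name.

```text
# Added illustration, not from the original article. Constructed values:
#   zone-R1 / zone-R2 = zones facing CiscoR1 / CiscoR2
#   192.0.2.10        = Mcast Source, 225.70.25.9 = Mcast group from the article

# Configuration mode.
# Does not match: destination zone pinned to the OIF zone toward CiscoR2.
# The group address is not found in the route lookup, so no zone resolves.
set rulebase security rules mcast-allow from zone-R1 to zone-R2 source 192.0.2.10 destination 225.70.25.9 application any service any action allow

# Matches: destination zone is the predefined "multicast" zone, while the
# rule stays scoped to the one source and the one group address.
set rulebase security rules mcast-allow from zone-R1 to multicast source 192.0.2.10 destination 225.70.25.9 application any service any action allow

# Operational mode, after commit: confirm the (S,G) entry is now created.
show routing multicast route
show routing multicast fib
```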
owner: jbaucom