Multicast traffic getting dropped when firewall's PIM neighbor is VRRP/HSRP router due to RPF checks
Symptom
Multicast traffic is getting dropped on firewall when firewall's PIM neighbor is VRRP/HSRP router due to RPF checks.
Environment
All firewall deployments for multicast traffic
Cause
For multicast to work, the RPF neighbor must also be a PIM neighbor. This relationship is established during Rendezvous Point Tree (RPT) formation or Shortest-Path Tree (SPT) formation. RPF checks are performed against the multicast route table, which in turn is populated from the unicast IPv4 routing table.
Read more about Reverse Path Forwarding
When the PIM neighbor is a pair of VRRP/HSRP routers, the IPv4 routing table will commonly hold a route whose next hop is the VRRP/HSRP Virtual IP address (VIP).
However, when forming PIM neighborship, those VRRP/HSRP routers use their local interface IPs, not the virtual IP.
For example look at the below topology:
In the above topology, the firewall is configured with a route for the 20.1.1.0/24 subnet whose next hop is the HSRP IP 10.1.1.4, whereas PIM neighborship is formed with 10.1.1.2 and 10.1.1.3.
Because of this, when the firewall verifies the RPF check against its PIM neighbors, the check fails: the PIM neighbors are the VRRP/HSRP routers' local IP addresses, while the route points to the Virtual IP.
Resolution
To resolve this, from PAN-OS 8.0 onward it is possible to configure a separate routing entry in the Multicast Routing Table that points to the routers' individual IP addresses instead of the VIP.
Steps:
- Go to Network -> Virtual Router -> <Virtual Router Name> -> Static Routes
- Configure a route for the required destination with the next hop set to each of the VRRP/HSRP neighbors' local IP addresses (one entry per neighbor) and the Route Table set to "Multicast"
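The following script is an added illustration, not part of the original article and not PAN-OS code: it models the RPF decision described in the Cause section and shows why the multicast-table static routes from the Resolution steps make it pass. The route tables, the PIM neighbor set and the source address are constructed sample values based on the article's topology (20.1.1.0/24 behind the HSRP VIP 10.1.1.4, PIM neighbors 10.1.1.2 and 10.1.1.3). The lookup order (multicast table first, unicast table as fallback) and the rule that the RPF next hop must be a PIM neighbor are modelling assumptions taken from the article's description, not a reproduction of the firewall's actual implementation.

```python
import ipaddress

# Constructed sample data modelled on the article's topology (not from a real device).
PIM_NEIGHBORS = {"10.1.1.2", "10.1.1.3"}          # local IPs of the HSRP pair

UNICAST_ROUTES = {
    # destination -> list of next hops; the source subnet points at the HSRP VIP
    "20.1.1.0/24": ["10.1.1.4"],
}

MULTICAST_ROUTES_FIXED = {
    # the Resolution: static routes in the Multicast route table, one per neighbor,
    # using the routers' local interface IPs instead of the VIP
    "20.1.1.0/24": ["10.1.1.2", "10.1.1.3"],
}


def lookup(source, table):
    """Longest-prefix match of `source` in `table`; returns the next-hop list or []."""
    src = ipaddress.ip_address(source)
    best_net, best_nhops = None, []
    for prefix, nhops in table.items():
        net = ipaddress.ip_network(prefix)
        if src in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nhops = net, nhops
    return best_nhops


def rpf_check(source, pim_neighbors, unicast, multicast=None):
    """Model of the firewall's RPF check for a multicast packet from `source`.

    Assumption: the multicast route table is consulted first and the unicast
    table is used only when it has no matching entry. The check passes when at
    least one next hop of the chosen route is a PIM neighbor.
    Returns (passed, next_hop_used, table_used).
    """
    nhops, table = [], "unicast"
    if multicast:
        nhops = lookup(source, multicast)
        if nhops:
            table = "multicast"
    if not nhops:
        nhops = lookup(source, unicast)
    for nh in nhops:
        if nh in pim_neighbors:
            return True, nh, table
    return False, (nhops[0] if nhops else None), table


def explain(source, pim_neighbors, unicast, multicast=None):
    """Human-readable one-liner for the result of rpf_check()."""
    ok, nh, table = rpf_check(source, pim_neighbors, unicast, multicast)
    verdict = "PASS" if ok else "FAIL (next hop is not a PIM neighbor, packet dropped)"
    return f"source {source}: {table} route via {nh} -> RPF {verdict}"


if __name__ == "__main__":
    # Before the fix: only the unicast route exists and it points to the VIP.
    print(explain("20.1.1.10", PIM_NEIGHBORS, UNICAST_ROUTES))
    # After the fix: the multicast table carries routes to the neighbors' local IPs.
    print(explain("20.1.1.10", PIM_NEIGHBORS, UNICAST_ROUTES, MULTICAST_ROUTES_FIXED))
```

Running the script prints a FAIL line for the VIP-only configuration and a PASS line once the multicast-table routes are present, which is the behavior change the Resolution steps are meant to produce. The VIP itself never becomes a PIM neighbor, so adding it to the multicast table would not help; the next hops must be the routers' own interface addresses.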
Example: