Hi,

Although from a theoretical perspective, PIM would not be necessary as the firewall/router should know multicast subscibers and sources on all subnets, practical experience (on EX series devices but I would guess it applies to SRX as well) it didn't work until I enabled PIM.

Regards,

Dominik

I was under the same impression and enabled PIM now.

Occasionally there is a multicast route visible when I do a "show multicast route" but there is no traffic being forwarded anyway...

Could you post your config? Have you assigned interfaces to PIM and if yes, have you enabled dense or sparse mode? If sparse, you need to set a RP, here the firewall itself.

I'm trying to get multicast working between interface ge-4/0/0.0 and ge-6/0/0.0:

> show configuration protocols igmp
interface ge-0/0/4.0 {
    version 3;
    accounting;
}
interface ge-0/0/6.0 {
    version 3;
    accounting;
}

> show configuration protocols pim
interface ge-0/0/4.0 {
    mode dense;
}
interface ge-0/0/6.0 {
    mode dense;
}

And PIM + IGMP come up:

> show pim interfaces
Instance: PIM.master

Name               Stat Mode       IP V State NbrCnt JoinCnt(sg) JoinCnt(*g) DR address
ge-0/0/4.0         Up   Dense       4 2 DR         0           0            0 192.168.127.1
ge-0/0/6.0         Up   Dense       4 2 DR         0           1            0 192.168.121.1

IGMP even shows some group members:

> show igmp interface detail
Interface: ge-0/0/4.0
    Querier: 192.168.127.1
    State:         Up Timeout:    None Version:  3 Groups:      4
    Immediate leave: Off
    Promiscuous mode: Off
    Passive: Off
Interface: ge-0/0/6.0
    Querier: 192.168.121.1
    State:         Up Timeout:    None Version:  3 Groups:      5
    Immediate leave: Off
    Promiscuous mode: Off
    Passive: Off

Right now I'm most interested in group 239.255.255.250

> show igmp group 239.255.255.250 detail
Interface: ge-0/0/4.0, Groups: 4
    Group: 239.255.255.250
        Group mode: Exclude
        Source: 0.0.0.0
        Source timeout: 0
        Last reported by: 192.168.127.199
        Group timeout:     171 Type: Dynamic
        Output interface: ge-0/0/4.0
Interface: ge-0/0/6.0, Groups: 5
    Group: 239.255.255.250
        Group mode: Exclude
        Source: 0.0.0.0
        Source timeout: 0
        Last reported by: 192.168.121.2
        Group timeout:     197 Type: Dynamic
        Output interface: ge-0/0/6.0

192.168.127.199 & 192.168.121.2 that should communicate, but when I send a mc packet from 192.168.127.199 to 239.255.255.250 nothing leaves on ge-0/0/6.0

> show multicast statistics inet
Instance: master Family: INET
Interface: local
    Routing protocol:                Mismatch error:               0
    Mismatch:                    0   Mismatch no route:            0
    Kernel resolve:              0   Routing notify:               0
    Resolve no route:            0   Resolve error:                0
    Resolve filtered:            0   Notify filtered:              0
    In kbytes:                   0   In packets:                   0
    Out kbytes:                  0   Out packets:                  0
Interface: ge-0/0/4.0
    Routing protocol:          PIM   Mismatch error:               0
    Mismatch:                    0   Mismatch no route:            0
    Kernel resolve:              0   Routing notify:               0
    Resolve no route:            0   Resolve error:                0
    Resolve filtered:            0   Notify filtered:              0
    In kbytes:                   0   In packets:                   0
    Out kbytes:                  5   Out packets:                 19
Interface: ge-0/0/6.0
    Routing protocol:          PIM   Mismatch error:               0
    Mismatch:                    0   Mismatch no route:            0
    Kernel resolve:             18   Routing notify:               0
    Resolve no route:            0   Resolve error:                0
    Resolve filtered:            0   Notify filtered:              0
    In kbytes:                   5   In packets:                  27
    Out kbytes:                  0   Out packets:                  0

Any ideas?

Actually that

Also make sure multicast packet TTL is greater than 1.

is the problem: All my multicast packets are sent with  TTL of 1 (link local), so the SRX will just not forward them.

Unfortunately I cannot influence the applications (and their TTL for multicast) so I'm a little lost here. Is there a way (on the SRX) to either mangle the packet to have a higher TTL or route it regardless of TTL?

---

ctr wrote:

: All my multicast packets are sent with  TTL of 1 (link local), so the SRX will just not forward them.

Unfortunately I cannot influence the applications (and their TTL for multicast) so I'm a little lost here. Is there a way (on the SRX) to either mangle the packet to have a higher TTL or route it regardless of TTL?

---

TTL can be only decremented by routers, not incremented.

every module that processes a datagram must decrease the TTL by at least one

 http://www.ietf.org/rfc/rfc791.txt

If you cannot influence app behaviour, then either a transit VLAN or CCC cross-connect on SRX will _not_ decrement TTL.

IP routers _must_ decrement TTL. Period.

HTH

Rgds

Alex

have u solved the problem ?

i m trying to enable multicast in the DMZ zone of isg-2000 firewall for test purpose but until now no luck.

if the multicast traffic source like some TV channel is in the Untrust, and you would like to watch it in some machines in the DMZ, what needs to be configured in DMZ for allowing the multicast traffic.

Thanks,