Created on 10-31-2013 10:30 AM
Edited on 10-23-2023 01:25 AM
By Jean-Philippe_P
Description
This article describes the reasons behind multicast packets being unable to traverse the FortiGate unit, despite the presence of a static route configured to utilize a VRRP, HSRP, or GLBP address for reaching a PIM sparse-mode RP.
Scope
FortiGate.
Solution
Sample Network Topology:
- The FortiGate unit in the above topology forms a PIM-SM neighbor relationship with ROUTER2 and ROUTER3.
- The multicast receiver initiates an IGMP JOIN request expressing its desire to receive a stream destined to multicast group 239.121.1.1. The following output demonstrates that FortiGate has successfully processed the IGMP JOIN request and has recorded the receiver's subscription to the stream.
FGT # get router info multicast igmp groups 239.121.1.1
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
239.121.1.1 port1 00:00:22 00:04:04 172.31.18.167
- Multicast Rendezvous point (RP) is configured on ROUTER1 and is reachable from the FortiGate unit.
FGT # get router info multicast pim sparse-mode rp-mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static
RP: 10.10.10.10
Uptime: 01:30:38
FGT # exec ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10): 56 data bytes
64 bytes from 10.10.10.10: icmp_seq=0 ttl=254 time=0.3 ms
64 bytes from 10.10.10.10: icmp_seq=1 ttl=254 time=0.5 ms
64 bytes from 10.10.10.10: icmp_seq=2 ttl=254 time=0.5 ms
64 bytes from 10.10.10.10: icmp_seq=3 ttl=254 time=0.4 ms
64 bytes from 10.10.10.10: icmp_seq=4 ttl=254 time=0.5 ms
--- 10.10.10.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.4/0.5 ms
- The Multicast routing table on FortiGate displays only one entry for Multicast Group 239.121.1.1. This entry is created by the IGMP join messages received on the port1 network interface of FortiGate facing the receiver.
FGT # get router info multicast pim sparse-mode table 239.121.1.1
IP Multicast Routing Table
(*,*,RP) Entries: 0
(*,G) Entries: 3
(S,G) Entries: 0
(S,G,rpt) Entries: 0
FCR Entries: 0
(*, 239.121.1.1)
RP: 10.10.10.10
RPF nbr: 0.0.0.0
RPF idx: None
Upstream State: JOINED
Local:
port1
Joined:
Asserted:
FCR:
The absence of an (S, G) entry indicates that no multicast stream has been received at the FortiGate. This is attributed to FortiGate's failure to forward the IGMP JOIN (*, G) message to the RP.
- PIM debugs indicate that the FortiGate is not generating a PIM Join towards the RP due to 'No RPF neighbor for (*, 239.121.1.1)'.
FGT # diagnose ip router pim-sm level info
Debug messages will be on for 30 minutes.
FGT # diagnose ip router pim-sm all enable
Debug messages will be on for 30 minutes.
FGT # diagnose debug console timestamp enable
FGT # diagnose debug enable
id=0 msg="PIM-SM: IGMP message for 239.121.1.1 on port1 received filter mode EXCL, num sources 0"
id=0 msg="PIM-SM: Recv (*, 239.121.1.1) Include on port1"
id=0 msg="PIM-SM: Apply (*, 239.121.1.1) Include on port1"
id=0 msg="PIM-SM: Group 239.121.1.1 SPT threshold set"
id=0 msg="PIM-SM: Nexthop 10.10.10.10: Increment refcnt 3"
id=0 msg="PIM-SM: JoinDesired(*,G) => TRUE event for (*, 239.121.1.1)"
id=0 msg="PIM-SM: MRIB.next_hop_rp(10.10.10.10): nexthop 10.120.3.254"
id=0 msg="PIM-SM: US (*,G): No RPF neighbor for (*, 239.121.1.1)" <-------- RPF failure
id=0 msg="PIM-SM: US (*, 239.121.1.1): NOT JOINED to JOINED, JoinDesired(*,G) => TRUE "
RPF check fails because the next hop to reach the RP is 10.120.3.254, which is not a PIM neighbor. 10.120.3.254 is a VRRP Virtual IP address.
- The next-hop for the FortiGate to reach RP according to the routing table is 10.120.3.254 (VRRP Virtual IP Address).
FGT # get router info multicast pim sparse-mode next-hop
Flags: N = New, R = RP, S = Source, U = Unreachable
Destination Type Nexthop Nexthop Nexthop Nexthop Metric Pref Refcnt
Num Addr Ifindex Name
____________________________________________________________________________________
10.10.10.10 .R.. 1 10.120.3.254 5 0 10 3
Firewalls and routers that are not VRRP-aware typically anticipate a PIM neighbor as the next hop to reach the RP, rather than the VRRP virtual IP address.
- In the current network topology, FortiGate recognized 10.120.3.15 (ROUTER2) and 10.120.0.192 (ROUTER3) as PIM neighbors and not 10.120.3.254.
FGT # get router info multicast pim sparse-mode neighbour
Neighbor Interface Uptime/Expires Ver DR
Address Priority/Mode
10.120.0.192 port4 01:00:29/00:01:16 v2 1 /
10.120.3.15 port4 00:27:01/00:01:18 v2 255 / DR
When PIM-SM is set up with routes to the RP directed to the VRRP virtual IP address, it can result in RPF check failures.
To address this issue, configure VRRP-aware PIM on FortiGate as below.
FGT # config router multicast
FGT # config interface
edit <interface name> --------> PIM-SM enabled interface.
set rpf-nbr-fail-back enable
set rpf-nbr-fail-back-filter <access-list>
end
end
'rpf-nbr-fail-back' is used to enable or disable this feature. When this feature is enabled, in the event of an RPF check failure, the system will select the neighbor with the highest DR selection priority. The 'rpf-nbr-fail-back-filter' is employed to manage the eligibility of neighbors for the fail-back selection process.
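The check and the fail-back choice described above can be reproduced offline from saved CLI output. The following Python sketch is an added example, not part of the original article and not Fortinet code: the function names are hypothetical, the sample text is constructed from the output shown earlier, and the `permitted` set is a simplified stand-in for the access list.

```python
import re

# Constructed sample input, shaped like the CLI output shown in this article.
NEXT_HOP_OUTPUT = """\
Destination Type Nexthop Nexthop Nexthop Nexthop Metric Pref Refcnt
Num Addr Ifindex Name
10.10.10.10 .R.. 1 10.120.3.254 5 0 10 3
"""
NEIGHBOUR_OUTPUT = """\
Neighbor Interface Uptime/Expires Ver DR
Address Priority/Mode
10.120.0.192 port4 01:00:29/00:01:16 v2 1 /
10.120.3.15 port4 00:27:01/00:01:18 v2 255 / DR
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_rp_next_hops(text):
    """Return {rp_address: next_hop_address} for rows whose Type flags include R."""
    rows = re.findall(rf"^({IPV4})\s+(\S{{4}})\s+\d+\s+({IPV4})\b", text, re.M)
    return {dst: nh for dst, flags, nh in rows if "R" in flags}

def parse_neighbours(text):
    """Return {neighbour_address: (interface, dr_priority)}."""
    rows = re.findall(rf"^({IPV4})\s+(\S+)\s+\S+/\S+\s+v\d+\s+(\d+)\s*/", text, re.M)
    return {addr: (ifname, int(prio)) for addr, ifname, prio in rows}

def check_rpf(next_hops, neighbours, permitted=None):
    """Flag RPs whose next hop is not a PIM neighbour and name a fail-back candidate.

    permitted: set of neighbour addresses the filter allows (None = no filter).
    Assumption: this models the access list as a plain set of addresses.
    """
    findings = []
    for rp, nh in next_hops.items():
        if nh in neighbours:
            findings.append((rp, nh, "ok", nh))
            continue
        # Fail-back as the article describes it: among permitted neighbours,
        # pick the one with the highest DR priority. The article does not say
        # how ties are broken, so tie order here is arbitrary.
        eligible = {a: p for a, (_, p) in neighbours.items()
                    if permitted is None or a in permitted}
        fallback = max(eligible, key=eligible.get) if eligible else None
        findings.append((rp, nh, "rpf-fail", fallback))
    return findings

if __name__ == "__main__":
    hops = parse_rp_next_hops(NEXT_HOP_OUTPUT)
    nbrs = parse_neighbours(NEIGHBOUR_OUTPUT)
    for rp, nh, status, candidate in check_rpf(hops, nbrs):
        print(f"RP {rp}: next hop {nh} -> {status}, candidate RPF neighbour {candidate}")
```
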
Workaround:
Configure a more specific route pointing to the RP address, using the physical interface addresses as the next hop instead of the VRRP Virtual IP Address. This can be achieved with either a static route or a dynamically learned route.
FGT # show router static
config router static
edit 1
set device "port4"
set gateway 10.120.3.254
set priority 10
next
edit 2
set device "port4"
set distance 5
set dst 10.10.10.10 255.255.255.255
set gateway 10.120.3.15
set priority 10
next
edit 3
set device "port4"
set distance 5
set dst 10.10.10.10 255.255.255.255
set gateway 10.120.0.192
set priority 15
next
end
FGT # get router info routing all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 10.120.3.254, port4, [10/0]
S 10.10.10.10/32 [5/0] via 10.120.3.15, port4, [10/0]
[5/0] via 10.120.0.192, port4, [15/0]
C 10.120.0.0/22 is directly connected, port4
C 172.31.16.0/22 is directly connected, port1
Verification:
FortiGate now forwards the PIM JOIN and receives the Stream from Multicast Source.
FGT # get router info multicast pim sparse-mode table 239.121.1.1
IP Multicast Routing Table
(*,*,RP) Entries: 0
(*,G) Entries: 3
(S,G) Entries: 1
(S,G,rpt) Entries: 1
FCR Entries: 1
(*, 239.121.1.1)
RP: 10.10.10.10
RPF nbr: 10.120.3.15
RPF idx: port4
Upstream State: JOINED
Local:
port1
Joined:
Asserted:
FCR:
Source: 10.121.0.21
Outgoing:
port1
KAT timer running, 179 seconds remaining
Packet count 1
(10.121.0.21, 239.121.1.1)
RPF nbr: 0.0.0.0
RPF idx: None
SPT bit: 0
Upstream State: JOINED
Local:
Joined:
Asserted:
Outgoing:
port1
(10.121.0.21, 239.121.1.1, rpt)
RP: 10.10.10.10
RPF nbr: 10.120.3.15
RPF idx: port4
Upstream State: NOT PRUNED
Local:
Pruned:
Outgoing:
id=0 msg="PIM-SM: IGMP message for 239.121.1.1 on port1 received filter mode EXCL, num sources 0"
id=0 msg="PIM-SM: Recv (*, 239.121.1.1) Include on port1"
id=0 msg="PIM-SM: Apply (*, 239.121.1.1) Include on port1"
id=0 msg="PIM-SM: Group 239.121.1.1 SPT threshold set"
id=0 msg="PIM-SM: Nexthop 10.10.10.10: Increment refcnt 3"
id=0 msg="PIM-SM: JoinDesired(*,G) => TRUE event for (*, 239.121.1.1)"
id=0 msg="PIM-SM: MRIB.next_hop_rp(10.10.10.10): nexthop 10.120.3.15"
id=0 msg="PIM-SM: Send Join/Prune message"
id=0 msg="PIM-SM: Upstream: 10.120.3.15 (Family 1, Type 0)"
id=0 msg="PIM-SM: Rserved: 0"
id=0 msg="PIM-SM: Num groups: 1"
id=0 msg="PIM-SM: Holdtime: 210"
id=0 msg="PIM-SM: Multicast group: 239.121.1.1/32 (Family 1, Type 0)"
id=0 msg="PIM-SM: Number of Join: 1"
id=0 msg="PIM-SM: Number of Prune: 0"
id=0 msg="PIM-SM: Join: (*,G) 10.10.10.10/32 (Family 1, Type 0)"
id=0 msg="PIM-SM: US (*, 239.121.1.1): Starting JT timer with 60 secs timeout"
id=0 msg="PIM-SM: US (*, 239.121.1.1): NOT JOINED to JOINED, JoinDesired(*,G) => TRUE "