This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
trsantos
Contributor
‎2024-07-15 04:36 PM
Jump to solution

Multicast stop to work after 60 seconds then work again without action.

Hi Guys,

We're having a very odd situation here, we have Multicast working fine with Cisco ASA having an Cisco 6509 as a RP, and we're migrating this ASA to SG6200 running R81.20. We migrated one VLAN and can see Multicast working fine, except for the fact that the multicast stream is stop to work (like freezing for around 10 seconds) every 60 seconds. So we have it working for 1 minute, then we can't receive the multicast traffic on the end host for 10 seconds, then back to work again automagically. I've tried to play around with the Multicast timers, no lucky. At this point we have the timer in their default values. The only configuration we have for Multicast is setting the RP static, using PIM Sparse Mode.

I saw many HF to be applied for the old versions but as we running R81.20 there is no HF for this version. Anyone had experienced this issue?


We assume the all Multicast configuration is working fine as the multicast is working and we have all firewall rules in place, all multicast traffic is being allowed and we can't see anything being blocked. When we test the same machine in a VLAN behind ASA, we don't experience this behavior, the stream keep running smoothly.

Any idea?

multicast.png

multicast2.png

multicast3.png

Labels
0 Kudos
1 Solution

Accepted Solutions
trsantos
Contributor
‎2024-07-25 10:06 PM
Jump to solution

We were seeing this behaviour in a controlled part of the network and after moving all VLANs to Checkpoint we didn't see this issue anymore, so no actions were taken. Thks for the help guys!

View solution in original post

0 Kudos
13 Replies
Chris_Atkinson
Employee Employee
Employee
‎2024-07-15 05:02 PM
Jump to solution

What does your policy look like for allowing this traffic?

Further troubleshooting & diagnosis with TAC might be necessary.

Note for information there are additional multicast fixes in JHF T70, refer:

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/Take_70.htm?tocpath=_____6

 

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2024-07-15 05:08 PM
Jump to solution

Not sure latest jumbo would help here, but you can certainly give it a go. Just curious, when did this start happening? Do you see any logs in smart console for 224.0.0.x?

Andy

0 Kudos
trsantos
Contributor
‎2024-07-15 05:15 PM
In response to the_rock
Jump to solution

We've set up this environment in LAB and we didn't see this issue, now we're moving to production, the first VLAN we migrated we realised that this issue was happening...can't see anything being blocked on logs, 

multicast4.png

 

0 Kudos
the_rock
Legend
Legend
‎2024-07-15 05:41 PM
In response to trsantos
Jump to solution

Do fw monitor and see if you notice anything unusual

fw monitor -F "srcip,srcport,dstip,dstport,protocol" and so on

so say src is 1.1.1.1, dst is 2.2.2.2and port is 4434

fw monitor -F "1.1.1.1,0,2.2.2.2,4434,0" -F "2.2.2.2,0,1.1.1.1,4434,0"

Andy

0 Kudos
trsantos
Contributor
‎2024-07-16 04:16 PM
In response to the_rock
Jump to solution

I have limited access to the environment, as soon as I can run the command I post it here

0 Kudos
the_rock
Legend
Legend
‎2024-07-16 04:40 PM
In response to trsantos
Jump to solution

Dawned on me, as I remember one of my colleagues always talking about it...maybe IGMP snooping setting?

Andy

https://community.meraki.com/t5/Switching/Multicast-Basic-s/m-p/25867/highlight/true#M2125

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2024-07-17 09:14 AM
In response to the_rock
Jump to solution

Yep still think it is something in his switch architecture doing it which is why I brought up STP in my earlier post.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
Legend
Legend
‎2024-07-17 09:21 AM
In response to Timothy_Hall
Jump to solution

Agree...spanning tree can definitely be an issue, for sure.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2024-07-15 07:16 PM
Jump to solution

Hmm, the 10 second outage sounds suspiciously like STP port blocking in Listen+Learn mode as the result of a perceived bridging loop at the switch level, or some kind of storm control.  I assume as part of the the migration to Check Point you are plugging into a different switch?  Do you have portfast set on these new ports and do you have any kind of storm control set on the new switch?

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
trsantos
Contributor
‎2024-07-16 04:18 PM
In response to Timothy_Hall
Jump to solution

Everything is working fine, the switchports are up and we don't see any up/downs, just the multicast stream stops, everything keeps working so we discarded any STP problem.

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2024-07-15 10:16 PM
Jump to solution

Is migrated VLAN configured on bond, or single physical interface ?

Kind regards,
Jozko Mrkvicka
trsantos
Contributor
‎2024-07-16 04:19 PM
In response to JozkoMrkvicka
Jump to solution

It's a single interface, but for this issue seems to be something in higher layers as everything else is working fine except the multicast stream stopping for few seconds.

trsantos
Contributor
‎2024-07-25 10:06 PM
Jump to solution

We were seeing this behaviour in a controlled part of the network and after moving all VLANs to Checkpoint we didn't see this issue anymore, so no actions were taken. Thks for the help guys!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events