Sunday, December 1, 2019

Multicast issue with active active firewall and ecmp

I've been working on a new project for a few months and have hit a pretty big snag with multicast connections failing randomly on start-up.

I have a pair of Palo Alto 5220s in active/active, connected to Nexus 9ks on the inside and 3ks on the outside. All connections are point-to-point L3 links running BGP. ECMP is enabled to allow all links to be used. The 3ks are iBGP peers. Only one device in each pair is active for multicast at a time; we disabled the default multicast multipath Nexus config as it caused problems of its own.

The application will be turned on and a number of multicast connections to an RP on the outside will be established. In this first stage some random connections will fail. If it is repeated quickly after this failure, then all connections will work. If left for 15 minutes, enough time for all mroutes to time out, the connections will fail again.

The only symptom that I can find that I think is related is seeing multicast packets sourced from the inside somehow reaching the outside interface of the firewall and being denied. It looks like the traffic is leaving the firewall, being sent to the 3k, then sent back to the firewall. However, I don't understand how this is possible, as no unicast traffic does the same thing.

My multicast knowledge has all been learned through this project, so I'm hoping I'm missing something that someone here will know from experience. Can anyone think of the cause? Any suggestions where to look?


