Support Center > Search Results > SecureKnowledge Details
Fail to establish multicast PIM toward Cisco HSRP Technical Level
Symptoms
  • Multicast between Security Gateway and Cisco routers in HSRP mode fails, and multicast packets are ignored even when the neighbor is up and accessible.
Cause

When a Cisco HSRP pair faces Check Point routers. a static route is configured to point to the HSRP VIP. However, the Ciscos send PIM hello messages using the physical IP. Multicast control messages work only when the unicast and multicast topologies are congruent, i.e., the unicast nexthop to an IP matches a PIM neighbor. Since the Cisco is not sending PIM hellos with the HSRP source, this configuration does not work.

Refer to Cisco's documentation regarding this issue.  


Solution

To test, do the following:

  • Change the static route to point to Cisco HSRP active member's physical IP address. Check if the multicast control traffic works. If it works, proceed to configure the static route with two different next hops toward the physical IPs of the Cisco. Set different priorities for each next hop and enable the ping option for the static route. When the physical IP of the active goes down, the route will update to the physical IP of the standby.


  • Static routes for the Multicast sources should also be pointed towards the DR HSRP router.

Permanent Solution:

Upgrade the Cisco routers to a version that sends PIM messages with the HSRP VIP as the source IP address. 

Cisco calls this feature "HSRP Aware PIM", about which you can read here.   

Note: Field experiences show that even with this enhancement, the Cisco routers send PIM Hellos with the physical IPs. Check Point routers see three PIM neighbors, the VIP and the two physical IPs. In addition, the Cisco routers conduct PIM Assert battles among themselves using their physical IPs as the PIM packets’ source IP. The Assert timer may cause undesired Prune(s) to be sent upstream during Cisco HSRP failover. To fully optimize upstream network segment, it is strongly recommended to configure the firewall to drop PIM messages from the Cisco HSRP physical IPs. Check Point routers would then only see one PIM neighbor (Cisco VIP).

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment