checkpoint and multicast traffics

[cciesec2006]

I have a requirement to make multicast work across Checkpoint
firewalls NGx R65 with HFA_02 SPLAT ASAP.

Scenario:

I have a Windows Media Server on VLAN_A. VLAN_A is in
IP address of 192.168.1.64/28. Windows media server
IP address is 192.168.70/28. Windows media server's
default gateway is 192.168.1.65.

I have a Cisco router 3845 running IOS 12.4. This
cisco router is in both VLAN_A and VLAN_B. In VLAN_A,
the router has an ip address of 192.168.65/28. In VLAN_B,
it has an IP address of 192.168.1.4/28. The router
has a default gateway of 192.168.1.1.

I enable multicast PIM dense mode on the router. Hosts
on VLAN_B can get multicast audio/video streaming from
the Windows media server without any issues.

I have a pair of checkpoint NGx R65 with hfa_02 SPLAT
firewalls running in Active/Active mode. Internal
network is VLAN_B. External network is in VLAN_C.
Sync connectivity is in VLAN_D, as follows:

fwA = 192.168.1.2/28, 192.168.0.2/24, sync( 10.1.1.1/28)
fwB = 192.168.1.3/28 192.168.0.3/24 sync (10.1.1.2/28)
VIP = 192.168.1.1/28 192.168.0.1/24


I have SPLAT PRO on the enforcement modules so PIM is there.
I have rule on the firewall to allow EVERYTHING. In other
words, it is "Any Any Any Accept log".

Hosts on VLAN_C can get to hosts on VLAN_A without any ssues.
The issue is that I can NOT get multicast traffics to go across
the firewall. When I am on the router, I see this:

Cisco>sh ip pim nei
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
S - State Refresh Capable
Neighbor Interface Uptime/Expires Ver DR
Address Prio/Mode
192.168.1.1 FastEthernet1/0 07:57:10/00:01:35 v2 1 / DR
Cisco>

On the SPLAT firewall, I see this:
localhost.localdomain#sh ip pim nei
PIM Neighbor Table
Neighbor Address Interface Uptime Expires Mode
192.168.1.4 eth1 2d18h 00:01:29 dense
localhost.localdomain#


What it means is that both the firewall and the router can see each other as
PIM neighbor but multicast traffics do not work.

Anyone know why?

[chuachongchee]

Quote:

Originally Posted by cciesec2006

I have a requirement to make multicast work across Checkpoint
firewalls NGx R65 with HFA_02 SPLAT ASAP.

Scenario:

I have a Windows Media Server on VLAN_A. VLAN_A is in
IP address of 192.168.1.64/28. Windows media server
IP address is 192.168.70/28. Windows media server's
default gateway is 192.168.1.65.

I have a Cisco router 3845 running IOS 12.4. This
cisco router is in both VLAN_A and VLAN_B. In VLAN_A,
the router has an ip address of 192.168.65/28. In VLAN_B,
it has an IP address of 192.168.1.4/28. The router
has a default gateway of 192.168.1.1.

I enable multicast PIM dense mode on the router. Hosts
on VLAN_B can get multicast audio/video streaming from
the Windows media server without any issues.

I have a pair of checkpoint NGx R65 with hfa_02 SPLAT
firewalls running in Active/Active mode. Internal
network is VLAN_B. External network is in VLAN_C.
Sync connectivity is in VLAN_D, as follows:

fwA = 192.168.1.2/28, 192.168.0.2/24, sync( 10.1.1.1/28)
fwB = 192.168.1.3/28 192.168.0.3/24 sync (10.1.1.2/28)
VIP = 192.168.1.1/28 192.168.0.1/24


I have SPLAT PRO on the enforcement modules so PIM is there.
I have rule on the firewall to allow EVERYTHING. In other
words, it is "Any Any Any Accept log".

Hosts on VLAN_C can get to hosts on VLAN_A without any ssues.
The issue is that I can NOT get multicast traffics to go across
the firewall. When I am on the router, I see this:

Cisco>sh ip pim nei
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
S - State Refresh Capable
Neighbor Interface Uptime/Expires Ver DR
Address Prio/Mode
192.168.1.1 FastEthernet1/0 07:57:10/00:01:35 v2 1 / DR
Cisco>

On the SPLAT firewall, I see this:
localhost.localdomain#sh ip pim nei
PIM Neighbor Table
Neighbor Address Interface Uptime Expires Mode
192.168.1.4 eth1 2d18h 00:01:29 dense
localhost.localdomain#


What it means is that both the firewall and the router can see each other as
PIM neighbor but multicast traffics do not work.

Anyone know why?

Run "fw ctl zdebug drop" and see if anything is being dropped?

Next, try to configure multicast routing under topology of the cluster object? See if that helps?