Hi Bartlett,

Why do you need the following on GM:

ip igmp join-group multicast_address
ip multicast-routing

When the GMs download the rekey policy, they start listening to the multicast address sent by the KS through the ACL having the multicast address. There is no need to enable multicast routing and join-group. Either the ASA should be configured as SMR-IGMP proxy, where it just forwards the IGMP, or make the ASA part of the multicast routing.

With regards
Kings

On Tue, Mar 9, 2010 at 4:48 PM, Bartlett Graham A <[email protected]> wrote:
> From my notes with the KS on the inside of the ASA, from memory this
> worked and the rekey was performed using multicast. I'm not 100% sure if
> this is the correct config, but I know that it worked for me..
>
> On the ASA
>
> you need an ACL to allow multicast traffic in.
> pim multicast-routing
> pim rp-address address_of_KS
>
> on KS
>
> ip multicast-routing
> ip pim sparse-mode
> ip pim rp-address address_of_KS
>
> on GM
>
> ip igmp join-group multicast_address
> ip multicast-routing
>
> ------------------------------
> From: [email protected] [mailto:[email protected]] On Behalf Of Michael Davis
> Sent: 09 March 2010 11:03
> To: Badar Farooq
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] GETVPN and multicast through ASA
>
> Hi – Yes it took a while. It has stopped working. When I issued the
> "clear crypto isakmp" command it stopped working. So now I can try to work
> out how to get the multicast through the ASA.
>
> From: Badar Farooq [mailto:[email protected]]
> Sent: Tuesday, March 09, 2010 9:56 PM
> To: Michael Davis
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] GETVPN and multicast through ASA
>
> Well, the registration would work fine. Reduce the rekey retransmit time
> to minimum and run debugs on the GMs to see if you are receiving rekeys once
> they are retransmitted. (Alternatively, you can change the ACL to force a
> rekey.)
> But remember, clearing GDOI on GMs or any change on GMs will cause
> re-registration, which will work fine. (It's unicast and in the opposite
> direction.)
>
> With ASA in between, multicast rekey should NOT work. But let's first make
> sure it's not working and then we can implement the workarounds later.
>
> On Tue, Mar 9, 2010 at 1:49 PM, Michael Davis <[email protected]> wrote:
>
> Hi Everyone – I configured a GETVPN using 3 1760s running 12.4(15)T. I
> put an ASA 5510 between the KS and the 2 GMs. I set the keying as unicast,
> which worked fine. I changed the keying to multicast and it is still
> working?? Shouldn't I have to do something on the ASA to pass multicast
> traffic for GETVPN? I vaguely remember Tyson doing this in the bootcamp to
> make it work, so I am a bit confused.
>
> Can anyone please clarify what we need to do if a GETVPN using multicast
> keys traverses an ASA or another router?
>
> Thanks
>
> Michael
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> "This e-mail is intended for the recipient only. If you are not the
> intended recipient you must not use, disclose, distribute, copy, print,
> or rely upon this e-mail. If an addressing or transmission error has
> misdirected this e-mail, please notify the author by replying to this
> e-mail."
>
> "Recipients should note that all e-mail traffic on MOD systems is
> subject to monitoring and auditing."
