FortiGate
nvisentin_FTNT
Article Id 195571

Description

This article explains how to analyze and troubleshoot multicast sessions on a FortiGate running FortiOS 5.0, 5.2 and 5.4. A new feature introduced in 5.4 gives a better overview of multicast sessions.

Scope

FortiGate.


Solution

 
Prior to FortiOS 5.4:

FortiOS 5.0 and 5.2 do not have a multicast session structure in the kernel, so multicast sessions cannot be observed directly.

There is a workaround on platforms that support multicast offloading (platforms based on NP6, CE4, XE2, XG2 and XH0). Multicast traffic can be offloaded when the FortiGate participates in multicast routing, which means multicast-router has to be enabled.

In this case, the following command shows the multicast sessions offloaded to the ASIC:

diagnose ip multicast npu-session list

The output looks like this:

vf=1, hash_index=2, iif/oif=39/42, in_vtag/out_vtag=32988/33988,0x0a010101(55334)-->0xef010101(60400):17 ==> 0x0a010101--> 0xef010101 expire=173
 
  • 0x0a010101 is the source IP in hexadecimal: 10.1.1.1.
  • 0xef010101 is the destination IP (multicast group) in hexadecimal: 239.1.1.1.
  • iif/oif=39/42: inbound interface index 39, outbound interface index 42 (use 'diagnose netlink interface list' to find the interface name from the index).
  • expire=173: the session will be deleted in 173 seconds if no further packets match the session.

When source NAT is applied in the multicast firewall policy:

vf=1, hash_index=2, iif/oif=39/42, in_vtag/out_vtag=32988/33988,0x0a010101(55334)-->0xef010101(60400):17 ==> 0x96010101--> 0xef010101 expire=178
 
  • 0x96010101 is the source NAT IP in hexadecimal: 150.1.1.1.

After FortiOS 5.4:

FortiOS 5.4 has introduced a multicast session structure in the kernel, so a session can now be seen even if it is not offloaded to the ASIC.

The command to display the multicast session table is:

diagnose sys mcast-session list

The output looks like the following:

vf=1 index=0 proto=17 10.1.1.1.1024->239.1.1.1.60400
indev=68 act_num=1 duration=8 expire=179 pkts=840331 bytes=686550427
session-npu-info: offload=1  flags=0x00000001
ipid/vlifid=146/146 vlanid/vtag_in=2200/2200 in_npuid=1 tae_index=268 qid=0 fwd_map=0x00000000
act1: outdev=71 nsaddr=150.1.1.1, ndaddr=0.0.0.0
act-npu-info:  ipid/vlifid=146/146 vlanid/vtag_in=2200/2200 in_npu_id=1, out_npuid=1 epid=147 fwd=0
 
  • 10.1.1.1: source IP.
  • 239.1.1.1: destination IP.
  • pkts=840331 bytes=686550427: packets and bytes counters.
  • offload=1: this session is offloaded.
  • indev=68: ingress interface.
  • outdev=71: egress interface.
  • nsaddr=150.1.1.1: source NAT IP.
  • ndaddr=0.0.0.0: destination NAT IP, no DNAT here.

vf=1 index=0 proto=17 10.1.1.1.1024->239.1.1.1.60400
indev=68 act_num=1 duration=8 expire=171 pkts=0 bytes=0
session-npu-info: offload=0  flags=0x00000002
ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npuid=0 tae_index=0 qid=0 fwd_map=0x00000000
act1: outdev=71 nsaddr=150.1.1.1, ndaddr=0.0.0.0
act-npu-info:  ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npu_id=0, out_npuid=0 epid=0 fwd=0

  • offload=0: this session is not offloaded (no compatible ASIC, or auto-asic-offload is disabled in the multicast firewall policy).

Run the following commands and check the multicast status:

diagnose sys mcast-session list
diagnose ip multicast npu-session list
diagnose ip multicast mroute
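As an added example (not part of this article and not FortiOS code), the following Python script parses captured output of the first two commands above. It decodes the hexadecimal addresses of the npu-session line into dotted quads, reports whether source NAT was applied, and flags mcast-session entries that are not offloaded or have matched no packets. The sample outputs embedded in it are constructed after the examples in this article rather than captured from a live unit, and the field names it reads are only those shown above.

```python
"""Offline decoder for the two FortiGate multicast session listings above."""
import ipaddress
import re

# Constructed samples shaped after the article's examples, not captured from a live unit.
# 'diagnose ip multicast npu-session list' (FortiOS 5.0/5.2): no SNAT, then SNAT to 150.1.1.1.
NPU_SESSION_OUTPUT = """\
vf=1, hash_index=2, iif/oif=39/42, in_vtag/out_vtag=32988/33988,0x0a010101(55334)-->0xef010101(60400):17 ==> 0x0a010101--> 0xef010101 expire=173
vf=1, hash_index=3, iif/oif=39/42, in_vtag/out_vtag=32988/33988,0x0a010101(55334)-->0xef010101(60400):17 ==> 0x96010101--> 0xef010101 expire=178
"""
# 'diagnose sys mcast-session list' (FortiOS 5.4): one offloaded session with traffic, one idle and not offloaded.
MCAST_SESSION_OUTPUT = """\
vf=1 index=0 proto=17 10.1.1.1.1024->239.1.1.1.60400
indev=68 act_num=1 duration=8 expire=179 pkts=840331 bytes=686550427
session-npu-info: offload=1  flags=0x00000001
ipid/vlifid=146/146 vlanid/vtag_in=2200/2200 in_npuid=1 tae_index=268 qid=0 fwd_map=0x00000000
act1: outdev=71 nsaddr=150.1.1.1, ndaddr=0.0.0.0
act-npu-info:  ipid/vlifid=146/146 vlanid/vtag_in=2200/2200 in_npu_id=1, out_npuid=1 epid=147 fwd=0

vf=1 index=1 proto=17 10.1.1.2.1024->239.1.1.2.60400
indev=68 act_num=1 duration=8 expire=171 pkts=0 bytes=0
session-npu-info: offload=0  flags=0x00000002
ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npuid=0 tae_index=0 qid=0 fwd_map=0x00000000
act1: outdev=71 nsaddr=150.1.1.2, ndaddr=0.0.0.0
act-npu-info:  ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npu_id=0, out_npuid=0 epid=0 fwd=0
"""

HEX = r"0x[0-9a-fA-F]{8}"
NPU_LINE_RE = re.compile(
    r"vf=(?P<vf>\d+), hash_index=\d+, iif/oif=(?P<iif>\d+)/(?P<oif>\d+), in_vtag/out_vtag=\d+/\d+,\s*"
    rf"(?P<src>{HEX})\((?P<sport>\d+)\)-->\s*(?P<dst>{HEX})\((?P<dport>\d+)\):(?P<proto>\d+)"
    rf"\s*==>\s*(?P<nat_src>{HEX})-->\s*(?P<nat_dst>{HEX})\s+expire=(?P<expire>\d+)"
)
HEADER_RE = re.compile(r"vf=(?P<vf>\d+) index=(?P<index>\d+) proto=(?P<proto>\d+) (?P<src>\S+)->(?P<dst>\S+)")
KV_RE = re.compile(r"([\w/]+)=([^\s,]+)")  # key=value tokens, trailing commas dropped


def hex_to_ip(word):
    """Decode a 32-bit hex word such as 0x0a010101 into dotted quad (10.1.1.1)."""
    return str(ipaddress.IPv4Address(int(word, 16)))


def parse_npu_sessions(text):
    """Decode npu-session lines; 'snat' is True when the post-NAT source differs from the source."""
    sessions = []
    for line in text.splitlines():
        m = NPU_LINE_RE.search(line)
        if not m:
            continue
        src, nat_src = hex_to_ip(m["src"]), hex_to_ip(m["nat_src"])
        sessions.append({
            "vf": int(m["vf"]), "iif": int(m["iif"]), "oif": int(m["oif"]),
            "src": src, "sport": int(m["sport"]), "group": hex_to_ip(m["dst"]), "dport": int(m["dport"]),
            "proto": int(m["proto"]), "nat_src": nat_src, "snat": nat_src != src, "expire": int(m["expire"]),
        })
    return sessions


def parse_mcast_sessions(text):
    """Parse blank-line separated mcast-session records into flat dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        m = HEADER_RE.match(lines[0].strip())
        if not m:
            continue
        src, sport = m["src"].rsplit(".", 1)      # FortiOS prints a.b.c.d.port
        group, dport = m["dst"].rsplit(".", 1)
        fields = {}
        for line in lines[1:]:
            for key, val in KV_RE.findall(line):
                fields.setdefault(key, val)      # keep the session-level value, not act-npu-info's repeat
        records.append({
            "vf": int(m["vf"]), "index": int(m["index"]), "proto": int(m["proto"]),
            "src": src, "sport": int(sport), "group": group, "dport": int(dport),
            "indev": int(fields["indev"]), "outdev": int(fields.get("outdev", 0)),
            "offload": fields.get("offload") == "1",
            "pkts": int(fields["pkts"]), "bytes": int(fields["bytes"]), "expire": int(fields["expire"]),
            "nsaddr": fields.get("nsaddr", "0.0.0.0"), "ndaddr": fields.get("ndaddr", "0.0.0.0"),
        })
    return records


def triage(records):
    """Return one (index, flow, reason) tuple per condition worth a second look."""
    findings = []
    for r in records:
        flow = f"{r['src']}:{r['sport']}->{r['group']}:{r['dport']}"
        if not r["offload"]:
            findings.append((r["index"], flow,
                             "not offloaded: no compatible ASIC or auto-asic-offload disabled in the multicast policy"))
        if r["pkts"] == 0:
            findings.append((r["index"], flow,
                             "no packets matched: confirm the source is sending and check 'diagnose ip multicast mroute'"))
    return findings


if __name__ == "__main__":
    for s in parse_npu_sessions(NPU_SESSION_OUTPUT):
        print(f"npu   {s['src']}:{s['sport']} -> {s['group']}:{s['dport']} proto {s['proto']} "
              f"iif {s['iif']} oif {s['oif']} snat={s['nat_src'] if s['snat'] else 'no'} expire={s['expire']}s")
    for idx, flow, why in triage(parse_mcast_sessions(MCAST_SESSION_OUTPUT)):
        print(f"mcast index={idx} {flow}: {why}")
```

Paste the real CLI output into the two string constants (or read it from a file) to run it against a unit; the interface indexes it prints still need `diagnose netlink interface list` to be mapped to names, as the article notes.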