Created on 09-13-2023 01:54 AM Edited on 09-13-2023 02:21 AM
Description | This article describes the troubleshooting steps to check when IGMP snooping is not working as expected. |
Scope | FortiSwitch v6.4.x and above. |
Solution |
Before beginning, review the link below, which contains important information: Configuring IGMP-snooping settings
It is recommended to have FortiSwitch on the latest version as there will be bug fixes in the latest releases. For example: Bug# 833450 https://docs.fortinet.com/document/fortiswitch/7.2.4/release-notes/255778
Refer to the use case below in this KB article and follow the configuration and troubleshooting steps. In this example, IPTV multicast is not working: the TV is not receiving the streaming service.
Setup: FortiSwitches are managed by FortiGate. The TV is trying to join multicast address 239.241.1.1. The IPTV receiver and the server/sender are on the same VLAN, for example vlan2.
Refer to configuration and troubleshooting steps:
Configuration on FortiGate:
config system interface
    edit vlan2
        set switch-controller-igmp-snooping enable
        set switch-controller-igmp-snooping-proxy enable
    next
end
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config igmp-snooping
            set local-override enable
            set flood-unknown-multicast disable
            config vlans
                edit vlan2
                    set querier enable
                    set querier-addr <IPv4_address>   <----- This can be the IP address of the vlan2 interface on the FortiGate.
                    set version {2 | 3}
                next
            end
        end
    next
end
By default, flood-unknown-multicast is disabled, and unregistered multicast packets are forwarded only to router ports. If flood-unknown-multicast is enabled, unregistered multicast packets are forwarded to all ports in the VLAN. Enable this for testing purposes during troubleshooting.
config switch-controller storm-control
Configuration on FortiSwitch:
For example: Refer to the diagram, the ports marked in red are ISLs. Check config on the ISL interface by taking CLI access to each FortiSwitch and executing the below commands:
show switch trunk
show full-config switch interface <trunk name>
    set igmp-snooping-flood-reports disable
    set mcast-snooping-flood-traffic disable
It is possible to enable these options on the FortiLink trunks of the FortiSwitches for testing purposes during troubleshooting.
config switch interface
    edit <trunk name>
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
end
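The flood options above and flood-unknown-multicast are enabled only for testing, so it is worth confirming they were switched back once troubleshooting ends. The following is an added example, not Fortinet code: it walks saved CLI output and reports where any of the three settings is still enabled. The sample text, the trunk name trunk-isl-1 and the serial placeholder are constructed, and FortiGate and FortiSwitch output are combined in one string for brevity.

```python
# Added example (not Fortinet code): flag test-only flood settings left enabled.
TEST_ONLY = {"flood-unknown-multicast",        # FortiGate, per managed switch
             "igmp-snooping-flood-reports",    # FortiSwitch interface/trunk
             "mcast-snooping-flood-traffic"}   # FortiSwitch interface/trunk

def find_leftover_flooding(config_text):
    """Return (config path, setting) pairs where a test-only setting is enabled."""
    findings, path = [], []
    for raw in config_text.splitlines():
        words = raw.replace('"', "").split()
        if not words:
            continue
        if words[0] in ("config", "edit"):
            path.append(" ".join(words))
        elif words[0] == "next" and path and path[-1].startswith("edit "):
            path.pop()
        elif words[0] == "end":
            # "end" also closes an edit that was not closed with "next"
            if path and path[-1].startswith("edit "):
                path.pop()
            if path:
                path.pop()
        elif words[0] == "set" and len(words) >= 3:
            if words[1] in TEST_ONLY and words[2] == "enable":
                findings.append((" > ".join(path), words[1]))
    return findings

# Constructed sample; names and serial are placeholders, not from a real device.
SAMPLE = """
config switch interface
    edit "port3"
        set igmp-snooping-flood-reports disable
    next
    edit "trunk-isl-1"
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
end
config switch-controller managed-switch
    edit "SERIAL-PLACEHOLDER"
        config igmp-snooping
            set flood-unknown-multicast enable
        end
    next
end
"""

if __name__ == "__main__":
    for where, setting in find_leftover_flooding(SAMPLE):
        print(f"{setting} still enabled at: {where}")
```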
Troubleshooting on FortiSwitch:
get switch igmp-snooping group
On Access FSW1 -> The multicast address learned on port3 is visible.
On Core FSW1, Core FSW2, and Access FSW2 -> The ISL trunks learning the multicast address 239.241.1.1 from Access FSW1 are visible.
On Core FSW1, Core FSW2, and Access FSW1 -> The ISL trunks learning the querier address configured on Access FSW2 are visible.
On Access FSW2 -> The querier learnt on port3 is visible.
diag sys top -- Ctrl + C to stop (check whether the multicast/igmp process is going high or not)
diag debug crashlog read -- check for any multicast/igmp crash
If the igmpsnoopingd process is in a stuck state, it is possible to try killing the process:
# fnsysctl ps -- check for the igmpsnoopingd PID and try to kill the process.
1036 0 45964 S N /bin/igmpsnoopingd
# diag sys kill 9 1036
diag debug report
show full-config
In a network with more FortiSwitches, collect the above logs from the core FortiSwitches and access FortiSwitches where the sender and receiver are connected. In the case of multi-tier mclag-icl setup, collect the logs from distribution FortiSwitches as well.
Disclaimer: The configuration and troubleshooting approach may vary depending on the network setup (FSW topology and multicast service system). |