Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sergio7
New Contributor

Created on ‎03-30-2023 09:42 AM Edited on ‎04-06-2023 02:05 AM

Multicast Routing over MPLS - join multicast group behind a Fortigate fails

Hi,

I'm actually a beginner in Multicast Routing and could need some help with the configuration of a FortiGate 60F Firewall. My goal is actually to configure R-GOOSE.

 

FortiGate 60F v7.2.3

Cisco Router: IR1101-K9 (IOS XE 17.06.04)
Cisco Switch: IE-3400-SP2S (IOS XE 17.09.02)

 

R-GOOSE is a version of the popular IEC 61850 peer-to-peer communications method that can be used for wide-area protection and control applications. While the principles remain the same, R-GOOSE uses UDP multicast as the transport mechanism.

R-GOOSE Applications in a Smart Grid (Dr. Alexander Apostolov)

 

My lab spreads over multiple sites, connected over MPLS Layer 3 VPN. Between PE and CE i'm using OSPF on all sites with the same VRF. In the MPLS Core i'm using OSPF for the Underlay Network.

Screenshot 2023-03-30 180654.png

 

 

 

 

To get multicast running over MPLS i followed the instructions from cisco. cisco link

I'm using PIM sparse-mode and configured a Rendezvous Point on both multicast routing domains. (VRF and MPLS CORE).

Multicast is working fine between the cisco routers. Here an example. The neighbour table of pim in my VRF and the test for multiple interfaces i joined to a multicast-address:

da.png

 

 

 

 

 

 

 

 

 

 

 

 

Here you can see that the firewall formed a pim neighbor with the R-PE16 router.

6.png

 

 

 

 

 

 

 

 

 

This is my actual multicast routing configuration on my fortigate:

2.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Multicast Policy on FortiGate:

Screenshot 2023-03-30 185024.png

 

 

 

 

 

 

 

 

 

 

 

 

1) I've configured the wan1 interface, that is actually in the zone "DOMOT" with the multicast join of 239.1.1.1.

Ping's not arriving at that interface. PING is activated on the Interface settings.

 

2) I also configured a router an connected it to the cisco switch (VLAN30 Access Port).

From here i want to send and receive these GOOSE Messages. On the interface i joined the same multicast address 239.1.1.1.

How can i verify that the fortigate multicast router noticed about that host/router that wants the multicast traffic from 239.1.1.1?

 

3) I also receive some igmp debug messages on PE router. But these are looking like the multicast routing protocols. They are not allowed to be routed over multicast!

3.png

 

On the multicast routing table R-PE16, i can see there is an entry from the interface IP of the fortigate!

mroute-on-16.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

IGMP Snooping is enabled on the switch.

4) Did i miss something?

 

Thanks

Sergio

 

Labels:
406
0 Kudos
8 REPLIES 8
Anthony_E
Community Manager
Community Manager

Created on ‎04-02-2023 09:57 PM

Hello Sergio,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
356
0 Kudos
Anthony_E
Community Manager
Community Manager

Created on ‎04-05-2023 10:01 PM

Hello Sergio,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
325
0 Kudos
djflynnuk
New Contributor II

Created on ‎04-06-2023 03:55 AM

Did you find an answer - I think I have the exact same issue!

314
0 Kudos
sergio7
New Contributor
In response to djflynnuk

Created on ‎04-06-2023 03:57 AM

Hi,

Not yet. I will inform you here if i solve the issue.

312
0 Kudos
djflynnuk
New Contributor II
In response to sergio7

Created on ‎04-06-2023 04:00 AM

thank you, likewise!

311
0 Kudos
djflynnuk
New Contributor II

Created on ‎04-06-2023 04:59 AM

Hi Sergio7,

not sure this will help you (but its helped) me, I've found removing the join-group statement entirely and using the static-group config instead works i.e.

 

config router multicast-flow
edit "a.b.c.d" (mcast group IP)
config flows
edit 1
set group-addr a.b.c.d (mcast group IP)
set source-addr a.b.c.d (mcast src IP)

 

config router multicast

config interface

edit "lan2"   
set pim-mode sparse-mode
set static-group "a.b.c.d" (mcast group IP)
config igmp
set version 2
end

 

If I enable the join-group nothing works.

 

306
sergio7
New Contributor
In response to djflynnuk

Created on ‎04-12-2023 08:49 AM

Hi,

 

I've tested it today. For me it doesn't solve my problem. After reading following Technical Tip:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-a-static-IGMP-group-entry/ta-p/1930...

It looks only necessary when the last device in the multicast group sends a "IGMP Leave Group message" to keep forwarding the multicast traffic on that port/interface.

 

Hmm will investigate further.


Thanks

222
0 Kudos
djflynnuk
New Contributor II

Created on ‎04-12-2023 08:51 AM Edited on ‎04-12-2023 03:42 PM

yes, its a static "always-on" binding. shame. 

edit: completely removing the join-group "fixes" this - IGMP signalling works from an end host as you'd expect.

So now I have it running correctly with no static-group or join-group config and just an end host IGMP'ing.

edit "lan2"
set pim-mode sparse-mode
config igmp
set version 2

# get router info multicast igmp groups
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
<mcast-grp-ip> lan2 00:00:07 00:04:12 <lan-client-ip>

 

Best of luck!

220
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.