[AusNOG] Quick ASA question

Alex Samad - Yieldbroker Alex.Samad at yieldbroker.com
Wed Feb 25 17:23:28 EST 2015


So I tried

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115804-asa-multi-probs-00.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/route_multicast.html#wp1067046 

then tried searches for Drop-reason: (security-failed) Early security checks failed

But didn't actually find the answer I was looking for.

A

> -----Original Message-----
> From: Mark ZZZ Smith [mailto:markzzzsmith at yahoo.com.au]
> Sent: Wednesday, 25 February 2015 5:21 PM
> To: Alex Samad - Yieldbroker; ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Quick ASA question
> 
> So what did the manual say about setting up multicast, and why haven't you
> spent 5 minutes trying to add them to your ACL to see if that is the cause of
> your problem?
> 
> 
> 
> http://www.catb.org/esr/faqs/smart-questions.html#before
> 
> ________________________________
> From: Alex Samad - Yieldbroker <Alex.Samad at yieldbroker.com>
> To: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
> Sent: Wednesday, 25 February 2015, 16:20
> Subject: [AusNOG] Quick ASA question
> 
> 
> Hi
> 
> I'm setting up multicast routing through an ASA5520.
> 
> Once I turn on PIM, IGMP on an interface, does that allow IGMP and PIM
> packets in on that interface or do I have to add them to my access list?
> 
> I know for some things, it auto adds things, like OSPF, EIGRP.
> 
> Just when I try the packet trace command it fails
> 
> Result:
> input-interface: xxxx
> input-status: up
> input-line-status: up
> Action: drop
> Drop-reason: (security-failed) Early security checks failed
> 
> 
> From my googling the error has something to do with reverse path lookup
> (when related to MC traffic), but the src address of the IGMP/PIM packet is
> from the local LAN!
> 
> A