[AusNOG] Quick ASA question

Alex Samad - Yieldbroker Alex.Samad at yieldbroker.com
Wed Feb 25 17:24:45 EST 2015


Sorry I replied too quickly

Because it's my main prod router and my test router is not set up to be able to test this.

Thanks 

> -----Original Message-----
> From: Alex Samad - Yieldbroker
> Sent: Wednesday, 25 February 2015 5:23 PM
> To: 'Mark ZZZ Smith'; ausnog at lists.ausnog.net
> Subject: RE: [AusNOG] Quick ASA question
> 
> So I tried
> 
> http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115804-asa-multi-probs-00.html
> http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/route_multicast.html#wp1067046
> 
> then tried searches for Drop-reason: (security-failed) Early security checks
> failed
> 
> But didn't actually find the answer I was looking for.
> 
> A
> 
> > -----Original Message-----
> > From: Mark ZZZ Smith [mailto:markzzzsmith at yahoo.com.au]
> > Sent: Wednesday, 25 February 2015 5:21 PM
> > To: Alex Samad - Yieldbroker; ausnog at lists.ausnog.net
> > Subject: Re: [AusNOG] Quick ASA question
> >
> > So what did the manual say about setting up multicast, and why haven't
> > you spent 5 minutes trying to add them to your ACL to see if that is
> > the cause of your problem?
> >
> >
> >
> > http://www.catb.org/esr/faqs/smart-questions.html#before
> >
> > ________________________________
> > From: Alex Samad - Yieldbroker <Alex.Samad at yieldbroker.com>
> > To: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
> > Sent: Wednesday, 25 February 2015, 16:20
> > Subject: [AusNOG] Quick ASA question
> >
> >
> > Hi
> >
> > I'm setting up multicast routing through an ASA5520.
> >
> > Once I turn on PIM, IGMP on an interface, does that allow IGMP and PIM
> > packets in on that interface or do I have to add them to my access list?
> >
> > I know for some things, it auto adds things, like OSPF, EIGRP.
> >
> > Just when I try the packet trace command it fails
> >
> > Result:
> > input-interface: xxxx
> > input-status: up
> > input-line-status: up
> > Action: drop
> > Drop-reason: (security-failed) Early security checks failed
> >
> >
> > From my googling the error has something to do with reverse path lookup
> > (when related to MC traffic), but the src address of the IGMP/PIM
> > packet is from the local LAN!
> >
> > A
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog

