Minimal Strikethrough Test

Troubleshooting Methodology

Step-by-Step Approach

Define the Problem Clearly:
- Which multicast group(s) are affected? Which source(s)?
- Are all receivers affected, or only some?
- Is the issue persistent or intermittent?
- When did it start? Any recent changes?
Verify Layer 1/2 Connectivity: Ensure physical links are up, and L2 connectivity (VLANs, MAC learning) is sound between hosts and the first-hop router (firewall), and between PIM routers.
Verify Receiver-Side (IGMP):
- Is the host attempting to join the group? (Check host logs/captures if possible).
- Is there an IGMP Querier on the host's segment?
```
> show routing multicast igmp interface 
```
  (Look for "Querier: yes" or the IP of the querier).
- Is the firewall receiving IGMP Membership Reports from the host?
```
> show routing multicast igmp group
```
```
> show routing multicast igmp statistics
```
  Packet capture on the host-facing interface for IGMP ( ip proto 2 ).
- Is IGMP enabled on the firewall's L3 interface facing the host?
```
> show routing multicast igmp interface 
```
Verify First-Hop Router (Firewall) PIM Behavior:
- If IGMP join is received, is the firewall sending a PIM Join upstream towards the RP (for *,G) or Source (for S,G)?
```
> show routing multicast pim join-prune
```
  Packet capture on the upstream PIM interface.
Verify PIM Adjacencies:
- Are PIM neighbors up between all routers in the path?
```
> show routing multicast pim neighbor
```
- Is PIM enabled on all relevant interfaces?
```
> show routing multicast pim interface
```
- Check for PIM Hello exchange with packet captures if neighbors are not forming.
Verify RP Configuration and Reachability (for PIM-SM):
- Is the RP information correct on all PIM routers? (Static, Auto-RP, BSR)
```
> show routing multicast pim rp
```
```
> show routing multicast pim bsr
```
  (if using BSR)
- Is there unicast reachability to the RP's IP address from all PIM routers?
```
> ping host 
```
```
> show routing route destination 
```
- If using dynamic RP (Auto-RP/BSR), check C-RP/C-BSR/MA status.
Verify RPF (Reverse Path Forwarding):
- On each PIM router in the path (including the firewall), check the unicast route to the source (for S,G state) or RP (for *,G state).
```
> show routing route destination 
```
- Does the RPF interface in the MFIB match the outgoing interface from the unicast route lookup?
```
> show routing multicast fib group  source 
```
Verify MFIB State:
- Check the MFIB on all PIM routers in the path, starting from the source's DR towards the receivers.
```
show routing multicast fib
```
- Is the correct (*,G) or (S,G) entry present?
- Is the incoming (RPF) interface correct?
- Is the Outgoing Interface List (OIL) populated with the correct downstream interfaces?
- Is the SPT bit set if expecting source tree switchover?
Verify Security Policies (Palo Alto Networks Firewall):
- Check Traffic logs for denies against the multicast group IP address as destination.
```
Monitor > Logs > Traffic (Filter: dst_addr eq  and action eq deny)
```
- Ensure an allow policy exists with correct source/destination zones, source IP (or any), multicast group IP as destination, and correct service/application.
Verify Source-Side:
- Is the source application actually sending multicast traffic? (Use packet capture on source segment).
- Is the source's DR correctly registering with the RP (for PIM-SM)? (Check RP's PIM Register state or MSDP SA cache if inter-domain).

Isolating the Problem

Work methodically from receiver to source, or vice-versa, checking each hop.

Receiver End: Host IGMP, first-hop router IGMP.
Network Core: PIM adjacencies, RP function, RPF checks, MFIB state propagation.
Source End: Source application, DR registration with RP.
Firewall Specific: Security policies, VR multicast config, interface PIM/IGMP config.

Divide and conquer. If a stream reaches router A but not router B, the problem likely lies between A and B, or on B itself.