You need to ensure valid RPF information when the Virtual Router Redundancy Protocol (VRRP) is running on the upstream routers.
Run a dynamic routing protocol for a successful RPF check:
set protocol ospf
FIREWALL-A(trust-vr/ospf)-> set interface bgroup0 protocol ospf area 0.0.0.0
FIREWALL-A-> set interface bgroup0 protocol ospf enable
FIREWALL-A-> set interface ethernet0/0 protocol ospf area 0.0.0.0
FIREWALL-A-> set interface ethernet0/0 protocol ospf enable
In a scenario with a single next hop to an RP or source, static routes in the firewall will work just fine. But, to handle the issue of gateway redundancy, VRRP is often used to provide a virtual gateway. You can see this topology in Figure 20-9.
Figure 20-9 shows a firewall connected to a set of multicast listeners. The routers upstream are running VRRP, and the firewall points a static default route to the virtual IP (VIP) address to ensure that connectivity is maintained in the event of a failure. The problem with this scenario is that PIM requires the RPF to the RP or source to point to the PIM neighbor address. In this scenario, the PIM neighbors of the firewall are at 10.5.5.252. Because the default route points to 10.5.5.254, the RPF check will fail, and PIM will not be able to perform RP mapping or join/prunes to any interested groups. To accommodate this, ...
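The RPF mismatch described above can be modeled in a few lines. This is an added example, not code from the original text or from ScreenOS: it compares the next hop of the best route toward the RP against the PIM neighbor list. The RP address, the 192.0.2.0/24 prefix, and the choice of ethernet0/0 as the upstream interface are assumptions; only the two 10.5.5.x addresses come from the text.

```python
import ipaddress

# Constructed sample data. The two 10.5.5.x addresses come from the text;
# the RP address, its prefix and the interface role are assumptions.
VIP = "10.5.5.254"            # VRRP virtual IP used by the static default route
PIM_NEIGHBOR = "10.5.5.252"   # real interface address of an upstream PIM router
RP = "192.0.2.1"              # hypothetical rendezvous point
PIM_NEIGHBORS = {"ethernet0/0": {PIM_NEIGHBOR}}

# Routing table with only the static default, then with a route learned
# from the upstream router over a dynamic protocol such as OSPF.
STATIC_ONLY = [("0.0.0.0/0", VIP, "ethernet0/0")]
WITH_OSPF = STATIC_ONLY + [("192.0.2.0/24", PIM_NEIGHBOR, "ethernet0/0")]


def rpf_lookup(routes, target):
    """Longest-prefix match; returns (network, next_hop, iface) or None."""
    addr = ipaddress.ip_address(target)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def rpf_check(routes, pim_neighbors, target):
    """Pass only if the next hop toward target is a PIM neighbor on that interface."""
    route = rpf_lookup(routes, target)
    if route is None:
        return False, "no route to %s" % target
    net, next_hop, iface = route
    if next_hop in pim_neighbors.get(iface, set()):
        return True, "%s via PIM neighbor %s" % (net, next_hop)
    return False, "%s via %s, not a PIM neighbor on %s" % (net, next_hop, iface)


if __name__ == "__main__":
    for label, table in (("static default to VIP", STATIC_ONLY),
                         ("OSPF-learned route", WITH_OSPF)):
        ok, reason = rpf_check(table, PIM_NEIGHBORS, RP)
        print("%-22s %s (%s)" % (label, "PASS" if ok else "FAIL", reason))
```

The static default still exists in the second table; the check passes only because the more specific learned route wins the longest-prefix match and its next hop is the neighbor's real address rather than the VIP.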