Old 2007-07-11
mcnallym (Senior Member)
Re: SecureRemote Authentication with RSA SecurID version 6.1

There are two ways that you can fix this. There is actually an excellent answer in the RSA and the Check Point knowledgebases. The problem is that you don't always know which IP the Nokia will send to the RSA Server.

In some cases, the agent libraries (client side) will use the wrong interface IP in the decryption and authentication will fail. To overcome this, place a new text file "sdopts.rec" next to "sdconf.rec" with the line "CLIENT_IP=x.x.x.x" where "x.x.x.x" is the agent's primary IP as defined on the server (the IP of the interface that the server is routed to).

Use the VRRP address and place the sdopts.rec file on both boxes. It is what I do personally and it works well. You will also need to copy the sdconf.rec file from the master to the secondary unit if you use the VRRP address.

Check Point actually say to use the member's IP address and have an entry for each box, saving the need to copy the sdconf.rec file. However, I find you have to tell the box not to NAT when doing this.

To prevent the cluster member from hide NATing its unique IP, add the line "no_hide_services_ports = { .., <5500, 17> };" to the $FWDIR/lib/table.def file on Management Server and install policy.

The changes are lost when you upgrade the box, so personally I stick with using one entry and the cluster IP address in the sdopts.rec, as it works across the upgrades as well.
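The two settings in the post above, as an added shell example that is not part of the original post or of any RSA or Check Point tooling. It writes the sdopts.rec override (CLIENT_IP=x.x.x.x) next to sdconf.rec only after validating the address and confirming sdconf.rec is present, reads it back for a sanity check, and checks whether a table.def file already lists UDP/5500 (<5500, 17>) in no_hide_services_ports. The directory, the 192.0.2.x addresses and the sample table.def line are constructed for illustration; the real locations are the agent's configuration directory and $FWDIR/lib/table.def on the management server.

```shell
#!/bin/sh
# Added example (not from the forum post): manage the RSA agent's
# sdopts.rec override and check the Check Point no-hide-NAT entry.

# validate_ipv4 IP -> succeeds when IP is a dotted quad with octets 0-255
validate_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
            exit 0
        }'
}

# write_sdopts DIR IP
# Writes DIR/sdopts.rec containing "CLIENT_IP=IP" next to DIR/sdconf.rec.
# Refuses when sdconf.rec is missing (the agent needs both files) or when
# IP is malformed, so a typo cannot silently point the agent at an
# address the RSA server does not know.
write_sdopts() {
    dir=$1
    ip=$2
    if [ ! -f "$dir/sdconf.rec" ]; then
        echo "write_sdopts: $dir/sdconf.rec not found; copy it from the RSA server first" >&2
        return 1
    fi
    if ! validate_ipv4 "$ip"; then
        echo "write_sdopts: '$ip' is not a valid IPv4 address" >&2
        return 1
    fi
    printf 'CLIENT_IP=%s\n' "$ip" > "$dir/sdopts.rec"
}

# check_sdopts DIR
# Prints the CLIENT_IP configured in DIR/sdopts.rec; fails unless exactly
# one well-formed CLIENT_IP line is present. Strips CR in case the file
# was edited on Windows before being copied to the box.
check_sdopts() {
    f=$1/sdopts.rec
    [ -f "$f" ] || return 1
    n=$(grep -c '^CLIENT_IP=' "$f" || true)
    [ "$n" -eq 1 ] || return 1
    ip=$(sed -n 's/^CLIENT_IP=//p' "$f" | tr -d '\r')
    validate_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# has_securid_no_hide FILE
# Succeeds when FILE (normally $FWDIR/lib/table.def on the management
# server) lists <5500, 17> (UDP/5500, the SecurID agent port) inside
# no_hide_services_ports, meaning the cluster member will not hide-NAT
# its own SecurID traffic behind the cluster address.
has_securid_no_hide() {
    grep -Eq 'no_hide_services_ports[[:space:]]*=.*<[[:space:]]*5500[[:space:]]*,[[:space:]]*17[[:space:]]*>' "$1"
}
```

Run write_sdopts on each cluster member with the VRRP address (the approach the post settles on), then check_sdopts to confirm what the agent will actually read; has_securid_no_hide is only relevant if you follow the per-member variant and need the no_hide_services_ports entry on the management server.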