2008-01-31
fdamstra
Re: Dropping connections for IP's ending in .255

I wanted to post an update to this, as some further experiments have determined that this is a problem related to ClusterXL Unicast Load-sharing.

We tried with a couple of different IP addresses that ended in .255. We found that sometimes it would work for one VLAN, sometimes for the other, and sometimes for neither. Further investigation revealed that when the traffic went through the pivot, the connection was successful, but when it went through the secondary firewall, the connection was unsuccessful.

So, we did a 'cpstop' on the pivot (failed over to the secondary), and all traffic was successful. Similarly with failing over to just the primary firewall. Provided there is only one node in the cluster, the traffic is successful.

We are planning on moving to new mode high availability to see if this solves the problem. Even so, we have enough traffic going through these firewalls that that's not an ideal solution, so we're continuing to push CheckPoint support for a fix.

(Sidenote: We're running Load Sharing Unicast because Load Sharing Multicast prevented all traffic to Cisco devices, though all other hosts seemed to be fine.)