[Noidea]

Hello,

We have the same problem. When analysing traffic we saw that the passive member is answering with his VIP adress, which causes the next packet to be routed to the Active member, and therefore the connection fails.

This also makes it impossible to do for example NTP updates from the passive member, as he is going to send out his NTP requests using his VIP as source, and the reply will come to the active member.

sk31607 discribes this issue. This seems to be the case from:

VPN-1 Pro (VPN-1/FW-1) NGX R65
VPN-1 Pro (VPN-1/FW-1) NGX R60 (since HFA_05).
VPN-1 Pro (VPN-1/FW-1) NG with AI R55 HFA_19.

To enable/disable this feature, you have to change the global parameter
fwsm_dlpi_notification from '0' (default value) to 1.

Now... In our case, the parameter IS set to 0 ( default ) but the passive module is still sending out requests from it's VIP.

Anyone an idea?