| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Hi,

I've set up a VMware network with 2 managements and 2 firewalls. The managements work OK as active/standby. The firewalls work OK when they are separate ones. Now, when I make the 2 separate firewalls into one cluster and want to push the policy to it, it gives me an error message:

--------------------------------------------------------------
fw-cluster NGX R65 Advanced Security
The Topology information must be configured for object fw01, interface eth0, in order to use the Anti-Spoofing feature.
Warning: Anti-Spoofing is not configured for some interfaces and gateways. This will allow address spoofing through these gateways. Anti-Spoofing should be configured on the following objects:
Gateway: fw01, Interface: eth0
Operation ended with errors.
--------------------------------------------------------------

I know how to configure anti-spoofing. The strange thing is, when I edit the topology and modify fw01, the error message complains about fw02. So when I modify fw02, it complains about fw01 again. By modify I mean: change the subnet and IP address to something different, and change it back directly, just to provoke it into setting up the interface again.

The firewalls are SPLAT installations, nothing special, just a clean install. It did work before several times, but just now it doesn't, and I was curious about why it complains. In the web interface I've checked every interface and routing setting. I hope somebody has been there before ;) as I can use any help.

Some edits along the way:

[fw01]# cphaprob -a if
HA module not started.

cpconfig: Enable cluster membership for this gateway

- detached firewalls from cluster.
- delete cluster
- configure topology again on eth0 on both firewalls, as this disappears when removing from cluster.
- push policy to both firewalls (this always goes OK)
- rebuild the cluster, push policy to cluster, and again the above error.

-------------------------------------------------------------

Problem solved:

In the web interface, I had entered an extra route, which I needed to reach my internal NTP and DNS servers. The route has been tested, and worked OK. SmartDashboard also uses these extra routes when creating an anti-spoofing group, so the routed network and the interface network are both included in this anti-spoofing group... great stuff, all fine. But for some reason, it doesn't work when I create a cluster with an extra route entered in the web interface.

So: deletion of the extra route, re-create SIC, recreate the firewall object and the cluster... Now everything is fine.

Hope it can help someone... someday.

Last edited by GastonBougie; 2008-04-21 at 08:09.