CPUG: The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Since I didn't get any responses in the Edge forum, I am reposting this here in hopes of getting some help. I am in the process of evaluating a Crossbeam C25. It was running NGX so I needed to update my test lab SmartCenter Server to NGX as well. After accomplishing this (may detail those issues later) and getting the object for the new firewall created, I tried to push an existing policy to the new firewall. When it tries to verify the policy and write out the new .pf file, it fails with error: stub identifier (vpn_enc_domain) "ip addresses" redefined. There are several of these error messages. Looking at the .pf file, I can see what is happening. We have created a couple of remote Edge WAN HA configurations. In these configurations, I have set up two Edge boxes with the same internet-facing IP address through which we manage the boxes. I also have an object for each of these in the firewall since they have different MAC addresses, license numbers, etc., but both have the same IP address for their object. When NGX is creating the policy file for the Crossbeam, it is creating these stub identifiers for each firewall and there are two entries, Edge1a and Edge1b, with the same IP address. Pushing the policy fails every time as it chokes when it verifies the lines where Edge1b's entries are. These pairs are configured to have the same WAN interface IP address that is connected to our WAN. There are numerous VLANs on the DMZ port and failover on a port VLAN on one of the LAN interfaces. There are objects for each Edge device that have the same IP address on the SMS. In NGAI R55, I would get a warning that another device had the same IP address when I saved changes to the object, but it didn't seem to have any effect on anything and it worked. They do not do any VPN either. Note that none of these actually exist in the test environment at this time. They are only objects in the SMS. After migrating from R55 to NGX R60 HFA3 on the SMS, everything appeared to be fine.
I configured the object for the Crossbeam box ok. I modified an existing object that we are going to replace with it and changed the IP address to be the management interface on the Crossbeam. So far, so good. The problem arose when I tried to push an existing policy for the old firewall to the new one. The policy will verify ok, but fails on the installation with the following:

Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 20399: ERROR: stab identifier <sr_enc_domain> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 20400: ERROR: stab identifier <sr_enc_domain_valid> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 20401: ERROR: stab identifier <vpn_enc_domain> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 20402: ERROR: stab identifier <vpn_enc_domain_valid> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 21197: ERROR: stab identifier <vpn_routing> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 21200: ERROR: stab identifier <vpn_enable_routing> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 21201: ERROR: stab identifier <vpn_enable_internet_routing> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 22060: ERROR: stab identifier <sdb_edge_clusters> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 22144: ERROR: stab identifier <om_protected_group> for host XXX.XXX.XXX.251 redefined

The IP addresses correspond to the IP addresses of the Edge WAN HA pairs. It appears that it doesn't like the two Edge objects having the same IP address for management.
I tried deleting two of the six Edge pairs and they no longer showed up in the error message. Changing the IP address of one member of the WAN HA pair solves the problem and allows me to push a policy to the Crossbeam. The problem is that they are configured that way in the production environment, so I need to figure out some way to make it work. Any suggestions? I can't find anything on this through Google, Checkpoint Knowledge Base or the user group forums. No, I don't have a support contract either. Thanks.
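Added example, not part of the post above or of any Check Point tool: a small Python triage helper that parses the "stab identifier ... redefined" installation errors quoted in the post and groups the redefined identifiers by host, so that with many errors across several HA pairs it is quick to see which object IP addresses collide. The error text format is taken from the post; the sample output and its addresses are constructed.

```python
import re
from collections import defaultdict

# Pattern for the installer error format quoted in the post:
#   Advanced Security NGX R60 "<pf file>", line N: ERROR: stab identifier <id> for host A.B.C.D redefined
ERROR_RE = re.compile(
    r'"(?P<pf>[^"]+)", line (?P<line>\d+): ERROR: '
    r'stab identifier <(?P<ident>[^>]+)> for host (?P<host>\S+) redefined'
)


def parse_stab_errors(output):
    """Return one dict per 'stab identifier ... redefined' error found in the text.

    The regex scans the whole string, so it handles both one error per line and
    the run-together form that results when installer output is pasted into a forum.
    """
    return [
        {"pf": m.group("pf"), "line": int(m.group("line")),
         "ident": m.group("ident"), "host": m.group("host")}
        for m in ERROR_RE.finditer(output)
    ]


def hosts_by_collision(errors):
    """Group redefined identifiers by host: each key is an IP shared by two or more objects."""
    grouped = defaultdict(list)
    for err in errors:
        grouped[err["host"]].append(err["ident"])
    return dict(grouped)


# Constructed sample: three errors pasted onto one line, two hosts, documentation addresses.
SAMPLE = (
    'Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 20399: '
    'ERROR: stab identifier <sr_enc_domain> for host 192.0.2.251 redefined '
    'Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 20401: '
    'ERROR: stab identifier <vpn_enc_domain> for host 192.0.2.251 redefined '
    'Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 22060: '
    'ERROR: stab identifier <sdb_edge_clusters> for host 192.0.2.17 redefined'
)

if __name__ == "__main__":
    for host, idents in hosts_by_collision(parse_stab_errors(SAMPLE)).items():
        print(host, "->", ", ".join(idents))
```

Each host reported this way corresponds to at least two objects in the SmartCenter database sharing that IP, which is the condition the post identifies as the cause.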