Loss of internet connectivity after policy push

[dwmaas]

Hi,
I am adding to this post since this is similar to a problem I am seeing with my secureplatorm R55 HFA-17 active/active cluster. We use automatic nats and have a manual NAT rule that does not nat between management and firewalls.

Upon completion of policy push, we loose connectivity to the next hop router. I ping the router from the firewall during the push, the ping stops upon completion of the push. I try to re-push with no change. I have to perform a reboot of both firewalls to re-establish connectivity again.

This just started a few days ago, and we have not seen this before.
Any ideas of what the issue maybe or what I can do?

[RayPesek]

Check "fw ctl arp" before and after the policy push. See if you're losing ARP resolution for the router. Is the default route set to point to the router? If you take one gateway down, does it work OK?

Ray

[dwmaas]

Thanks. I will try that the next time I push a policy.
Yes the inet router is set as default route.
Yes, currently I have 1 member down, and this seemed to work but then it happened again with the one down.

[cciesec2006]

I experienced the exact same issue you referred to. I am also running
SPLAT on HFA_17 as well. I had to do the following to fix it:

1- perform cpstop on both firewalls:
2- cd $FWDIR/state
3- mv * /var/tmp
4- reboot both firewalls
5- repush policy to the cluster

It fixed my issue. Hopefully, it will fix yours as well.