Hi guys,

I've got a star community between my Check Point cluster (R77.30) and Amazon AWS (2 satellite gateways, each with its own public IP address). Both satellite gateways share the same encryption domain.
The tunnel has been up and running for a few months. When running "vpn tu" on the CLI, you can see both IKE and IPsec SAs for both satellite gateways.

Yesterday one of the AWS nodes went down/got crazy. The SAs to that gateway were not showing up, as the tunnel was down. OK, the thing is that the Check Point did NOT start to route the traffic towards the encryption domain through the secondary gateway/tunnel. The only way to make it work was to take the problematic AWS gateway out of the community and install policy.

Both are working now, but I'd like to find out what's going on, and why the CP didn't route the traffic through the other gateway when both have the same encryption domain and one of them was down (no SA active).

Can someone shed some light on this?