https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195892#M36535 <DIV>Situation as follows: 2 x 3200 appliances on R80.30 jhfa take 237 (yes, I know). They were relocated over the weekend, external IPs changed, all good. Both appliances are up, active member is fine and passing traffic, ClusterXL reports all is well. The secondary appliance cannot ping its own default gateway, interface is up and topology is correct, no ARP entries at all, default route won't become active. Management cannot reach the box to put policy on (fw unloadlocal doesn't help). The link to the ISP is working, we've put a laptop on the same cable the FW was plugged into and given it the same IP and it works no problem.</DIV> Mon, 23 Oct 2023 10:19:03 GMT khodgson_bts 2023-10-23T10:19:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195892#M36535 <DIV>Situation as follows: 2 x 3200 appliances on R80.30 jhfa take 237 (yes, I know). They were relocated over the weekend, external IPs changed, all good. Both appliances are up, active member is fine and passing traffic, ClusterXL reports all is well. The secondary appliance cannot ping its own default gateway, interface is up and topology is correct, no ARP entries at all, default route won't become active. Management cannot reach the box to put policy on (fw unloadlocal doesn't help). The link to the ISP is working, we've put a laptop on the same cable the FW was plugged into and given it the same IP and it works no problem.</DIV> Mon, 23 Oct 2023 10:19:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195892#M36535 khodgson_bts 2023-10-23T10:19:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195893#M36536 <P>Can it ping if it becomes active?</P> Mon, 23 Oct 2023 10:21:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195893#M36536 _Val_ 2023-10-23T10:21:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195894#M36537 <P>We've not tried that yet. At the moment the site is live and we cannot have any downtime.</P> Mon, 23 Oct 2023 10:22:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195894#M36537 khodgson_bts 2023-10-23T10:22:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195897#M36539 <P>This may be normal, depending on the details of your configuration. With R80.40 and up, traffic from standby goes through sync interface towards the active member, see&nbsp;<SPAN>sk167453.</SPAN>&nbsp;</P> <P>Try running traces to see where packets are "lost".&nbsp;</P> Mon, 23 Oct 2023 10:35:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195897#M36539 _Val_ 2023-10-23T10:35:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195898#M36540 <P>All we are getting is "network unreachable" from traces and pings. Regardless of active/standby status, the device&nbsp;<EM>should</EM> be able to ping its own default gateway. The route is not even showing as active in the routing table.</P> Mon, 23 Oct 2023 10:45:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195898#M36540 khodgson_bts 2023-10-23T10:45:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195900#M36541 <P>Please look into the SK I already provided, you will see that it is a bit more complicated with ClusterXL</P> <P>Assuming you have policy installed on the new appliance, and the cluster is running in Active/Standby, it should be all good.&nbsp;<BR /><BR />However, by traces I mean, try to understand where exactly ICMP is broken. You can do that by running "fw monitor" on both standby and active cluster members. You can also check logs for drops of the relevant traffic.</P> Mon, 23 Oct 2023 11:06:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195900#M36541 _Val_ 2023-10-23T11:06:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195901#M36542 <P>Oh boy, I just re-read your post, you are running an unsupported R80.30. This changes everything.&nbsp;<BR /><BR />Please look into a similar thread in the community:&nbsp;<A href="https://community.checkpoint.com/t5/Security-Gateways/ClusterXL-standby-cannot-reach-gateway/m-p/25712#M1953" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/ClusterXL-standby-cannot-reach-gateway/m-p/25712#M1953</A></P> <P>&nbsp;</P> Mon, 23 Oct 2023 11:11:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-gateway-cannot-ping-its-default-gateway/m-p/195901#M36542 _Val_ 2023-10-23T11:11:35Z