Hi Kaspars,  Next hop is same as active member 

In active member default route is showing but not showing on standby member

Hi Vanesa,  yeah i enabled ping on static route and i'm using single default route

Hi Vanesa,

Many many thanks to you , As of now issue resolved. i disabled ping on default route both firewall have default route.

Thanks again for your support !

Thanks Vladimir, Update showing in CPUSE, Will install As soon as possible.

Well, it will only show route if the interface is connected and the next hop reachable.

If you cannot get to the 10.10.10.4, I'd suggest looking into that.

Possible misconfiguration on the switch side. I.e. access instead of trunk, incorrect VLAN membership, no IP assigned to the VLAN interface, etc...

Thanks Vlad but ...

1. there is no switch in between - just int to int between one firewall and another (Fortigate <-> CheckPoint)

2. there are no L2 configs - just plain static route but when querried ip r g 192.168.16.0 it shows totally diff. direction - via eth1 (wrong!)

3. L1 is just fine (links are up) and both interfaces are blinking green

next hope should be reachable as it is configured plainly as eth1 on Forti with 10.10.10.4/29 with static route against nets behind CP with next hope 10.10.10.3

any ideas chaps?

Tell me if the eth3 is defined in the cluster topology as a "Non-clustered monitored" interface.

eth3 is indeed defined as "Private" as it is not Clustered nor Sync interface.

thing is that this Fortigate 80C is driving me mad already, got routes in place, acl's in place on both FWs but still no go,

arp table on CP Cluster shows mac from 10.10.10.4 hosts on respectful interface:

[Expert@CP01:0]# arp -an
? (10.10.10.4) at 00:09:0F:DC:2E:13 [ether] on eth3

but still I'm not only unable to ping above host but olso not able to ping anything behind (192.168.16.0/24 net) which is a desirable goal here

If you have a physical access to the equipment, why not connect directly to the Fortigate's port from the laptop and determine if it is working as intended?

I do not think that the cphaprob -a if should be showing "Disconnected".

The problem may very well be in Fortigate's config.

I'll find out next week just made following recommendations to the "Fortigate Team" in New Zeland

- connect little 4-8 port switch to the Fortigate DMZ Port

- connect pachcords between two eth3 ports from CheckPoints to the swithc

- connect pachcord between one dmz port from Frotigate to the switch

- let me know when done

I've made a Cluster with VMAC on ClusterXL with 10.10.10.1 (2/3 physicals) and let's see how it goes when little switch arrives

Unfortunately I have no ways ot flying over there just for few days (not now!) as this site is very remote (Hamilton NZ) and the IT Team is just on-demand helping me with the migrations.

Thanks Vlad anyway, I'll keep you posted when next week "little netgear switch" won't solve my problems. I do know that theoretically it should work but this is the peering ClusterXL with Fortigate over 1G cooper port  super simple and complicated at the same time LOL

have a good weekend!

Beware of the "little netgear switch(es)", those suckers are known to be flaky.

Just had three of those yanked out from my home lab and replaced with Meraki gear.

ok. here is a proper update for you all, should anyone knows what a heck I'm doing wrong (*wink*) - do let me know

obviously I was following IN DETAIL sk86582 but,:

exec ping 10.10.10.1 (from Fortigate CLI on 10.10.10.4)

5 packets transmitted, 0 packets received, 100% packet loss

whilst on zdebug on CP Cluster:

;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 10.10.10.4:2048 -> 10.10.10.1:5649 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;

when $FWDIR/lib/crypt.def (on SMS + successfuly pushed is like following:

vpn_exclude_src1={<192.168.16.0,192.168.16.254>};

vpn_exclude_dst1={<a.a.a.1,a.a.a.254>};

vpn_exclude_src2={<10.10.10.0,10.10.10.255>};

vpn_exclude_dst2={<10.10.10.0,10.10.10.255>};

vpn_exclude_src3={<a.a.a.1,a.a.a.254>};

vpn_exclude_dst3={<192.168.16.0,192.168.16.254>};

with following in a proper place as well:

((src in vpn_exclude_src1) and (dst in vpn_exclude_dst1)) and ((src in vpn_exclude_src2) and (dst in vpn_exclude_dst2)) and ((src in vpn_exclude_src3) and (dst in vpn_exclude_dst3))

ps. all in right space, spot and policy installed - just simply DOES NOT WORK and I cannot ping whatever direction I'll take based on the exclude_objects from above.

any clue chaps ?

also:

[Expert@CP01:0]# tcpdump -nni any host 10.10.10.4
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
01:29:02.431263 IP 10.10.10.4 > 10.10.10.3: ICMP echo request, id 512, seq 0, length 64
01:29:03.422064 IP 10.10.10.4 > 10.10.10.3: ICMP echo request, id 512, seq 256, length 64
01:29:04.421712 IP 10.10.10.4 > 10.10.10.3: ICMP echo request, id 512, seq 512, length 64
01:29:05.421711 IP 10.10.10.4 > 10.10.10.3: ICMP echo request, id 512, seq 768, length 64
01:29:06.421711 IP 10.10.10.4 > 10.10.10.3: ICMP echo request, id 512, seq 1024, length 64
01:29:07.421659 arp who-has 10.10.10.3 tell 10.10.10.4
01:29:07.421688 arp reply 10.10.10.3 is-at 00:1c:7f:83:2f:76