This sounds somewhat strange,  cluster policies should be more or less identical for all cluster members.
Normally there should be no reason why one gateway would drop traffic which the other members let pass.
So you might want to check some things.

Is the cluster ok?
->> check all clustermember interfaces are shown up for both cluster members. (cphaprob stat)
->> check the cluster is synced
(see the "monitoring delta synchronization" section inside the R80.30 CLI Reference Guide)
-> use 'show cluster statistics sync' from clish ( or 'cphaprob syncstat' from expert mode)

Is the traffic truly blocked?
- Verify that with smartlog, if smartlog doesn't show a thing go for fw monitor or cppcap.
If it is blocked check why  -> usually it antispoofing and/or incidentally a clustermember object was used instead of the cluster object inside the firewall policy. If it's antispoofing, check that it is allowed inside according antispoofing group and also that there is no asymmetric routing in place.
Checkpoints are by default acting stateful, therefore it will drop asymmetric traffic.(traffic arrives at one interface/ip and derrives from another interface/ip at server side) most of the time that happens if the server default routes are pointing towards another interface. The Firewall will consider this as new connection and because it never received a TCP-SYN for the connection it will drop the traffic. If you're unable to change the routing, you can define exceptions, please be aware that this can become nasty with ips blade enabled. A clean routing should be always the preferred solution.


If it's not blocked by the policy the arp caches on server side might be an issue.
By default ClusterXL uses the gateways mac and sends gratitious arp, when failing over. If the arp caches on server side have a long expiration timer it might happen that server still tries to send ethernet frames towards the mac of the previous active cluster member or expects them from the old mac. 
A short term work around from server side is pinging the gateways ip address, this should renew the arp entry on server side. Under circumstances you might have to flush the arp caches on the server depending on the installed os.  -> check arp table on server side
If that is your issue you can work around longterm using virtual mac addresses. (see sk50840)

HtH

Hi,

I have enabled VMC and cleare ARP caches of all the connected ports of adjacent L3 switches. But still no luck.

Try all the following from Member 1 while it is active.

As mentioned earlier you'll need to use tcpdump -e to verify the inbound destination MAC address is correct when Member 1 is active.

If you have verified that, next step is to verify that the traffic is reaching the Firewall Worker (INSPECT) with fw monitor -F, in particular the "i" capture point.  If packets are showing up in tcpdump but not reaching "i" you have some kind of inbound layer 2 networking problem like ARP.

If the traffic is reaching "i", next step is to run fw ctl zdebug drop which will display all traffic dropped by INSPECT/SecureXL in real time and the reason.

If the traffic is not being dropped, use fw monitor to verify the traffic is reaching "i" then "I".  You should next see that packet enter "o" but if it doesn't, you have a layer 3 routing problem in Gaia.  

In fw monitor -F assuming the packet reaches "o" it should next go through "O".  If it goes through "O" but does not appear in a tcpdump on the egress interface or actually get transmitted to the network, you have an outbound layer 2 networking problem, such as the inability to form an IP-MAC mapping for the next-hop router or destination.