Hello,
I have the following situation. The customer has 2 data centers with a pair of gateways in each, forming 2 clusters (R80.30 JHF 237, one is kernel 2.16, the other 3.10) managed by the same CP management (also R80.30, but not sure of the HF). Both clusters face the Internet from different ISPs, have different VPN pools and receive the same security policy.
The customer's demand is for their workers to use cluster1 as their RA cluster and cluster2 to be used as the Mobile Access portal for their end clients' access. Of course, when one of the clusters fails all will use the healthy one, and the infrastructure in both DCs must be accessible.
Right now we are testing the following: the VPN client is connecting to cluster2, but in Smart Monitor we see it connected to cluster2's IP, having received an IP from cluster2's pool, but in Gateway - cluster1. Using vpn tu in the CLI we see the customer's IP (from cluster2's pool) in both clusters. When doing test traffic we see it entering on cluster1 (it doesn't matter that the client is connected to cluster2), reaching the destination device, but trying to exit via cluster2, and of course it's dropped because of an asymmetric route.
In the infrastructure there is no dynamic routing. Right now there are static routes configured for cluster1's and cluster2's pools, pointing to the respective device.
Can't find any documentation explaining why the VPN connects to cluster2 but the traffic arrives at cluster1. MEP and Secondary Connect are not configured.
Is this expected behavior? Should we split the common policy in two, one for each cluster? We are aware that if we change the static route in the internal infrastructure to point to only one of the clusters everything will work, but this is not the goal here.
Thanks in advance.