I have an Exchange 2013 DAG which is connected over a Site-to-Site VPN.  Replication works without issue and there is communication between the DAG members on numerous UDP and TCP ports.  The only issue is the cluster heartbeat on UDP 3343.  This is blocked and shows in the security log as "Connection contains real IP of NATed address".  It also shows as the WAN interface and being blocked by the firewall.  All other traffic from the blocked server shows as the LAN interface and being allowed by VPN.  It appears that the UDP 3343 traffic is not being sent over the VPN, although my expertise is limited and I may be misinterpreting that. 

I'm fairly certain this is a configuration issue as I didn't have this issue before I upgraded the Checkpoint software and reconfigured the appliance.  

Any assistance is appreciated.  Please don't be too technical as it will go over my head 🙂 

Thanks.