Dear CheckMates,

We encounter some strange behavior after the migration of our checkpoint cluster.

We changed the hardware from Check Point 5600 to Check Point Quantum Force 9100 appliances.

The steps we have taken for a successful full migration are:

Current state -> A is active, and B is stand-by

1. [5600 B] Poweroff the R81.20 the standby cluster member (5600 B)
2. [9100 B] Connect to R81.20 new member and configure interfaces and routes,... with the same settings from the old [5600 B].
3. Install SIC, add license, change cluster version, fix cluster member topology, install policy on gateway [9100 B] (remove flag "if fails")

     [5600 A] remains active

4. [5600 A] Poweroff the R81.20 appliance (5600

5. The [9100 B] become active

6. [9100 A] Connect to R81.20 new second member and configure interfaces and routes, with the same settings as the old [5600 A]

7. Install SIC, add license, fix cluster member topology, install policy on both new gateways (add flag "if fails")

After the successful migration we encounter that there is no ping traffic through the VPN Tunnels of the VPN Community. The VPN Community are branch offices with Check Point devices.

We pushed to all the Check Point the correct policy set.

So, after some digging, we see that the ICMP traffic is routed through the VPN tunnel but not receiving on the other side. Other Protocols such as SSH or https are working fine but no ICMP. 

The old cluster is running on R81.20 JHF take 86 the new cluster is running on R81.20 JHF take 92.

That’s the only difference between the cluster’s devices. due to a short migration we could not update the devices to take 96. 

So have some one any ideas ?!

Thanks for helping,