I have the following:
<Site1 ClusterXL> <---------- Site-to-Site IPsec Tunnel ----------> <Site2 ClusterXL>
Member1-Site1: 10.10.171.2/24    Member1-Site2: 10.20.171.2/24
Member2-Site1: 10.10.171.3/24    Member2-Site2: 10.20.171.3/24
VIP: 10.10.171.1                 VIP: 10.20.171.1
Site-to-Site Tunnel 1 Encryption Domain: 10.11.171.0/24. Site1 has a cluster VIP here of 10.11.171.1.
Site-to-Site Tunnel 2 Encryption Domain: 10.12.171.0/24. Site2 has a cluster VIP here of 10.12.171.1.
Across that IPsec tunnel I have a Check Point native VXLAN interface pointed back at the opposite cluster:
Member1-Site1: 172.31.0.2/29     Member1-Site2: 172.31.0.5/29
Member2-Site1: 172.31.0.3/29     Member2-Site2: 172.31.0.6/29
VXLAN VIP Site1: 172.31.0.1      VXLAN VIP Site2: 172.31.0.4
Remote addr: 10.12.171.1         Remote addr: 10.11.171.1
I then have a route from Site1: route 10.20.171.0/24 via 172.31.0.4
And a route from Site2 back: route 10.10.171.0/24 via 172.31.0.1
This works perfectly. I can reach all hosts on 10.10.171.0/24 or 10.20.171.0/24 from either side, except for traffic headed to the standby member of the ClusterXL on the destination net.
Can anyone shed light on why this might be the case?