Thank you to everybody who has commented. Checkpoint Support came back to us last night, it looks like we have a mismatch in encryption.
We re added the clients 3100 to our management server after updating all the ip's to new ones as a possible alternative. Last week checkpoint support removed the device in case it was causing a conflict.
When testing we got the vpn connection but the connection to the lan was not working. After 15 minutes I then started to get a response to a ping to a local device.
Last night I did some changes on the GW, under IPSec VPN, Traditional Mode. The bellow screen shots are from our 3100 device:
Advanced Tab
If I click okay it gives me an error "check one data integrity method", so I have clicked cancel, and if I open it again I get the same.
In my testing last night I cleared the traditional mode on cluster settings as they had all been ticked, then tried to set it to what windows l2pn connection wanted then matched it to what the 3100 showed as we could establish the connection to that device.
The cluster shows the following under Traditional mode IKE Properties:
Under Advanced settings, I have only selected group 2, previously 19 and 20 where also ticked.
The 3600 member's had new IP Addresses assigned to their network ports and we changed the main ip address on the 3100 and unplugged it from the network when we added the virtual Ip addresses on the cluster to match the 3100 ip addresses.
The cluster virtual IP column is what we had on the 3100 device.
In my testing the vpn to the 3100 on a different public ip is working today as it always use to. The vpn to the cluster and the normal public ip does nothing. It almost looks like the policy for the Gateway settings are not applying properly. The 3100 was our main firewall, which was replaced with 2 3600 in high availability mode.