Hello All.
We are investigating an odd behaviour and I wanted to reach out to see if anyone is seeing similar issues.
We have an MX100 as a one-arm concentrator for our topology; this MX100 is behind a High Availability Firewall that does 1-to-1 NAT for this MX100.
When we fail over from physical Firewall 1 to Firewall 2, the MX100 stops working and says "Bad internet, disabled Gateway".
If we then change the external address, the device works again, but if we fail back to Firewall 1 then the device stops working again.
We have a lot of services running behind this firewall and they all work.
Any Ideas?
On your HA pair, do you have a virtual IP set up? Is your MX pointing at that VIP or is it pointing directly to the IP of one of the firewalls?
Yes, there is a Virtual IP set up on the Firewalls. And the firewalls are in sync and both keep track of sessions.
Okay. When you say change the external address, is that the outside address on your 1:1 NAT?
This sounds like a failure of UDP NAT. Are the HA firewalls syncing the UDP NAT table?