We have FW-1 NG FP3 R55 on Nokia IPSO. VRRP has been enabled and the cluster properties have been set to Synchronise State Table, but nothing happens. When we test failover (i.e. pull out a network cable) the VRRP works but the FTP session is lost, indicating that the state table replication didn't work. The user simply needs to start the FTP session again.
Also, on the network (x-over) for replication there is no traffic showing, either on TCPDUMP or on the Nokia Interface summary, indicating that FW-1 has not attempted to replicate the information. The policy has been pushed to the firewalls several times since making the changes in Smartcenter.
2) Are you using any HFA? HFA_04 or HFA_05 or HFA_06? How about IPSO? What version? IPSO 3.7.1 build 010?
3) Under the gateway cluster object, what do you use? I think the default is "OPSEC". You have to change to "Nokia VRRP".
4) Under the "Synchronization" tab, did you specify the "crossover network" as the network for the statefull sync?
5) The crossover interface for statefull sync has to be, at least, in the /28 network. In checkpoint 4.1, you can get away with a /30 network. In NG, it has to be at least /28. For example, the IP for the crossover for the primary is 10.1.1.1/28 and secondary is 10.1.1.2/28
After making all these changes, repush policy and you will see that it will work.
Have you double checked that CPHA State sync is enabled in cpconfig? You need to do this as well as define the network in the State Synchronisation tab. It should be set if its a fresh install but we've done a couple of upgrades where it needed to be re-enabled.
