I have set up an active/active cluster using NetScreen 208s running os.5.0.0r8.0
The NetScreen is configured as follows:
ethernet1 0.0.0.0/0 Untrust Layer3 active
ethernet2 0.0.0.0/0 Untrust Layer3 active
ethernet3 0.0.0.0/0 Trust Layer3 active
ethernet4 0.0.0.0/0 Trust Layer3 active
ethernet5 0.0.0.0/0 DMZ Layer3 active
ethernet6 0.0.0.0/0 DMZ Layer3 active
ethernet7 0.0.0.0/0 HA Layer3 up
ethernet8 0.0.0.0/0 Null Unused down
redundant1 x.x.x.x/26 Untrust Redundant active
redundant1:1 x.x.x.x/26 Untrust Redundant inactive
redundant2 192.168.168.1/24 Trust Redundant active
redundant2:1 192.168.168.2/24 Trust Redundant inactive
redundant3 192.168.169.1/24 DMZ Redundant active
redundant3:1 192.168.169.2/24 DMZ Redundant inactive
vlan1 0.0.0.0/0 VLAN Layer3 inactive
Netscreen A - VSI 0 = 1
Netscreen B - VSI 0 = 100
Netscreen A - VSI 1 = 100
Netscreen B - VSI 1 = 1
The 2 NetScreens are cabled in a full mesh with 2 Cisco 2950s.
The Cisco switches are trunked and each consists of 3 VLANs:
Vlan 2 - Untrust
Vlan 3 - Trust
Vlan 4 - DMZ
Plugged into the switches are Debian servers running bonded (teamed) interfaces.
DB 1 - Debian (trust)
IP 192.168.168.10
GW 192.168.168.1
DB 1 - Debian can ping
192.168.168.1
192.168.168.2
192.169.169.1
but not 192.169.169.2??
Web 1 - Debian (DMZ)
IP 192.169.169.10
GW 192.169.169.1
Web1 can ping
192.169.169.1
192.169.169.2
192.168.168.1
but not
192.168.168.2??
Everything else is working fine except for not being able to ping all 4 gateways configured on the firewalls. I have tried pinging from the switches but I get the same problem.
I have never set up active/active before, so I was wondering whether this was the default behaviour.
Has anybody else got any ideas?
Thanks
Evan