Friday, December 09, 2005

Q: How do I get my Cisco router to communicate with the IP of my Checkpoint active/active cluster?

A:
A Cisco router will not be able to communicate with a Checkpoint cluster at the cluster IP address without special help. This is because on the Checkpoint the cluster IP is bound to a multicast MAC address, and either the Checkpoint cluster by default fails to answer ARP broadcasts looking for that cluster IP, or the Cisco router refuses to accept or recognize the ARP replies. One way around this is to figure out the MAC address associated with that multicast address, and put a static ARP entry on the Cisco device associating that multicast MAC with the cluster IP (which is not a multicast IP). Here's how:
  1. Find out the multicast IP address associated with the cluster IP with which you need to communicate. The multicast IP can be found by logging into Voyager as cluster admin, and going to the same "cluster configuration" where you assigned the IP addresses. The multicast address is shown in the right column of the IP address assignment form.
  2. As you know, any multicast IP address can be directly converted to a multicast MAC address by masking off the leftmost 5 bits of the IP, taking the remaining 23 bits of the IP, and ORing them with 0x01001e7f0000. See here for a quick explanation of this.
  3. At the Cisco device, put in a static ARP entry using the command arp {unicast cluster IP} {multicast cluster MAC}.
You have to put in a static ARP entry for every IP address that the Checkpoint is supposed to be listening on. This means if the Checkpoint is doing NAT for a whole bunch of addresses, you'll have to be very careful to add a static ARP entry on the Cisco for each of them. They will all be at that same multicast MAC address you calculated. [Update] Nokia/Checkpoint clusters do not even communicate with other Nokia/Checkpoint firewalls by default! I've logged this as a separate FAQ: here.
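A worked version of steps 2 and 3, added here as an illustration (it is not code from the original post, nor a Check Point or Cisco tool). It uses the standard RFC 1112 mapping of an IPv4 multicast group to an Ethernet MAC (OUI 01:00:5e followed by the low-order 23 bits of the group address); the hex constant quoted in step 2 is written differently, so compare the MAC this produces with the one Voyager displays before committing it. The group 224.1.2.3, the 10.1.1.x addresses and the "show ip arp" output are constructed sample data; the "arp ... arpa" form is the IOS static ARP syntax, with "arpa" as the encapsulation keyword.

```python
import ipaddress
import re
from typing import Dict, List

# RFC 1112: Ethernet multicast MAC = 01:00:5e, high bit of the fourth octet
# zero, then the low-order 23 bits of the IPv4 multicast group address.
MCAST_OUI = 0x01005E000000
LOW_23_BITS = 0x7FFFFF


def multicast_mac(mcast_ip: str) -> str:
    """Return the multicast MAC for an IPv4 multicast group as 12 hex digits."""
    ip = ipaddress.IPv4Address(mcast_ip)
    if not ip.is_multicast:
        raise ValueError(f"{mcast_ip} is not an IPv4 multicast address")
    return f"{MCAST_OUI | (int(ip) & LOW_23_BITS):012x}"


def cisco_mac(mac_hex: str) -> str:
    """Render 12 hex digits in the dotted form IOS uses, e.g. 0100.5e01.0203."""
    return ".".join(mac_hex[i:i + 4] for i in range(0, 12, 4))


def static_arp_commands(mcast_ip: str, unicast_ips: List[str]) -> List[str]:
    """One 'arp <ip> <mac> arpa' line per address the cluster must answer for.

    Every unicast address (cluster IP and each NAT address) gets the same
    multicast MAC, which is why one entry per address is needed.
    """
    mac = cisco_mac(multicast_mac(mcast_ip))
    return [f"arp {ipaddress.IPv4Address(ip)} {mac} arpa" for ip in unicast_ips]


# A 'show ip arp' row: Internet  10.1.1.1  -  0100.5e01.0203  ARPA  FastEthernet0/0
ARP_ROW = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA",
    re.IGNORECASE,
)


def missing_static_arps(show_ip_arp: str, mcast_ip: str, unicast_ips: List[str]) -> List[str]:
    """Return the addresses whose ARP entry is absent or carries the wrong MAC.

    A wrong (unicast) MAC usually means a dynamic entry was learned from a
    single cluster member instead of the static multicast entry being used.
    """
    want = cisco_mac(multicast_mac(mcast_ip))
    present: Dict[str, str] = {}
    for line in show_ip_arp.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            present[m.group(1)] = m.group(2).lower()
    return [ip for ip in unicast_ips if present.get(ip) != want]


# Constructed sample output of 'show ip arp' (not captured from a real router).
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0100.5e01.0203  ARPA   FastEthernet0/0
Internet  10.1.1.2                -   0100.5e01.0203  ARPA   FastEthernet0/0
Internet  10.1.1.3                5   0011.2233.4455  ARPA   FastEthernet0/0
"""

if __name__ == "__main__":
    cluster_group = "224.1.2.3"               # constructed multicast group
    addresses = ["10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4"]  # constructed
    for cmd in static_arp_commands(cluster_group, addresses):
        print(cmd)
    print("need fixing:", missing_static_arps(SAMPLE_SHOW_IP_ARP, cluster_group, addresses))
```

Because only 23 bits of the group address survive the mapping, 32 different multicast groups share one MAC (224.1.2.3 and 225.129.2.3, for instance, both give 0100.5e01.0203), so take the group from the Voyager cluster configuration rather than guessing it. The missing_static_arps check, run over pasted "show ip arp" output, flags both addresses with no entry and addresses that resolved to a single member's unicast MAC.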