Monday, December 12, 2005

Q: Why can't users behind a departmental Checkpoint firewall talk with devices behind the Checkpoint cluster when both firewalls are on the same backbone segment?

A:
Just as a Checkpoint cluster cannot communicate with Cisco routers by default, it cannot communicate with other Checkpoint firewalls by default either. The cluster answers ARP requests for its address with a multicast MAC address, and the other firewall (a Nokia IPSO box) will not install an ARP entry whose hardware address is multicast, so it simply discards the reply and never learns where the cluster is. The solution is to go into Voyager on the other firewall and, in the ARP configuration page, turn on "Accept multicast ARP replies". This must have been a problem for a long time; I found the following in a Nokia KB article from 2000:
By default, IPSO will not communicate with a broadcast or multicast MAC address via either a dynamic ARP entry or a static ARP entry. When it sees a multicast or broadcast ethernet address being disseminated via ARP, IPSO responds with the error: arp: ether address is broadcast or multicast --snip-- To enable IPSO to use received multicast MAC addresses, go to the ARP configuration page in Voyager. Select on for the option Accept multicast ARP replies. This option appears to be available in IPSO 3.2 and later.
This is similar to the communications problem between the Cluster and Cisco routers noted earlier here.
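As an added illustration (not part of the original post, and not Nokia's or Check Point's code), the following Python mimics the check the KB text describes: it parses an ARP reply and rejects one whose sender hardware address has the multicast (I/G) bit set unless the equivalent of "Accept multicast ARP replies" is turned on. The cluster IP, the multicast MAC and the firewall MAC in the sample frames are constructed for the example; a real cluster uses whatever multicast MAC its clustering software assigns.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def is_multicast_mac(mac: bytes) -> bool:
    """A MAC is multicast (broadcast included) when the I/G bit, the low-order
    bit of the first octet, is set. This is the test behind IPSO's
    'arp: ether address is broadcast or multicast' message."""
    return bool(mac[0] & 0x01)


def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_arp_reply(sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Build an Ethernet II frame carrying an Ethernet/IPv4 ARP reply (RFC 826 layout)."""
    eth = struct.pack("!6s6sH", tha, sha, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return {"oper": oper, "sha": sha, "spa": socket.inet_ntoa(spa),
            "tha": tha, "tpa": socket.inet_ntoa(tpa)}


def arp_reply_accepted(frame: bytes, accept_multicast: bool = False):
    """Decide whether a host behaving like IPSO (per the KB text) would install
    an ARP entry from this frame. Returns (accepted, reason)."""
    arp = parse_arp(frame)
    if arp["oper"] != ARP_REPLY:
        return False, "not an ARP reply"
    if is_multicast_mac(arp["sha"]) and not accept_multicast:
        return False, f"arp: ether address {mac_to_str(arp['sha'])} is broadcast or multicast"
    return True, f"{arp['spa']} -> {mac_to_str(arp['sha'])}"


# Constructed sample frames; every address below is made up for this example.
FIREWALL_MAC = bytes.fromhex("00d0b7aabbcc")        # the receiving firewall
CLUSTER_MCAST_MAC = bytes.fromhex("01005e0a0101")   # multicast MAC, I/G bit set
MEMBER_UNICAST_MAC = bytes.fromhex("00a0c9112233")  # an ordinary unicast MAC

MULTICAST_REPLY = build_arp_reply(CLUSTER_MCAST_MAC, "10.1.1.1", FIREWALL_MAC, "10.1.1.2")
UNICAST_REPLY = build_arp_reply(MEMBER_UNICAST_MAC, "10.1.1.3", FIREWALL_MAC, "10.1.1.2")

if __name__ == "__main__":
    for name, frame in (("multicast", MULTICAST_REPLY), ("unicast", UNICAST_REPLY)):
        for flag in (False, True):
            ok, why = arp_reply_accepted(frame, accept_multicast=flag)
            print(f"{name:9s} accept_multicast={flag!s:5s} -> "
                  f"{'ACCEPT' if ok else 'REJECT'} ({why})")
```

Running it shows the multicast reply being rejected with the default setting and installed once the flag is on, while the unicast reply is installed either way; that is exactly the behaviour difference the Voyager option toggles.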
