According to the Check Point Support Site, Check Point's explanation is "this is expected behavior. Connections to the Standby cluster members are not supported in HA clusters, by default."
Here is the troubleshooting I did.
While pinging from PC 10.9.30.14 to standby member 172.17.30.44, I got echo timed out, but 172.17.30.43 replied back.
Checking the dropped packets on active member 172.17.30.43, it seems the packets were dropped by the active firewall. It did not pass the traffic to the standby member.
[Expert@CP1:0]# fw ctl zdebug drop | grep 10.9.30.14
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=1 10.9.30.14:2048 -> 172.17.30.43:19538 dropped by fwchain_reject_mtu Reason: rejected;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=1 10.9.30.14:2048 -> 172.17.30.43:19537 dropped by fwchain_reject_mtu Reason: rejected;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=1 10.99.30.14:2048 -> 172.17.30.43:19536 dropped by fwchain_reject_mtu Reason: rejected;
Note: during the research, SK97587 also mentioned "in some cases when the traffic originates from the standby member, return traffic is forwarded from the VIP to the active member, which drops that traffic."
My old post "Check Point Cluster Member Gateway Drops Ping Packets Without Log in Smartview Tracker" has similar symptoms to this case, but the cause is different. The solution is to enable the simultaneous ping parameter in the kernel with this command: fw ctl set int fw_allow_simultaneous_ping
Resolution:
[Expert@CP1:0]# fw ctl get int fwha_forw_packet_to_not_active
fwha_forw_packet_to_not_active = 0
When this parameter is set to "0", packet forwarding will NOT be done to a non-active member.
Instead, a reset packet will be sent to the client.
Run the following command on both cluster members:
# fw ctl set int fwha_forw_packet_to_not_active 1
You can verify the setting with the following command:
# fw ctl get int fwha_forw_packet_to_not_active
To make the setting permanent so that it survives a reboot, add this line to the file $FWDIR/boot/modules/fwkern.conf:
fwha_forw_packet_to_not_active=1
Then reboot. Perform this on both cluster members.
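The persist-and-verify steps above, as an added helper script that is not from Check Point or from the original post: it writes the line into fwkern.conf exactly once, keeps a .bak copy of the previous file, and compares the persisted value with the running one. The function names are made up for this example, and it assumes expert mode on the gateway with fw in the PATH and $FWDIR set.

```bash
#!/bin/bash
# Added example, not Check Point code. Function names are hypothetical.
PARAM=fwha_forw_packet_to_not_active

# Print the value stored for NAME ($2) in FILE ($1); empty if absent, last entry wins.
get_fwkern_param() {
    [ -f "$1" ] || return 0
    awk -F= -v n="$2" '{ k = $1; gsub(/[ \t]/, "", k) }
        k == n { v = $2; gsub(/[ \t]/, "", v) } END { print v }' "$1"
}

# Write NAME=VALUE into FILE exactly once (no spaces, same form as the line above),
# replacing stale or duplicate entries. Does nothing if the file is already correct.
set_fwkern_param() {
    local file="$1" name="$2" value="$3"
    [ -e "$file" ] || : > "$file" || return 1
    if [ "$(grep -c "^$name=" "$file")" -eq 1 ] &&
       [ "$(get_fwkern_param "$file" "$name")" = "$value" ]; then
        return 0
    fi
    cp -p "$file" "$file.bak" || return 1
    # Redirecting into the existing file keeps its owner and mode.
    awk -v n="$name" '{ k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
        if (k != n) print }' "$file.bak" > "$file" || return 1
    printf '%s=%s\n' "$name" "$value" >> "$file"
}

# Extract the value from "fw ctl get int" output of the form "name = value".
running_value() { awk -F= 'NF == 2 { gsub(/[ \t]/, "", $2); print $2 }'; }

# Only on a gateway (fw present, $FWDIR set): persist the setting, report drift.
if command -v fw >/dev/null 2>&1 && [ -n "$FWDIR" ]; then
    conf=$FWDIR/boot/modules/fwkern.conf
    set_fwkern_param "$conf" "$PARAM" 1 || exit 1
    live=$(fw ctl get int "$PARAM" | running_value)
    echo "$(hostname): running=$live persisted=$(get_fwkern_param "$conf" "$PARAM")"
    [ "$live" = 1 ] || echo "running value differs, run: fw ctl set int $PARAM 1"
fi
```

Run it on each cluster member; identical output on both confirms the members are configured the same way before the reboot.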