Multiple PIX's on one LAN

jon-wyatt
Level 1

For a number of years we have quite happily maintained a two-tier structure consisting of a failover pair of 535s on the inside, a 'no man's land' LAN in the middle and a failover pair of 515s on the outside of our WAN infrastructure. All that exists in the no man's land is a switch with no VLANs, into which the outside interfaces of the 535s and the inside interfaces of the 515s plug. The logical setup for this LAN is a class C RFC 1918 range.

Now we have added two more 515 pairs to this LAN, and this is where the odd problems are starting. The existing pair have carried on working fine. Both of the new primary 515s, configured in standalone mode, also seem fine from the network inside the 535s, although if we try to ping them from the switch the first ping works and then the rest fail. Investigation reveals that after the first ping, the MAC address in the switch ARP table is that of the outside interface of the 535.

Configuring failover and turning the secondary PIXs on just seems to make things worse, so they're simply sat in standalone mode at the moment with a very basic test configuration on. We've rebuilt them from scratch a couple of times, confirming that the details are correct, and have had just one new primary connected to make sure they're not interfering with each other in any way.

Any ideas why the 535s are picking up the IP addresses of the new 515s? I think this is the cause of all our problems. All new devices are at 6.3.3, definitely have an inside IP address in the class C of the intermediate LAN and currently have a default route back to the 535s.

1 Reply

smalkeric
Level 6

Try disabling proxy ARP on the PIX 535 for the outside interface by giving the command 'sysopt noproxyarp outside', and then clear ARP on the switch and the PIXs.
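To see why the suggested fix addresses the symptom in the question, here is a small model of the shared LAN, added as an illustration and not taken from the thread or from Cisco: it treats a PIX as answering ARP for its own address and, while proxy ARP is enabled, for any prefix it is assumed to have a static/NAT covering (the 192.168.100.0/24 addresses and MACs are constructed; the assumption that the 535's outside interface proxies a range covering the new 515 addresses is mine, as the thread does not show the configuration). With two devices replying, a switch cache that keeps the last reply it hears explains the first ping working and the rest failing.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Pix:
    name: str
    ip: str                  # its own address on the intermediate LAN
    mac: str
    proxy_arp: bool = True   # PIX default; 'sysopt noproxyarp <if>' clears it
    # Assumed: prefixes this unit proxy-ARPs for on the interface, e.g. a
    # static/NAT range on the 535's outside that happens to cover the 515s.
    proxied: list = field(default_factory=list)

    def answers_arp(self, target: str) -> bool:
        """True if this unit would reply to 'who has <target>' on the LAN."""
        if target == self.ip:
            return True
        return self.proxy_arp and any(
            ip_address(target) in ip_network(p) for p in self.proxied)


def arp_claimants(lan, target):
    """Names of every device that replies for target; more than one is a conflict."""
    return sorted(d.name for d in lan if d.answers_arp(target))


def proxy_arp_offenders(lan, target):
    """Devices answering for an address that is not their own interface address."""
    return [d.name for d in lan if d.answers_arp(target) and d.ip != target]


def build_lan(noproxyarp_on_535: bool = False):
    # Constructed sample addresses; 192.168.100.0/24 stands in for the real class C.
    pix535 = Pix("pix535-outside", "192.168.100.1", "00:00:5e:00:53:01",
                 proxy_arp=not noproxyarp_on_535, proxied=["192.168.100.16/28"])
    old515 = Pix("pix515-old-inside", "192.168.100.10", "00:00:5e:00:53:10")
    new515 = Pix("pix515-new-inside", "192.168.100.20", "00:00:5e:00:53:20")
    return [pix535, old515, new515]


if __name__ == "__main__":
    for fixed in (False, True):
        lan = build_lan(noproxyarp_on_535=fixed)
        print("noproxyarp:" if fixed else "default:   ",
              arp_claimants(lan, "192.168.100.20"))
```

Run as-is it lists two claimants for the new 515's address in the default case and only the 515 once proxy ARP is off on the 535, which is the state the ARP clear on the switch should then reflect.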
