Hoping for some help. I am running 3 clustered vSRX (version 18.4R2.7) on ESX6.5 with connections running to a C3750G switch running VLANs between the 2 ESXi hosts. In trying to understand the vSRX I changed the SRXs from packet-based to flow-based, and now FW1 seems to neither route traffic to the Cisco switch nor allow anything outside its subnet. See the config for FW1 below. I expected it to be a security issue, but I have it completely open. From FW2 I can run a traceroute to 17.27.1.102 (my lab PC) off of FW1 and it stops at FW1. If I turn packet-based forwarding back on, I'm able to ping across. I expect the traffic to flow across the Mgmt_Link/reth1 between the FWs. I have 2 clustered FWs on the one ESXi host that seem to work fine, but across hosts I seem to have issues.
# Junos set-format configuration for the FW1 chassis cluster
# (nodes Site1_Node0 / Site1_Node1), as posted.

# Per-node host names, applied to whichever node loads the config via "${node}".
set groups node0 system host-name Site1_Node0
set groups node1 system host-name Site1_Node1
set apply-groups "${node}"

# Local accounts. The hash after "encrypted-password" for barberde is absent on
# the page and the root hash is shown as XXX (presumably both redacted for posting).
set system login user barberde uid 2005
set system login user barberde class super-user
set system login user barberde authentication encrypted-password
set system root-authentication encrypted-password XXX

# SSH: root may log in directly over SSH; only protocol version 2 is accepted.
# NOTE(review): outside a lab, prefer "root-login deny" and use named accounts.
set system services ssh root-login allow
set system services ssh protocol-version v2

# Chassis cluster: room for 5 reth interfaces (only reth1-reth4 are defined below).
# Redundancy groups 0-4 all give node 0 priority 200 and node 1 priority 100.
set chassis cluster reth-count 5
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 2 node 0 priority 200
set chassis cluster redundancy-group 2 node 1 priority 100
set chassis cluster redundancy-group 3 node 0 priority 200
set chassis cluster redundancy-group 3 node 1 priority 100
set chassis cluster redundancy-group 4 node 0 priority 200
set chassis cluster redundancy-group 4 node 1 priority 100

# Forwarding mode: this is the only forwarding-options statement on the page and
# it names family mpls; no family inet/inet6 mode statement is visible.
# NOTE(review): Junos normally asks for a reboot after a forwarding-mode change;
# confirm both cluster nodes were rebooted after the switch to flow-based.
set security forwarding-options family mpls mode flow-based

# Security policy: traffic not matched by an explicit policy is permitted, and
# no explicit policies appear in this listing, so the firewall filters nothing.
# NOTE(review): acceptable for isolating a lab fault only; replace with explicit
# zone-to-zone policies before the device carries real traffic.
set security policies default-policy permit-all

# Single zone "ALL" containing every interface, with every system service and
# every protocol allowed inbound to the device itself. Any service enabled on
# the box (e.g. the SSH root login above) is reachable from every interface in
# the zone, including the two interfaces described as EXT below.
set security zones security-zone ALL host-inbound-traffic system-services all
set security zones security-zone ALL host-inbound-traffic protocols all
set security zones security-zone ALL interfaces all

# Physical ports: ge-0/0/x belong to node 0 and ge-7/0/x to node 1.
# Port 0 on each node is the fabric link; ports 1-4 are children of reth1-reth4.
set interfaces ge-0/0/0 description fab0
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-0/0/2 gigether-options redundant-parent reth2
set interfaces ge-0/0/3 gigether-options redundant-parent reth3
set interfaces ge-0/0/4 gigether-options redundant-parent reth4
set interfaces ge-7/0/0 description fab1
set interfaces ge-7/0/1 gigether-options redundant-parent reth1
set interfaces ge-7/0/2 gigether-options redundant-parent reth2
set interfaces ge-7/0/3 gigether-options redundant-parent reth3
set interfaces ge-7/0/4 gigether-options redundant-parent reth4
set interfaces fab0 fabric-options member-interfaces ge-0/0/0
set interfaces fab1 fabric-options member-interfaces ge-7/0/0

# Out-of-band management address, held only by the primary node (master-only).
# NOTE(review): the same address, 17.27.1.1/24, is also configured on reth4 below.
# fxp0 is a management port and is not expected to forward transit traffic, so
# with the subnet on both interfaces the path to 17.27.1.102 is ambiguous.
# Confirm which interface is meant to own this subnet.
set interfaces fxp0 unit 0 family inet address 17.27.1.1/24 master-only
set interfaces lo0 unit 0 family inet address 192.168.1.25/32

# reth1: management / inter-firewall link, redundancy group 1.
set interfaces reth1 description MGMT_10.10.10.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 10.10.10.1/24

# reth2 and reth3: described as external (C-EXT / S-EXT), redundancy groups 2 and 3.
set interfaces reth2 description C-EXT_17.131.2.38/24
set interfaces reth2 redundant-ether-options redundancy-group 2
set interfaces reth2 unit 0 family inet address 17.131.2.38/24
set interfaces reth3 description S-EXT_17.176.2.38/24
set interfaces reth3 redundant-ether-options redundancy-group 3
set interfaces reth3 unit 0 family inet address 17.176.2.38/24

# reth4: no description; carries the same 17.27.1.1/24 address as fxp0 above.
set interfaces reth4 redundant-ether-options redundancy-group 4
set interfaces reth4 unit 0 family inet address 17.27.1.1/24

# OSPF area 0: active on reth1.0, loopback advertised as passive.
# NOTE(review): no OSPF authentication is configured in the visible statements,
# so adjacencies on reth1 are accepted from any neighbour on that segment.
set protocols ospf area 0.0.0.0 interface reth1.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive

# Static routes, both with next hops on the reth1 subnet (10.10.10.0/24).
# NOTE(review): the second route is for 172.27.1.0/24, while the interfaces and
# the lab PC in the post use 17.27.1.x; confirm this is not a typo in either place.
set routing-options static route 0.0.0.0/0 next-hop 10.10.10.2
set routing-options static route 172.27.1.0/24 next-hop 10.10.10.100
set routing-options router-id 192.168.1.25