The default gateway's IP address is used as the isolation address by HA. Did you deny ICMP only for the default gateway of did you deny it at all? If it is just denied for the default gateway you may configure another reliable isoalation address which can be used by HA.

Please see the explainations for das.isolationaddress[x] as well as das.usedefaultisolationaddress at e.g. http://www.yellow-bricks.com/vmware-high-availability-deepdiv/

André

MJMSRI wrote:

However, since enabling, our network has been slow and our watchguard firewall has been denying pings constantly from both hosts!!

Are you really sure the network become "slow" from this? It seems incredible strange that a modern network will not be able to handle some ICMP Echos when it should be able to manage traffic throughput hundreds times more.

Do you have a security reason to not allow ping from inside the management network on your router/firewall? I belive the most non-complicated solution is to change the firewall rules in this situation.

Ordinarily, each host in an HA cluster pings each of the isolation addresses once per hour.  If the ping fails, an HA confuguration issue is reported to the UI, and a more aggressive ping is initiated by each host, pinging once every 5 seconds.  The reason for the more aggressive ping is to more quickly resolve the configuration issue once the isolation address(es) once again becomes pingable.

There should be no "flood" of ICMP messages, and it should have little impact on network performance.  The ICMP packet is 53 bytes long and sent once every 5 seconds from each of the HA hosts until the address(es) become pingable once again, at which point it returns to pinging once per hour.

If your default gateway is never pingable because of your firewall, you should open up the ports needed by HA, or disable the isolation address monitoring using advanced options (das.useDefaultIsolationAddress = false).  But doing this means that you will have no protection against a network isolation condition.