VMware Horizon Community
GregStr
Contributor

UAG 3.3 Multi-NIC Config Routing Issue

Replacing/Upgrading the multi-nic UAGs with version 3.3 has presented a problem. In version 3.2 you were able to go out to the Linux console and run YAST to configure routing for the appliance. Even though you entered those routes in the PowerShell INI file and had the network profile in vCenter set up properly, once you deployed the appliance you could not connect to the management page. You could ping the management IP, but could not connect over 9443. You had to go into YAST, set up your routing statements and boom, all was well and I was able to hit the management page.

Now with Unified Access Gateway 3.3 and multi-nic configs, VMware has upgraded us out of that usability. You can no longer go into YAST since they replaced the underlying appliance with a Photon OS. Since Network Profiles in vCenter are no longer required for UAG 3.3, the deployment gets all of its settings from either the ini file used with PowerShell or through the OVF deployment template in the Web Client (Flash version). I have tried both deployment methods and the behavior is the same.

I am looking for a way to either access a management console similar to YAST in the Photon OS, or the correct cli statements to enter at the console prompt that will enable me to set the routing for the multi-nic config.

I know my config works since I have 8 UAGs at version 3.2 running without issue, so I won't go into posting that. I am really looking for knowledge on how to set routing statements in the UAG 3.3 and Photon OS. Again, this is outside of the ini file or the OVF template in the WebClient; this is appliance specific.

I have not seen any useful guidance on this from VMware or the community. Any help would be greatly appreciated!

Thanks!!

Greg Streuber

0 Kudos
4 Replies
BenFB
Virtuoso

I've seen the UAG do exactly what you are describing when you specify a redundant default route. Can you share the ini file that you are using when deploying?

0 Kudos
GregStr
Contributor

Hmm, I do not think I have redundant default routes. Here is the ini that I am deploying with. I made some cosmetic changes to not reveal customer information, but this is how it's being deployed. I have fallen back to version 3.2 for now and as long as I do not restart the appliances the UAGs are fine. If I restart them, their routing tables become corrupted, after which you have to go into YAST, delete the three IPs and re-add them. After that the UAG is fine again. No reboot required, just delete and re-add the IPs. I would really rather move up to the 3.3 version, but I cannot get it to route at all. Thanks!

[General]
#
# UAG virtual appliance unique name (between 1 and 32 characters).
# If name is not specified, the script will prompt for it.
#
name=A01-UAG-PCI-01
#
# Full path filename of the UAG .ova virtual machine image
# The file can be obtained from VMware
#
source=C:\APs\euc-unified-access-gateway-3.3.0.0-8539135_OVF10.ova
#
# target refers to the vCenter username and address/hostname and the ESXi host for deployment
# Refer to the ovftool documentation for information about the target syntax.
# See https://www.vmware.com/support/developer/ovf/
# PASSWORD in upper case results in a password prompt during deployment so that passwords do not need
# to be specified in this .INI file.
# In this example, the vCenter username is administrator@vsphere.local
#                  the vCenter server is 192.168.0.21 (this can be a hostname or IP address)
#                  the ESXi hostname is esx1.myco.int (this can be a hostname or IP address)
#
target=vi://administrator@vsphere.local:PASSWORD@10.76.10.19/TEST/host/INT
#
# vSphere datastore name
#
ds=AP1_VMW_INT_VMFS03
#
# Disk provisioning mode. Refer to OVF Tool documentation for options.
#
#diskMode=thin
#
# vSphere Network names. For pre 3.3 UAG versions, a vSphere Network Protocol Profile (NPP) must be associated with every referenced network name. This specifies
# network settings such as IPv4 subnet mask, gateway etc. UAG 3.3 and newer no longer uses NPPs and so for static IPv4 addresses a netmask0, netmask1 and netmask2
# value must be specified for each NIC. Normally a defaultGateway setting is also required.
#
netInternet=DPG_VL2595_DMZ_PCI_1
netManagementNetwork=DPG_VL2699_DMZ_Trusted-Load-Balancer
netBackendNetwork=DPG_VL2596_DMZ_PCI_2
defaultGateway=10.91.5.1
#deploymentOption=onenic
#ip0=192.168.0.90
#netmask0=255.255.255.0
#routes0=192.168.1.0/24 192.168.0.1,192.168.2.0/24 192.168.0.2
#deploymentOption=twonic
#ip0=192.168.0.90
#netmask0=255.255.255.0
#ip1=192.168.0.91
#netmask1=255.255.255.0
#routes0=192.168.1.0/24 192.168.0.1,192.168.2.0/24 192.168.0.2
#routes1=192.168.3.0/24 192.168.0.1,192.168.4.0/24 192.168.0.2
deploymentOption=threenic
ip0=10.91.5.10
netmask0=255.255.255.0
ip1=10.91.100.12
netmask1=255.255.255.0
ip2=10.91.6.10
netmask2=255.255.255.0
routes0=10.91.5.0/24 10.91.5.1
routes1=10.91.100.0/24 10.91.100.1
routes2=10.91.6.0/24 10.91.6.1
dns=10.76.15.12
syslogUrl=syslog://logging.secure.com:514
#
# Setting honorCipherOrder to true forces the TLS cipher order to be the order specified by the server. This can be set on
# UAG 2.7.2 and newer to force the Forward Secrecy ciphers to be presented first to improve security.
#
honorCipherOrder=true
#
# sessionTimeout value in milliseconds. Default is 36000000 (10 hours). When the session timeout expires,
# the user needs to login again.
#
# 11 hours
sessionTimeout=39600000

[SSLCert]
#
# From UAG 3.0 and newer, you can specify the name of a .pfx or .p12 format certificate file containing the required certificate and private key and
# any required intermediate certificates. In this case there is no need to use openssl commands to convert the .pfx/.p12 file into the
# associated PEM certificates file and PEM private key file.
#
pfxCerts=C:\APs\certs\secure-WC.pfx
#
# If there are multiple SSL certificates with private key in the .pfx file you also need to specify an alias name in order to select the required certificate.
# This is not necessary if there is only one SSL certificate with private key in the file
#
#pfxCertAlias=alias1
#
# The following pemCerts and pemPrivKey settings are only needed if you don't have a .pfx/.p12 file and want to directly use the two PEM format files.
#
# pemCerts refers to a PEM format file containing the SSL server certificate to be deployed. The file should also contain any
# required intermediate CA and root CA certificates.
#
#pemCerts=sslcerts.pem
#
# pemPrivKey refers to a file containing the RSA PRIVATE KEY for the SSL server certificate in the above certificate file.
#
#pemPrivKey=sslcertrsakey.pem
#
# From UAG 3.2 and newer, you can specify a certificate for the admin interface on port 9443. It is in the same format as [SSLCert] above.
#
[SSLCertAdmin]
#pfxCerts=sslcerts.pfx
#pemCerts=sslcerts.pem
#pemPrivKey=sslcertrsakey.pem

[Horizon]
#
# proxyDestinationUrl refers to the backend Connection Server to which this UAG appliance will connect.
# It can either specify the name or IP address of an individual Connection Server or of a load balanced alias to connect
# via a load balancer in front of multiple Connection Servers.
#
proxyDestinationUrl=https://view.secure.com
#
# proxyDestinationUrlThumbprints only needs to be specified if the backend Connection Servers do not have
# a trusted CA signed SSL server certificate installed (e.g. if it has the default self-signed certificate only).
# This is a comma separated list of thumbprints in the format shown here.
#
proxyDestinationUrlThumbprints=ba 30 64 e4 b9 26 33 1b 38 4b 27 39 ce e6 63 f8 f3 5d 8b 58
#
# The following external URLs are used by Horizon Clients to establish tunnel, HTML Access and PCoIP connections
# to this UAG appliance. If they reference a load balancer name or address then the load balancer must be
# configured for source IP hash affinity otherwise the connections may route to the wrong UAG appliance.
#
tunnelExternalUrl=https://view.secure.com:443
blastExternalUrl=https://view.secure.com:443
#
# pcoipExternalUrl must contain an IPv4 address (not a DNS name)
#
pcoipExternalUrl=9.46.93.84:4172

0 Kudos
BenFB
Virtuoso

This looks similar to the issue I've seen. Try deploying with routes0 commented out. The UAG will automatically create a default route using the default gateway you specified. When I also tried specifying routes0 it was doing exactly what you described and after working with VMware support we removed the routes and it's working. I also don't think you need routes1 and routes2. I'd try deploying without specifying any routes and then add routes1 and routes2 back if they are needed.

0 Kudos
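As an added example (not part of this thread and not VMware's deployment script), a small Python check that reads the ipN/netmaskN/routesN keys from an INI like the one posted and flags the routesN entries the reply above says to drop: a 0.0.0.0/0 route that duplicates defaultGateway and a route for a NIC's own connected subnet. It also goes one step beyond the thread and flags a route whose gateway is not on that NIC's subnet. The sample INI is constructed from the network values posted above; the function and key names are mine.

```python
import configparser
import ipaddress

# Constructed sample: the network keys from the [General] section posted in
# the thread (other keys omitted, they do not affect routing).
SAMPLE_INI = """
[General]
deploymentOption=threenic
defaultGateway=10.91.5.1
ip0=10.91.5.10
netmask0=255.255.255.0
ip1=10.91.100.12
netmask1=255.255.255.0
ip2=10.91.6.10
netmask2=255.255.255.0
routes0=10.91.5.0/24 10.91.5.1
routes1=10.91.100.0/24 10.91.100.1
routes2=10.91.6.0/24 10.91.6.1
"""

def parse_routes(value):
    """Split a routesN value ('cidr gw,cidr gw') into (network, gateway) pairs."""
    pairs = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        cidr, gw = item.split()
        pairs.append((ipaddress.ip_network(cidr, strict=False), ipaddress.ip_address(gw)))
    return pairs

def lint_routes(ini_text):
    """Return warnings for routesN entries the appliance does not need or cannot use."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    general = cfg["General"]
    warnings = []
    for n in range(3):
        ip, mask, routes = (general.get(k) for k in (f"ip{n}", f"netmask{n}", f"routes{n}"))
        if not (ip and mask and routes):
            continue  # NIC not configured or no static routes for it
        connected = ipaddress.ip_interface(f"{ip}/{mask}").network
        for net, gw in parse_routes(routes):
            if net.prefixlen == 0:
                warnings.append(f"routes{n}: {net} is a default route; defaultGateway already covers it")
            elif net == connected:
                warnings.append(f"routes{n}: {net} is NIC {n}'s own subnet, no static route needed")
            if gw not in connected:
                warnings.append(f"routes{n}: gateway {gw} is not on NIC {n}'s subnet {connected}")
    return warnings

if __name__ == "__main__":
    for warning in lint_routes(SAMPLE_INI):
        print(warning)
```

Run against the posted values it reports all three routesN lines as connected-subnet routes, which matches the advice to deploy without them.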
GregStr
Contributor

Makes sense and thanks for the information. I will redeploy them this weekend using that strategy.

0 Kudos