Solved

Why does the SonicWall router not function properly for serving on WAN failover?

Posted on 2010-08-24
15
4,055 Views
Last Modified: 2013-12-14

We have had 2 internet connections installed, from 2 different ISP’s, for redundancy on our company router, which is a SonicWall TZ 210. It is set up with static IP’s for both WAN interfaces, and we are using Dynamic DNS to point our DNS hostname at whichever connection is functioning. That part is operating fine. When the primary ISP goes down, the secondary kicks in, and we can surf the internet just fine. Both ISP connections are business connections and allow serving. I have been able to connect to the router over HTTPS, from either one of them, from outside the network. However, I noticed our services (like e-mail, etc.) do not work when switched over to the secondary connection. (That is, it does not receive mail. You can’t connect to the server from outside. Etc.) I thought it was something to do with the mail server, but I can’t connect to other services that are inside the network, so I started to wonder if the SonicWall was set up right.

Under NAT policies, I have noticed it says “WAN Primary IP” in the rules for the services we are trying to use. So, it would seem these public server policies are not set up to allow these services on the secondary WAN. Does this make sense to those of you who know SonicWall? How can we change the configuration, so that it will automatically work when the router changes over to the secondary ISP? Will it function properly, if I just create a second set of public server rules, when it is running on the secondary connection? Your help is much appreciated in advance. Let me know if more information is required.
0
Question by:gs-rho
15 Comments
 
LVL 3

Expert Comment

by:DeltaR7
ID: 33508534
You mentioned you use dynamic DNS. When the failover kicks in, have you already tried using the fix IP address?
Due to the Dynamic DNS, there is some time needed to propagate the new IP address to the internet.
It is normal you can surf without issue as you use the DNS server of your provider.
0
 

Author Comment

by:gs-rho
ID: 33508583
Thanks for your response.

Is "fix IP address" a utility/tool/option?

At any rate, I checked into this, but failed to mention it. We are using Dyn DNS Custom Hosting. It has been configured with a very short TTL, so it really doesn't take long to propagate. I tested this from outside the network on a laptop, and I found the DNS hostname was changing over to the IP address in use successfully. When it is using the IP from the primary ISP, I can access the services. When it is using the IP from the secondary ISP, I cannot access the services (although I can log into the router in either case over HTTPS... it's working). In both cases, I'm not actually using the IP to access it, but the DNS name. I run a ping against the DNS name, to test when each is active. This is my attempt to convey that I have tested this thoroughly. I am now quite convinced that that part is working, and it is something to do with the router forwarding the services. Hopefully, this makes sense.
0
 
LVL 3

Expert Comment

by:DeltaR7
ID: 33508627
If you have tested this, and it works, you may want to review the SonicWall config.
Check if ports (RDP, OWA, ...) are properly forwarded to the correct IP addresses and also make sure those ports are opened on the WAN interface.
Also note you cannot use port 443 (HTTPS) twice (for example for OWA): either you use it to manage your router, or you forward the port to your server for other services.
To overcome this issue, map port 8888 (or some other higher port number) to 443 on your server.

I also know some providers block ports under the 1024 range. But as you mentioned, with a business connection this shouldn't be a problem.
0
 

Author Comment

by:gs-rho
ID: 33508681
DeltaR7,

Check... RDP and OWA work properly when the router is running on the primary ISP connection. I have checked these.

Check... the HTTPS that I am referring to when logging into the router is an alternate port. No problems with OWA (443) and router console login on the primary ISP connection. On the secondary ISP connection, I can log into the router on that alternate port, but I cannot log in to OWA on 443.

Both these ISP connections have been confirmed as server-purpose connections.

Thanks.
0
 

Author Comment

by:gs-rho
ID: 33508690
As you say, I felt I should review the SonicWall config. That is where I found the interesting note in the NAT policies, where I noticed it says “WAN Primary IP” for the source. This makes me think there is no recognition of the secondary WAN connection in these rules for Public Services on the SonicWall. Unfortunately, this comes up against the far end of my knowledge with SonicWall. I do not know how to proceed to make sure it is configured to use the secondary connection for Public Services... or else I'm totally on the wrong track.
0
 
LVL 3

Assisted Solution

by:DeltaR7
DeltaR7 earned 150 total points
ID: 33508743
I was under the impression you had 2 routers, one being the SonicWall..

Nevertheless, this is indeed your problem: the second IP address has no proper NAT rules.

I found the following manual:
http://www.sonicwall.com/downloads/SonicWALL_TZ_210_Series_Getting_Started_Guide.pdf
Starting on page 55, there is the setup you have and an explanation.
 
0
 

Author Comment

by:gs-rho
ID: 33508774
Just the one SonicWall TZ 210. Thanks. I'll check out the config, according to the manual and get back to you.
0

 
LVL 8

Accepted Solution

by:
jimmyray7 earned 350 total points
ID: 33511786
You're right about the WAN Primary IP, but before we go down that road, are your MX records for email set to point to both IPs?  If not, it doesn't matter what you fail over to, email won't get sent to a second IP.  That would mean you can send email, but wouldn't receive any replies.

If the MX records are okay, then we can try changing the firewall rules.  I would go under Network->Network Objects and create a new group called "Public Server IPs" or something else you'll remember.  Put the WAN Primary IP and the Secondary WAN Primary IP in this group.  Now change all the Firewall rules and NAT policies that use "WAN Primary IP" to use the group you just created.  You should be able to access services from both IPs now.

Let me know how it goes.
0
 

Author Comment

by:gs-rho
ID: 33519506
Thanks, jimmyray7. I'll try that out and get back to you.
0
 
LVL 2

Expert Comment

by:pmanno
ID: 33524384
I have a similar setup. As Jimmyray7 mentioned, you should have two MX records.  The first, with a priority of 0 pointing to your primary IP address (issued by your primary ISP).  The second with a priority of 20 pointing to your secondary IP address (issued by your secondary ISP).
0
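The two conditions raised in jimmyray7's accepted solution and pmanno's follow-up (inbound NAT policies bound to "WAN Primary IP" only, and MX records that point at a single ISP address) can be checked offline before pulling the primary link. This is an added example, not code from the thread or from SonicWall; the address-object names are the SonicOS names quoted above, while the IPs, policies and MX records are constructed sample data.

```python
# Added example (not from the original thread): offline audit of which inbound
# NAT policies and MX records still work once traffic arrives on the secondary WAN.
# Address-object names are the SonicOS names quoted in the thread; the policy
# records and IP addresses are constructed sample data, not a real TZ 210 export.

PRIMARY_WAN = "203.0.113.10"     # constructed: static IP from ISP 1 (X1)
SECONDARY_WAN = "198.51.100.20"  # constructed: static IP from ISP 2 (X2)

# Address objects as the firewall resolves them. "WAN Primary IP" only ever
# resolves to X1's address; "WAN Interface IP" covers every WAN interface address.
ADDRESS_OBJECTS = {
    "WAN Primary IP": {PRIMARY_WAN},
    "Secondary WAN Primary IP": {SECONDARY_WAN},
    "WAN Interface IP": {PRIMARY_WAN, SECONDARY_WAN},
}

# Constructed inbound NAT policies: (service, original-destination address object).
NAT_POLICIES = [
    ("SMTP", "WAN Primary IP"),
    ("HTTPS (OWA)", "WAN Primary IP"),
    ("RDP", "WAN Interface IP"),
]

# Constructed MX records as (priority, target IP after the A-record lookup).
MX_RECORDS = [(0, PRIMARY_WAN), (20, SECONDARY_WAN)]


def unreachable_services(active_wan, policies=NAT_POLICIES, objects=ADDRESS_OBJECTS):
    """Return services whose NAT policy cannot match traffic sent to active_wan."""
    return [svc for svc, obj in policies if active_wan not in objects[obj]]


def mx_covers(active_wan, mx=MX_RECORDS):
    """True if at least one MX record delivers mail to active_wan."""
    return any(ip == active_wan for _, ip in mx)


def rewrite_policies(policies, old="WAN Primary IP", new="WAN Interface IP"):
    """Apply the fix from the thread: swap the single-IP object for the group."""
    return [(svc, new if obj == old else obj) for svc, obj in policies]


if __name__ == "__main__":
    for wan in (PRIMARY_WAN, SECONDARY_WAN):
        print(wan, "broken:", unreachable_services(wan), "MX ok:", mx_covers(wan))
    fixed = rewrite_policies(NAT_POLICIES)
    print("after fix, broken on X2:", unreachable_services(SECONDARY_WAN, fixed))
```

With the constructed data, SMTP and OWA are flagged as unreachable on X2 until the policies are rewritten, while RDP (already bound to "WAN Interface IP") is not.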
 

Author Comment

by:gs-rho
ID: 33597566
Sorry, ran into a delay. Gonna look into this right away.
0
 

Author Comment

by:gs-rho
ID: 34059151
Sorry that took so long...

I couldn't get this working for the longest time. I had to actually update the router firmware to 5.6.x to overcome a glitch/issue.

I didn't have to create a new address group, as the existing "WAN Interface IP" served fine, as it incorporates the IPs on the WAN interfaces. I replaced "Primary IP" with that.

Under NAT Policies, I made these changes for all the rules that involved the custom services, but the rules that started with the custom service internal IPs as the Original Source wouldn't change to WAN Interface IP. They gave me an error that said "Error: Source translation few:many not supported". I couldn't find anything on that. But eventually I went on and reprogrammed the firewall rules as well, and in the end, I guess I didn't need to change the ones that wouldn't change, as the services worked fine when using either ISP. The failover service is successfully set up.

0
 

Author Closing Comment

by:gs-rho
ID: 34059161
Issue solved.
0
 

Author Comment

by:gs-rho
ID: 34059165
If anyone has any feedback on:

the error that said "Error: Source translation few:many not supported" (I couldn't find anything on that)

...that would probably be helpful to one or two people. Thanks.
0
 

Expert Comment

by:FreeSoldier
ID: 39172345
gs-rho,

I have the exact same problem. Rules were created with the Wizard on TZ 210. I have the Failover & LB setup as "Basic Failover". When my X1 goes down and X2 becomes the live/primary internet connection, I can NOT access the services anymore.
Could you please be more specific as to which rules you changed?

Many Thanks
Best
0
