Solved

SonicWALL WAN FailOver Outbound NATs

Posted on 2011-02-23
Last Modified: 2012-06-21
We have a SonicWALL NSA240 firewall enhanced firmware and are attempting to setup FailOver on two internet WAN connections.  Currently we already have the FailOver working to the point of automatically switching over the internet connections when the primary internet connection goes down, we also have already setup all of the NAT inbound rules, the firewall rules, and DNSMadeEasy.com for FailOver to switch over the DNS records as we have a mail server and a couple of websites internal.

The part that we are stuck at is how to make the outbound NAT rules fail over as well.  Currently what happens if the internet goes down is that everything works properly except when for example the mail server responds it uses the original primary connections static internet address to send traffic outbound as the original NAT rule tells it to which I assume will drop the traffic as the primary internet static IP would not be active.  We could potentially just use the primary WAN IP which would change dynamically when the WAN changes, but we also have about 3 web sites internally, we could use different ports, but it seems the SonicWALL would support this.

How do we make the outbound NAT failover as well?
Question by:maxtexgr
9 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 34962259
that sounds more of an issue with your route.  when the connection is down, there should be a route that indicates which default gateway to send traffic out of.  of course, you should have a NAT policy for egress Exchange traffic and i'm guessing you have one.  when your primary internet is down, there should be a route that will send traffic out the secondary gateway.

did you setup a secondary gateway?  which option under failover did you select?

configure secondary gateway:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7781

Author Comment

by:maxtexgr
ID: 34965118
Thanks for your reply.

The secondary gateway has already been set up; the setup was similar to the link you posted, which automatically, during the process, set up the routes needed for the basic traffic going outbound.  The failover method we chose was Basic Active/Passive FailOver.  The internet works when the primary internet connection goes down, but our mail servers and web servers do not due to the outbound NAT issue, which is what the problem is.

The current NAT rule for the primary server says anything coming out from our internal Exchange address on port 25, 80, 443 goes out on our static 205.xxx.xxx.xxx, which belongs to our primary address.  When the primary goes down and our statics switch over to 204.xxx.xxx.xxx, this NAT rule causes the Exchange server to respond on a different IP than it was sent the traffic on; the MX record is updated through DNSMadeEasy, and that causes the packet to be dropped.
LVL 33

Expert Comment

by:digitap
ID: 34965157
do you have the secondary public IP configured in your mx record?
Author Comment

by:maxtexgr
ID: 34965200
Yes
LVL 33

Expert Comment

by:digitap
ID: 34966866
i can understand how it would fail initially after the failover.  when the sender's mail server realizes that the primary IP of the MX record is not responding, it should pickup on the second, right?  at this point, it would succeed.  sorry if i'm being dense in understanding.

Author Comment

by:maxtexgr
ID: 34967295
The sending mail server would try to connect on the secondary MX; the traffic would get to the receiving server, and when the server tried to respond it would respond on a different IP than what it was sent the traffic on. That IP would be the non-failover outbound NAT IP, and since the SonicWALL doesn't have the primary internet connection up it would not allow the traffic out.  Let's say even if it was smart enough to realize the primary internet was down and it responded on the failover internet connection, it could still respond with the wrong IP (we might want to use a different IP in the block than what the WAN interface is using), and the original sending server would drop the traffic once it received it, as it's the incorrect address and doesn't match that which it sent to.

Accepted Solution

by:maxtexgr (earned 0 total points)
ID: 34973040
After looking at the NAT rules more all we really needed to do was specify the interface on the original NAT outbound rules as X1 for the interface destination and vice versa on the fail over NAT outbound rules to X2.  So if the primary connection is down the other rule is used which accomplishes what we are looking to do.  Can't believe I didn't see this sooner.
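The accepted solution, modelled as an added example (this is not SonicWALL code and not something posted in the thread): a simplified first-match outbound NAT table where each policy may be bound to an egress interface or left as "Any". The addresses, the interface names X1/X2 and the fallback to the interface's own IP when no policy matches are constructed placeholders (the thread masks the real blocks as 205.x / 204.x). The `source_matches_interface` check is the test a practitioner would run on such a table: after failover to X2, a translated source that still belongs to the X1 provider's block is the packet the thread says gets dropped.

```python
"""Outbound NAT policy selection with and without an interface binding.

Constructed model of the failover scenario discussed above; it is not SonicOS
code and simplifies policy matching to "first matching row wins".
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed placeholder addressing (documentation ranges, not real ISP blocks).
INTERFACE_BLOCKS: Dict[str, ipaddress.IPv4Network] = {
    "X1": ipaddress.ip_network("205.0.113.0/28"),  # primary ISP block on X1
    "X2": ipaddress.ip_network("204.0.113.0/28"),  # failover ISP block on X2
}
INTERFACE_IP = {"X1": "205.0.113.1", "X2": "204.0.113.1"}  # WAN interface addresses
EXCHANGE_LAN = "10.0.0.25"   # internal mail server (constructed)
X1_STATIC = "205.0.113.10"   # static the mail server should use on the primary ISP
X2_STATIC = "204.0.113.10"   # static the mail server should use on the failover ISP


@dataclass
class NatPolicy:
    original_source: str
    translated_source: str
    outbound_interface: Optional[str] = None  # None models an "Any" interface binding
    ports: Tuple[int, ...] = (25, 80, 443)


def egress_interface(primary_up: bool) -> str:
    """Basic Active/Passive failover: the default route follows X1 while it is up."""
    return "X1" if primary_up else "X2"


def select_policy(policies: List[NatPolicy], src: str, port: int,
                  iface: str) -> Optional[NatPolicy]:
    """First-match lookup over an ordered policy table."""
    for policy in policies:
        if (policy.original_source == src
                and port in policy.ports
                and policy.outbound_interface in (None, iface)):
            return policy
    return None


def outbound_source(policies: List[NatPolicy], src: str, port: int,
                    primary_up: bool) -> Tuple[str, str]:
    """Return (egress interface, translated source) for a reply leaving src:port."""
    iface = egress_interface(primary_up)
    policy = select_policy(policies, src, port, iface)
    # Assumption for this model: with no matching policy the packet leaves with
    # the egress interface's own address.
    translated = policy.translated_source if policy else INTERFACE_IP[iface]
    return iface, translated


def source_matches_interface(iface: str, translated: str) -> bool:
    """The translated source must belong to the block routed on the egress interface."""
    return ipaddress.ip_address(translated) in INTERFACE_BLOCKS[iface]


# The original rule from the thread: one static, interface "Any".
BEFORE = [NatPolicy(EXCHANGE_LAN, X1_STATIC)]

# The fix from the accepted solution: one rule per interface, each with its own static.
AFTER = [
    NatPolicy(EXCHANGE_LAN, X1_STATIC, outbound_interface="X1"),
    NatPolicy(EXCHANGE_LAN, X2_STATIC, outbound_interface="X2"),
]


def audit(policies: List[NatPolicy], primary_up: bool) -> Tuple[str, str, bool]:
    """Egress interface, source address used, and whether that source is routable there."""
    iface, translated = outbound_source(policies, EXCHANGE_LAN, 25, primary_up)
    return iface, translated, source_matches_interface(iface, translated)


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        for primary_up in (True, False):
            iface, src, ok = audit(table, primary_up)
            state = "primary up" if primary_up else "primary down"
            print(f"{label:6} {state:12} -> egress {iface}, source {src}, "
                  f"{'ok' if ok else 'WRONG BLOCK (reply will be dropped)'}")
```

Running the script shows the "before" table passing while X1 is up and failing once traffic moves to X2 (source still 205.x on a 204.x link), and the "after" table passing in both states. The same check generalizes to the web-server rules: any policy with a static translated source should be bound to the interface whose provider owns that address.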
LVL 33

Expert Comment

by:digitap
ID: 34973205
yes, that is frustrating. i've done that before. without seeing the rules myself, this is one of those small details that's easy to overlook. glad you got it!

Author Closing Comment

by:maxtexgr
ID: 35005291
We answered our own question.