Sonicwall NSA 240 VPN Setup and Router Failover

My Sonicwall NSA240 has a VPN tunnel to our main office NSA 3500, which works fine. However, I would also like to have as a backup our other router, which is for a point-to-point T1 that is set up between our sites. Both are routing our local network 10.1.1.0/24. I have a static route pointing to the T1 router for the destination network at our main office of 192.168.0.0/16. I also have checked "allow VPN path to take precedence" in the static route settings, and it seems to be doing this. However, when I disable the VPN tunnel, traffic does not appear to flow to the T1 router. What am I missing here? I have the router connected to the X2 interface of the Sonicwall. It does not have an assigned zone, because when I enter that it's asking for static IP settings, so I left it unassigned. I also tried plugging in directly to the switch, and it still does not appear to route traffic over it. I want to use the T1 router as a failover if the VPN tunnel ever goes down (due to loss of WAN connectivity).
fireguy1125 Asked:

digitap Commented:
To route over the T1, you'd need to provide some kind of gateway for the traffic. You'd have to have a router provided by the vendor of the p2p T1. On the LAN of the router, what's the IP address you've assigned? You'd use that in the static route, which I assume you've done. Or, you could create a new subnet and new zone on the X2 interface.

Additionally, you'd need to configure the routing on the other end as well. The other end would need to know what to do with the traffic as it came out the T1. Otherwise, you're not going to get ping replies and it will seem like traffic isn't flowing over the T1.
0
fireguy1125 Author Commented:
The routing over the T1 is already set up; both ends have a Cisco 1721 router, with the remote site (with NSA 240) having the FE/0 interface assigned 10.1.1.254, and the HQ (site with the NSA 3500) has the Cisco 1721 FE/0 assigned 192.168.10.254. Previously these 2 routers were both just plugged into the switches at each site, and in the Sonicwall we had a static route set up, and it was working fine.

So as I understand, the static routes need to remain in place on the Sonicwalls respectively? How would this be set up in a failover condition? I would not want traffic to flow over the T1 when the VPN tunnel is online and active. This is especially the case when the reply time between the routers over the T1 is 5ms, but over the VPN is 20-30ms.
0
digitap Commented:
Thanks for the extra details. Yes, you'd need to maintain the routes on either end. From experience, I've seen that having the secondary Internet connection (like your p2p T1) on its own interface and zone worked the best. We've had issues with this in the past in that we'd have Internet trouble at one end and that end would route over a T1 connection, but the other end would think the VPN was still online. It would then try to route over the VPN. It doesn't work well like that. This was on a much older firmware.

You are disabling the VPN, but I'm not sure that's what is going to trigger routing to the T1. You may need to remove the network cable from the WAN interface to cause the failover to work properly.

What firmware are you running? With the latest firmware, you can set up a probe on your route to actively determine if the connection is up or down. Theoretically, if the VPN goes down, then one end or the other is experiencing an Internet loss. The probe would help monitor the connection more actively.
0
