
SonicWALL TZ 190 and WAN failover functionality


I am considering getting business cable plus a dedicated line from two different ISPs and using the WAN failover feature of our SonicWALL TZ 190 to fail over to the dedicated line if the cable connection goes down. Some servers (Exchange, SharePoint, CRM) need to be accessible externally and so they need public IP addresses. The public IP addresses need to belong to the secondary WAN's address space so that if the primary goes down, the IPs are still accessible (if I'm understanding this correctly).

The SonicWALL's help page says this about WAN failover:

WAN Failover and Load-Balancing applies to outbound-initiated traffic only; it cannot be used to perform inbound load-balancing functions, such as what a content switching or load-balancing appliance provides.

Does anyone know how this affects traffic from an external source directed to the secondary WAN (e.g. mail server)? Does the secondary still receive external->internal traffic when WAN failover is using the active-passive configuration? In other words, does a passive secondary mean that only outbound traffic is limited to the primary until the primary fails, and inbound traffic is allowed on both WANs?

In this scenario should I use the active-passive failover configuration, or one of the others like spillover-based or percentage-based?
2 Solutions
Assuming that the SonicWALL will let you set up NAT to the secondary address space, then the services should still be accessible if the primary connection goes down.

The statement about the outbound means that the SonicWALL can't switch routes for inbound connections. In other words, you can't run Exchange bound to the primary IP and have it fail over to the secondary ISP if the primary goes down. The failover on this switch is primarily designed for making sure the users can still hit the internet if the primary goes down. It is not designed to host services (Exchange etc.). To get front-end failover you would have to look at some sort of load balancing solution like FatPipe (www.fatpipe.com).
With failover you could still receive incoming mail on the secondary WAN interface by setting MX records at your ISP with a higher priority using that IP address. When it can't get to the first (failed) IP, it will automatically go to the second.

As far as accessing an inside web site, the DNS resolution will still go to the one (failed) IP address. However, if you set up a secondary URL that resolves to the backup IP, then that could be used to access the web server. Not automatic, your users would have to know about it, but it works. Note that you would have to create rules for all things you want to work on the secondary WAN, just like the primary.

As far as sending mail, if your primary ISP allows access to their mail servers from anywhere not on their network, then it should work. Many ISPs block this. Note that things like SPF records and reverse DNS lookups could present a problem. However, if you are using a mail forwarding service (like TREND), then it should continue to work regardless of which interface the mail comes from.

As far as the failover method, active/passive is the simplest. If you share the load, it is possible that the SonicWALL can send out part of a transaction on one WAN, and another part on the other WAN. Depending upon what you are doing and who is on the other end, this could make what you are doing stop working when it switches. It is possible to lock things to a single interface, but I don't think the TZ190 has that feature.

Hope this gives you some ideas.
joshvazquez (Author) commented:
"As far as sending mail, if your primary ISP allows access to their mail servers from anywhere not on their network, then it should work. Many ISPs block this. Note that things like SPF records and reverse DNS lookups could present a problem."

I may have explained this less than ideally. The actual configuration of the mail and other servers is a NIC configured with an internal IP address only. The Public Server Wizard on the SonicWALL was used to create NAT policies that translate a public IP address in our assigned address block to the internal address of the server. A DNS record on the outside with our domain host points to this IP address.

So mail leaving the LAN will have the source IP of whatever interface it went out on (primary or secondary WAN), not the mail server's "public" IP.

Does this change your recommendation for active/passive? I'm still not sure if incoming traffic destined to those public IPs belonging to the secondary WAN will get through the SonicWALL when the primary is online and using the active/passive configuration. That's my biggest concern. SonicWALL support won't help me unless I pay for a support call.
I was not referring to outgoing mail with the MX record example, only incoming. If you have two ISPs then you should have two incoming SMTP servers (NAT on each interface) set up. If you set the MX priority to say 10 on that interface and 20 on the other, then if the first fails the mail will automatically be directed to the second.

Recommendation for active/passive still stands unless you are bandwidth limited and need to direct specific traffic (web browsing for example) out the other interface.
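The two points the answers above hinge on, MX-preference fallback for inbound mail and the SPF problem for mail that leaves on the secondary WAN's source address, can be checked offline. The following is an added example written for this page, not code from the thread or from SonicWALL; the hostnames, MX preferences and addresses are constructed (TEST-NET ranges stand in for the two ISPs' blocks), and the SPF evaluator handles only the `ip4:`/`ip6:` mechanisms and `all`.

```python
"""Added example (not from the original thread): simulate the two checks the
answers rely on when public servers sit behind a WAN-failover firewall:
(1) MX-preference fallback for inbound mail when one WAN is down, and
(2) whether outbound mail sourced from EITHER WAN address passes SPF.
Every address and record below is constructed for illustration."""

import ipaddress

# Constructed MX records: (preference, hostname, public IP).
# 10 -> NAT'd mail address in the primary ISP's block,
# 20 -> NAT'd mail address in the secondary ISP's block.
MX_RECORDS = [
    (10, "mail1.example.com", "203.0.113.10"),
    (20, "mail2.example.com", "198.51.100.10"),
]

# Constructed public addresses the firewall uses as outbound source per WAN.
WAN_IPS = {"primary": "203.0.113.10", "secondary": "198.51.100.10"}

# Constructed SPF records: one that lists both WAN addresses, one that
# lists only the primary (the situation the second answer warns about).
SPF_BOTH_WANS = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.10 -all"
SPF_PRIMARY_ONLY = "v=spf1 ip4:203.0.113.10 -all"


def pick_mx(records, reachable):
    """Return the host a sending MTA delivers to: lowest preference first,
    moving to the next record only if that host does not answer.
    `reachable` is a constructed set of IPs currently accepting port 25."""
    for _pref, host, ip in sorted(records):
        if ip in reachable:
            return host
    return None  # every MX unreachable: mail queues at the sender


def spf_check(spf_record, sender_ip):
    """Minimal SPF evaluation (ip4/ip6 mechanisms and 'all' only).
    Returns 'pass', 'fail', 'softfail' or 'neutral' like a real check."""
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    ip = ipaddress.ip_address(sender_ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip in net:
                return results[qualifier]
        elif term == "all":
            return results[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def outbound_spf_report(spf_record, wan_ips=WAN_IPS):
    """SPF verdict for mail leaving on each WAN; a 'fail' on the secondary
    means mail sent during failover would be rejected by strict receivers."""
    return {wan: spf_check(spf_record, ip) for wan, ip in wan_ips.items()}


if __name__ == "__main__":
    both_up = set(WAN_IPS.values())
    primary_down = {WAN_IPS["secondary"]}
    print("inbound MX, both WANs up:     ", pick_mx(MX_RECORDS, both_up))
    print("inbound MX, primary down:     ", pick_mx(MX_RECORDS, primary_down))
    print("SPF listing only primary:     ", outbound_spf_report(SPF_PRIMARY_ONLY))
    print("SPF listing both WAN sources: ", outbound_spf_report(SPF_BOTH_WANS))
```

Running it shows inbound mail landing on the secondary MX only when the primary is unreachable, and that the SPF record must list both WAN source addresses or outbound mail during a failover fails SPF, which is the caveat the second answer raised.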
