
WAN failover on a Sonicwall

We have two offices that require inter-connectivity and standalone internet connections.

Each site has a Sonicwall firewall acting as their primary WAN. Internet traffic is sent out through the sonicwall.

The sites are interconnected with a PtP wireless solution. The SonicWALLs at both sites have a dedicated interface for the PtP dish, and routing has been set up to allow traffic to go freely between the sites on the LAN side.

What we want to be able to do is fail over the internet via the PtP dish to the SonicWALL at the other site in case the internet fails at either site.

On a Cisco it's as simple as adding a secondary default route with a higher metric, but on the SonicWALLs the default route for whatever reason has a metric of 255 and is uneditable!?

What other options do we have?
1 Solution
Aaron Tomosky (Technology Consultant) commented:
Can you show a screenshot? I have a similar setup with a secondary wired connection instead of wireless and it works fine
bbao (IT Consultant) commented:
I think it depends on the SonicWALL model and whether failover is supported on the interface for site interconnection. More info please?
Blue Street Tech (Last Knights) commented:
First you have to answer our questions so that we can communicate on this, but this is what I think you are trying to achieve.

Here is an example diagram below. (Screenshot: Example Diagram)

Before defining the methods to configure the failover, the following factors are assumed to be in place:
1. That a site to site VPN has been configured correctly and tunnel is up.
2. That a direct or MPLS connection exists between Site A and Site B.
3. That although a direct connection exists between Site A and Site B, traffic is passing to the other side over the VPN tunnel.

The configuration for failover

Create a probe-dependent static route to route all traffic destined to the remote MPLS network. This route would take precedence over the VPN route. The probe target should be the IP address of the MPLS router on the other side. The probe target is defined by creating a Network Monitor Policy under Network > Network Monitor.

A separate route should be created defining the path to take to reach the probe target. Network Monitor Policy would probe the target regularly. Failure of the MPLS connection would also result in the failure of the probe target. When the probe fails, SonicWALL would disable the static route thus allowing the VPN kernel routes (hidden) to take precedence.

When the probe target is reachable again, the static route would be re-enabled, forcing traffic over the MPLS connection.

1. Create Address Objects

Create the following address objects under Network > Address Objects and group them.
NSA 2400 LAN Network
NSA 220 LAN Network
NSA 2400 DMZ Network
NSA 220 DMZ Network
(Screenshots: Address Group on NSA 220; Address Group on NSA 2400)
NSA 2400 DMZ Gateway
NSA 220 DMZ Gateway
NSA 2400 MPLS Router
NSA 220 MPLS Router
(Screenshots: MPLS Router on the NSA 2400; MPLS Router on the NSA 220; DMZ Gateway on the NSA 2400; DMZ Gateway on the NSA 220)

2. Create a Network Monitor Policy

The probe target is defined by creating a Network Monitor Policy under Network > Network Monitor.
(Screenshots: Network Monitor page; Network Monitor page on the NSA 2400 if target is alive; Network Monitor page on the NSA 220 if target is alive)

3. Create Static Routes

Create a static route to route traffic to the probe target (Network > Routing). Create a static route to pass all traffic over the direct connection with probing enabled.

4. Here's How to Test

On creating the routes, traffic would be forwarded through the direct or MPLS connection. The site to site VPN policy would still show as up with a green light. To test whether failover and fallback are functioning as intended, perform the following:

1. Disconnect, either physically or logically, the MPLS connection.
2. The Network Monitor policy will become inactive as the probing defined in the policy to the probe target will fail.
3. Consequent to the probe failure, the static route created to route traffic to the other side will be disabled.
4. When the static route is disabled, the VPN kernel routes will be re-enabled and traffic will be forwarded over the VPN tunnel.
5. Re-connect the MPLS connection.
6. The Network Monitor policy will become active again as the probing defined in the policy is successful.
7. When the probe succeeds the static route will be re-enabled automatically.
8. As the static route takes precedence over VPN routes, traffic will again be routed through the direct or MPLS connection.

Let me know how it goes!

P.S. The images mention NSA 240 but just substitute them for NSA 220 - all applies in the same manner.
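The following is an added model of the route-selection behaviour the answer above describes (a probe-dependent static route that is disabled while its Network Monitor target is unreachable, letting the lower-precedence VPN route take over, and re-enabled when the probe succeeds). It is example code, not SonicOS logic or anything from the original post; the addresses, policy name and metrics are constructed, and the VPN route's higher metric simply stands in for "static routes take precedence over VPN routes".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    dest: str                    # destination network
    gateway: str                 # next hop (an address object on the page)
    metric: int                  # lower wins; static < VPN models static precedence
    probe: Optional[str] = None  # Network Monitor policy this route depends on

class RouteTable:
    def __init__(self, routes):
        self.routes = routes
        self.probe_alive = {}    # Network Monitor policy name -> target alive?

    def set_probe(self, name, alive):
        self.probe_alive[name] = alive

    def lookup(self, dst_ip):
        """Best enabled route: longest prefix, then lowest metric.
        A probe-dependent route is skipped while its probe target is down."""
        ip = ipaddress.ip_address(dst_ip)
        candidates = [r for r in self.routes
                      if (r.probe is None or self.probe_alive.get(r.probe, False))
                      and ip in ipaddress.ip_network(r.dest)]
        if not candidates:
            return None
        return min(candidates,
                   key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.metric))

# Constructed Site A table: the remote LAN is reachable over MPLS (probe-dependent
# static route) or over the site-to-site VPN (hidden kernel route, lower precedence).
REMOTE_LAN = "192.168.20.0/24"
MPLS_ROUTER = "10.0.0.2"         # constructed probe target: MPLS router on the far side
LOCAL_MPLS_GW = "10.0.0.1"       # constructed next hop used to reach the probe target
VPN_TUNNEL = "vpn-tunnel"

def site_a_table():
    return RouteTable([
        Route(MPLS_ROUTER + "/32", LOCAL_MPLS_GW, 1),           # separate route to the probe target
        Route(REMOTE_LAN, MPLS_ROUTER, 1, probe="MPLS-Probe"),  # static route with probing enabled
        Route(REMOTE_LAN, VPN_TUNNEL, 100),                     # VPN route, used when static is disabled
    ])

def failover_test():
    """Walk the answer's test: probe alive, MPLS disconnected, MPLS reconnected."""
    rt = site_a_table()
    path = []
    for alive in (True, False, True):
        rt.set_probe("MPLS-Probe", alive)
        path.append(rt.lookup("192.168.20.10").gateway)
    return path   # ['10.0.0.2', 'vpn-tunnel', '10.0.0.2']
```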