Solved

Failover & LB

Posted on 2013-10-31
271 Views
Last Modified: 2013-12-13
Hi

I use a TZ215 with two ISP connections. I want to use them as round robin, but I want one of them to always be the master because I have a fixed IP on it.

What is the best setup to use?

Thanks
0
Question by:jpmoreau
8 Comments
 
LVL 25

Accepted Solution

by:
Diverse IT earned 500 total points
ID: 39616093
Hi jpmoreau,

In order to do that, just put the primary IP at the top...with Round Robin it works in priority status. So in your case traffic flow will flip back and forth between your Primary and Secondary. Literally, if you refresh a web page, the first time it will be on the Primary and on the next refresh it will be on the Secondary side. It sounds like you actually want to just have Basic Active/Passive Failover rather than Round Robin if you want the Primary to truly act as the Primary connection and the Secondary to act only if the Primary fails.

Here is a step-by-step on how to properly set this up: https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=7828

Let me know if you have any questions!
0
 
LVL 2

Expert Comment

by:Jason Palmer
ID: 39616115
By TZ215, I assume you mean Sonicwall.

Your configuration does not really make any sense. Sonicwalls, particularly the TZ series, provide Fail-Over (Active-Passive) and not Active-Active configurations.

See the specification/overview page here:

http://www.sonicwall.com/us/en/products/TZ_215.html

If you have two TZ 215 units, then one unit is always primary and the other physical unit is always in Stand-by Mode.

Given that you have only one Static IP from one specific ISP, you have some choices depending on the speed differential between the two ISP connections and the types of services you are trying to configure.

For example, many of my customers have a static IP for their Mail Services on a T1 or Ethernet over Copper legacy or slower connection that has a real SLA (Service Level Agreement), and then a significantly less expensive but much faster Cable/FiOS broadband connection with a Dynamic IP which is used for high speed web browsing and file transfer, or streaming video, music, etc. In this case, we create Sonicwall Rules to Route all mail services over the Primary interface and all FTP/HTTP traffic over the secondary dynamic IP interface. We also configure a dynamic DNS service, such as dyndns.org, on the dynamic IP broadband connection and set a lower priority MX record to that CNAME.

Should the primary connection go down, mail will arrive via the dynamic DNS entry to the lower priority MX record.

If you are using the SSL-VPN or any type of VPN/dedicated services, just give users two different URLs to access, i.e. vpn.domain.com and vpn2.domain.com as the fall-back.

If you are trying to host a web site internally with two carriers having one static and one dynamic address, this is much harder to do because of the way that larger providers cache DNS entries. So, unless you use a rock solid third party DNS provider like dyn.com or ultraDNS.com that use unicast, where DNS updates are virtually instantaneous, it could take hours or even a day for most ISPs and the likes of Verizon or Comcast or Cablevision to properly route the CNAME to the Fail-over A Record.

To be clear: There are two parts to your solution depending on the services you are trying to keep "up" in the event of primary ISP failure. If there are no internal services that are accessible from the outside, none of this matters. Just configure the TZ 215 in straight fail-over mode for all services. If there are internal services that need access from the outside, i.e. mail or web hosting, then it is critical that you create proper dynamic DNS host names and work with a DNS provider that can update entries globally quickly using some form of unicast technology. Most regular ISPs just use BIND and this will leave you with a period of down time unless you have explicit control of the TTL (Time to Live) of your DNS Records.

Hope this helps,

Jason.
0
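The mail failover Jason describes (a primary MX on the static IP plus a lower priority MX pointing at a dynamic DNS name, with DNS TTLs deciding how long stale caches linger) can be checked against a small model of how sending mail servers pick an MX host. The following is an added example written for this thread, not code from any poster or from SonicWall; the record values, host names under example.com and the 600-second failover target are constructed for illustration.

```python
"""Added example (not from the thread): MX-based mail failover as described above,
modelled against constructed DNS records.

Per RFC 5321, a sending SMTP client tries MX hosts in ascending preference order and
only moves to the next host when the current one cannot be reached. A primary MX on the
static IP (preference 10) plus a lower priority MX on a dynamic-DNS name (preference 20)
therefore fails over without any DNS change at failure time. The remaining DNS dependency
is the A record behind the dynamic name: its TTL bounds how long resolvers keep the old
address after the broadband IP changes.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class MXRecord:
    preference: int    # lower value is tried first (RFC 5321 preference)
    exchange: str      # mail exchanger host name
    dynamic: bool      # True if the exchange resolves through a dynamic DNS name
    address_ttl: int   # TTL (seconds) of the A record the exchange name resolves to


# Constructed sample records; example.com is a reserved documentation domain.
SAMPLE_MX = [
    MXRecord(preference=20, exchange="mail-ddns.example.com", dynamic=True, address_ttl=300),
    MXRecord(preference=10, exchange="mail.example.com", dynamic=False, address_ttl=3600),
]


def order_mx(records: Iterable[MXRecord]) -> List[MXRecord]:
    """Return the records in the order a sending SMTP client tries them."""
    return sorted(records, key=lambda r: (r.preference, r.exchange))


def choose_mx(records: Iterable[MXRecord], reachable: Callable[[str], bool]) -> Optional[str]:
    """First reachable exchange in preference order; None if every host is down.

    'reachable' stands in for the sender's TCP connect attempt on port 25.
    """
    for rec in order_mx(records):
        if reachable(rec.exchange):
            return rec.exchange
    return None


def failover_readiness(records: Iterable[MXRecord], max_ttl: int) -> List[str]:
    """Check the points the thread raises for outside-reachable mail.

    Returns a list of problems; an empty list means the records support failover:
    - at least two exchangers, so there is a fallback path;
    - distinct preferences, otherwise senders spread load instead of failing over;
    - any dynamic exchange has an address TTL at or below the failover target,
      since a long TTL is what leaves the 'hours or even a day' of downtime.
    """
    recs = list(records)
    problems: List[str] = []
    if len(recs) < 2:
        problems.append("only one MX host: no fallback path")
    if len({r.preference for r in recs}) != len(recs):
        problems.append("duplicate preferences: senders will load-balance, not fail over")
    for r in recs:
        if r.dynamic and r.address_ttl > max_ttl:
            problems.append(
                f"{r.exchange}: address TTL {r.address_ttl}s exceeds {max_ttl}s failover target"
            )
    return problems


def seconds_until_caches_expire(ttl: int, changed_at: int, now: int) -> int:
    """Worst-case time (seconds) until a resolver that cached the old address just
    before the change at 'changed_at' asks again; 0 once the TTL has elapsed."""
    return max(0, changed_at + ttl - now)


if __name__ == "__main__":
    print("try order:", [r.exchange for r in order_mx(SAMPLE_MX)])
    print("primary up:", choose_mx(SAMPLE_MX, lambda host: True))
    print("primary down:", choose_mx(SAMPLE_MX, lambda host: host != "mail.example.com"))
    print("readiness problems:", failover_readiness(SAMPLE_MX, max_ttl=600))
    print("stale window after IP change:", seconds_until_caches_expire(300, 1000, 1100), "s")
```

Running it shows the static-IP host being tried first, the dynamic-DNS host taking over only when the primary is unreachable, and the readiness check passing because the dynamic record's TTL is short; raising that TTL to a day or giving both records the same preference makes the check report the problem.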
 

Author Comment

by:jpmoreau
ID: 39641988
Will check this in two weeks
0

 
LVL 25

Expert Comment

by:Diverse IT
ID: 39654174
Sounds good...keep me posted!
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39678790
I'm glad I could help...thanks for the points!
0
 

Expert Comment

by:fluidequipment
ID: 39716979
"For example, many of my customers have a static IP for their Mail Services on a T1 or Ethernet over Copper legacy or slower connection that has a real SLA (Service Level Agreement), and then a significantly less expensive but much faster Cable/FiOS broadband connection with a Dynamic IP which is used for high speed web browsing and file transfer, or streaming video, music, etc. In this case, we create Sonicwall Rules to Route all mail services over the Primary interface and all FTP/HTTP traffic over the secondary dynamic IP interface."

This is exactly what I am looking to do on my TZ215 device. Would you be able to elaborate further on how to specifically and correctly create this static route for mail? Thanks!

Also, I am having trouble deciding on what failover/LB mode to use. I currently have it set to basic failover, but does this mean that my secondary WAN is on standby completely until WAN1 fails? To the point that I can't even route traffic through it with static routes?
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39717779
@fluidequipment - Sure go ahead and ask a new Question...and we'd love to take care of this for you!
0
