Internet fail over


I use a SonicWall TZ215 and I want to connect two ISP link with different fixed IP. The problem I have is that if I switch from my main ISP to the second my VPNS are going down and the Excahnge doesn't receive emails anymore. I there a way to emulate the the IP is never changing even if I switch from one link to another?

I hope I'm clear enough
Who is Participating?
Peter WilsonConnect With a Mentor ITCommented:
You never answered my question, but you need a PBR (Policy Based Route) otherwise it will never work. The way it has been described for you to setup the SonicWALL will never know which is the correct route, hence you have issues.

Click on Network > Routing.
Add to create a static route. The source will be the address object of the mail server’s private IP address (if not already create, please create), the destination will be “Any”, and the service will be “SMTP (Send Email)”. Select X2 Default Gateway as the Gateway.

Then you need to setup the Probe-enabled Policy Based Routing Config.

When configuring a static route, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy.


In the Probe pulldown menu select the appropriate Network Monitor object or select Create New Network Monitor object... to dynamically create a new object.


Typical configurations will not check the Disable route when probe succeeds checkbox, because typically administrators will want to disable a route when a probe to the route’s destination fails. This option is provided to give administrators added flexibility for defining routes and probes.


Select the Probe default state is UP to have the route consider the probe to be successful (i.e. in the “UP” state) when the attached Network Monitor policy is in the “UNKNOWN” state. This is useful to control the probe-based behavior when a unit of a High Availability pair transitions from “IDLE” to “ACTIVE,” because this transition sets all Network Monitor policy states to “UNKNOWN.”


Click OK to apply the configuration.
To determine which Gateway to send SMTP traffic through, you must determine which interface is the Primary WAN.  By default, this is X1.

Click on Network > WAN Failover & LB.
On this page, the SonicWALL will display which interface is the Primary WAN Ethernet Interface, and which interfaces are Alternate WANs.

Keep me posted.
Kash2nd Line EngineerCommented:
your question is quite clear but you have 2 connections with 2 separate IP addresses so when a failover happens it has to switch from one to the other.

have you defined a VPN failover policy as well for connections to move over. I have not had much play with sonicwalls but in draytek you can do so. should be similar in sonicwall.
Peter WilsonITCommented:
What type of VPNs are these: SSL-VPN, GVC, STS? If it is SSL-VPN or GVC then I'd setup another DNS Zone record for it like and If you are using SSL-VPNs then you will want to purchase a wildcard SSL Cert to cover both connections.

If you are using a STS (Site-to-Site) VPN then you will want to create a static route to pass all traffic over the direct connection with probing enabled. The probing will sense an issue and use the static route rule to flow to the new location. If you need assistance with its setup just let me know.

I'm assuming the Exchange server is on premise?
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

BrandonConnect With a Mentor Project Manager, IT Systems and Software DesignCommented:
This was very confusing for me too when i set up a failover with a different ISP.

In the NETWORK>INTERFACES section make sure you have two WAN ports setup, X1 for your main and X2 (or whatever number) as your backup internet. Enter all the correct details for both of these.

At this point all your device knows is you have two WAN ports but ALL your firewall settings only know about the X1 port. So when that goes down and your X2 takes over, your firewall is still trying to send everything thru the X1 port...which is down.

You need to setup a NAT Policy for the X2 port.
in NETWORK>NAT POLICIES add a new policy with the following...
Original Source = Any
select your Xx (lan port) from translated source
original dest = any
Translated Dest = orignal
original service = any
translated service = original
inbound interface = Xx(lan)
outbound interface = X2

Now you might have another issue with your email bouncing from others if the IP addresses don't match the signed certificate. This is an entirely different issue you can attack after you get the traffic routing correctly.

This should work. if not let me know and i'll take a copy of my settings and forward over.
jpmoreauAuthor Commented:
It seems to work but the problem I have now is that my Exchange is working weird. Sometime the emails are not going out.
BrandonProject Manager, IT Systems and Software DesignCommented:

Are you getting bounces?
Are the emails sitting in the user's outbox?
Are the sitting on the server's cue?
jpmoreauAuthor Commented:
Yes the emails are sitting in the queue. When I remove the second IPS link the emails are going out
BrandonProject Manager, IT Systems and Software DesignCommented:
Like Peter Wilson posted, a better analogy of what I was trying to say.

The router knows to send your smtp traffic out the front door. But you are trying to send to the back door. when the front door is down, the router doesn't know what to do so the server holds the emails in the queue.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.