Solved

Internet fail over

Posted on 2014-07-30
10
200 Views
Last Modified: 2014-10-21
Hi

I use a SonicWall TZ215 and I want to connect two ISP links with different fixed IPs. The problem I have is that if I switch from my main ISP to the second, my VPNs go down and the Exchange doesn't receive emails anymore. Is there a way to emulate that the IP never changes even if I switch from one link to another?

I hope I'm clear enough
0
Question by:jpmoreau
10 Comments
 
LVL 19

Expert Comment

by:Kash
Your question is quite clear, but you have 2 connections with 2 separate IP addresses, so when a failover happens it has to switch from one to the other.

Have you defined a VPN failover policy as well for connections to move over? I have not had much play with SonicWalls, but in DrayTek you can do so. It should be similar in SonicWall.
0
 
LVL 2

Expert Comment

by:Peter Wilson
What type of VPNs are these: SSL-VPN, GVC, STS? If it is SSL-VPN or GVC then I'd set up another DNS zone record for it like vpn1.domain.com and vpn2.domain.com. If you are using SSL-VPNs then you will want to purchase a wildcard SSL cert to cover both connections.

If you are using a STS (Site-to-Site) VPN then you will want to create a static route to pass all traffic over the direct connection with probing enabled. The probing will sense an issue and use the static route rule to flow to the new location. If you need assistance with its setup just let me know.

I'm assuming the Exchange server is on premise?
0
 
LVL 3

Assisted Solution

by:Brandon
Brandon earned 250 total points
This was very confusing for me too when I set up a failover with a different ISP.

In the NETWORK>INTERFACES section make sure you have two WAN ports setup, X1 for your main and X2 (or whatever number) as your backup internet. Enter all the correct details for both of these.

At this point all your device knows is you have two WAN ports, but ALL your firewall settings only know about the X1 port. So when that goes down and your X2 takes over, your firewall is still trying to send everything through the X1 port... which is down.

You need to set up a NAT Policy for the X2 port.
In NETWORK>NAT POLICIES add a new policy with the following...
Original Source = Any
Translated Source = Xx (your LAN port)
Original Destination = Any
Translated Destination = Original
Original Service = Any
Translated Service = Original
Inbound Interface = Xx (LAN)
Outbound Interface = X2
Enable
OK

Now you might have another issue with your email bouncing from others if the IP addresses don't match the signed certificate. This is an entirely different issue you can attack after you get the traffic routing correctly.

This should work. If not, let me know and I'll take a copy of my settings and forward it over.
0
 

Author Comment

by:jpmoreau
It seems to work, but the problem I have now is that my Exchange is working weird. Sometimes the emails are not going out.
0
 
LVL 3

Expert Comment

by:Brandon
JPMOREAU,

Are you getting bounces?
Are the emails sitting in the user's outbox?
Are they sitting in the server's queue?
0
 

Author Comment

by:jpmoreau
Yes, the emails are sitting in the queue. When I remove the second ISP link the emails go out.
0
 
LVL 2

Accepted Solution

by:Peter Wilson
Peter Wilson earned 250 total points
You never answered my question, but you need a PBR (Policy Based Route), otherwise it will never work. Set up the way it has been described for you, the SonicWALL will never know which is the correct route, hence you have issues.

Click on Network > Routing.
Click Add to create a static route. The source will be the address object of the mail server's private IP address (if not already created, please create it), the destination will be "Any", and the service will be "SMTP (Send Email)". Select X2 Default Gateway as the Gateway.

Then you need to set up the Probe-enabled Policy Based Routing config.

When configuring a static route, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy.

1. In the Probe pulldown menu select the appropriate Network Monitor object, or select "Create New Network Monitor object..." to dynamically create a new object.

2. Typical configurations will not check the "Disable route when probe succeeds" checkbox, because typically administrators will want to disable a route when a probe to the route's destination fails. This option is provided to give administrators added flexibility for defining routes and probes.

3. Select "Probe default state is UP" to have the route consider the probe to be successful (i.e. in the "UP" state) when the attached Network Monitor policy is in the "UNKNOWN" state. This is useful to control the probe-based behavior when a unit of a High Availability pair transitions from "IDLE" to "ACTIVE", because this transition sets all Network Monitor policy states to "UNKNOWN".

4. Click OK to apply the configuration.

To determine which Gateway to send SMTP traffic through, you must determine which interface is the Primary WAN. By default, this is X1.

Click on Network > WAN Failover & LB.
On this page, the SonicWALL will display which interface is the Primary WAN Ethernet Interface, and which interfaces are Alternate WANs.

Keep me posted.
1
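A small model of the probe-enabled policy route described in the accepted solution, added here as an illustration for this thread (it is not SonicOS code or configuration). It assumes a first-match route table, a Network Monitor state per probe, and the three dialog options the answer names; the address object and monitor names are made up.

```python
# Added example: models how a probe-enabled Policy Based Route decides the
# egress gateway for the mail server's SMTP traffic. Simplified assumption:
# first enabled matching route wins, otherwise traffic follows the default
# route on the primary WAN (X1), which is of no use while X1 is down.
from dataclasses import dataclass
from typing import Dict, List, Optional

UP, DOWN, UNKNOWN = "UP", "DOWN", "UNKNOWN"


@dataclass
class Route:
    source: str                        # address object, e.g. "MailServer" or "Any"
    service: str                       # e.g. "SMTP" or "Any"
    gateway: str                       # e.g. "X2 Default Gateway"
    probe: Optional[str] = None        # Network Monitor object; None = plain static route
    disable_when_probe_succeeds: bool = False   # the rarely-used checkbox
    probe_default_up: bool = False              # "Probe default state is UP"


def route_enabled(route: Route, probe_states: Dict[str, str]) -> bool:
    """A probed route is dynamically enabled/disabled from its probe state."""
    if route.probe is None:
        return True
    state = probe_states.get(route.probe, UNKNOWN)
    if state == UNKNOWN:               # e.g. right after an HA IDLE -> ACTIVE transition
        probe_ok = route.probe_default_up
    else:
        probe_ok = state == UP
    return not probe_ok if route.disable_when_probe_succeeds else probe_ok


def egress(src: str, service: str, routes: List[Route],
           probe_states: Dict[str, str], primary_wan_up: bool) -> Optional[str]:
    """Gateway used for a flow, or None when no usable route exists
    (the mail then sits in the Exchange queue, as in the thread)."""
    for r in routes:
        if (r.source in (src, "Any") and r.service in (service, "Any")
                and route_enabled(r, probe_states)):
            return r.gateway
    return "X1 Default Gateway" if primary_wan_up else None


# Constructed route table matching the answer: MailServer -> Any, SMTP, via X2,
# tied to a (made-up) Network Monitor object for the X2 link.
SMTP_VIA_X2 = [Route("MailServer", "SMTP", "X2 Default Gateway", probe="X2-Monitor")]

if __name__ == "__main__":
    x1_down = {"X2-Monitor": UP}
    print("no PBR, X1 down:", egress("MailServer", "SMTP", [], x1_down, False))
    print("PBR,    X1 down:", egress("MailServer", "SMTP", SMTP_VIA_X2, x1_down, False))
```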
 
LVL 3

Expert Comment

by:Brandon
What Peter Wilson posted is a better analogy of what I was trying to say.

The router knows to send your SMTP traffic out the front door. But you are trying to send it to the back door. When the front door is down, the router doesn't know what to do, so the server holds the emails in the queue.
0