Internet fail over

Posted on 2014-07-30
Medium Priority
Last Modified: 2014-10-21

I use a SonicWall TZ215 and I want to connect two ISP links with different fixed IPs. The problem I have is that if I switch from my main ISP to the second, my VPNs are going down and the Exchange doesn't receive emails anymore. Is there a way to emulate that the IP is never changing even if I switch from one link to another?

I hope I'm clear enough
Question by:jpmoreau

Expert Comment

ID: 40229557
Your question is quite clear, but you have 2 connections with 2 separate IP addresses, so when a failover happens it has to switch from one to the other.

Have you defined a VPN failover policy as well for connections to move over? I have not had much play with SonicWalls, but in DrayTek you can do so. It should be similar in SonicWall.

Expert Comment

by:Peter Wilson
ID: 40239946
What type of VPNs are these: SSL-VPN, GVC, STS? If it is SSL-VPN or GVC then I'd set up another DNS Zone record for it like vpn1.domain.com and vpn2.domain.com. If you are using SSL-VPNs then you will want to purchase a wildcard SSL Cert to cover both connections.

If you are using an STS (Site-to-Site) VPN then you will want to create a static route to pass all traffic over the direct connection with probing enabled. The probing will sense an issue and use the static route rule to flow to the new location. If you need assistance with its setup just let me know.

I'm assuming the Exchange server is on premise?

Assisted Solution

Brandon earned 1000 total points
ID: 40263973
This was very confusing for me too when I set up a failover with a different ISP.

In the NETWORK>INTERFACES section make sure you have two WAN ports set up, X1 for your main and X2 (or whatever number) as your backup internet. Enter all the correct details for both of these.

At this point all your device knows is you have two WAN ports but ALL your firewall settings only know about the X1 port. So when that goes down and your X2 takes over, your firewall is still trying to send everything thru the X1 port...which is down.

You need to set up a NAT Policy for the X2 port.
In NETWORK>NAT POLICIES add a new policy with the following...
Original Source = Any
Select your Xx (LAN port) from Translated Source
Original Dest = Any
Translated Dest = Original
Original Service = Any
Translated Service = Original
Inbound Interface = Xx (LAN)
Outbound Interface = X2

Now you might have another issue with your email bouncing from others if the IP addresses don't match the signed certificate. This is an entirely different issue you can attack after you get the traffic routing correctly.

This should work. If not, let me know and I'll take a copy of my settings and forward it over.
Author Comment

ID: 40270361
It seems to work, but the problem I have now is that my Exchange is working weird. Sometimes the emails are not going out.

Expert Comment

ID: 40270474

Are you getting bounces?
Are the emails sitting in the user's outbox?
Are they sitting in the server's queue?

Author Comment

ID: 40301346
Yes, the emails are sitting in the queue. When I remove the second ISP link the emails are going out.

Accepted Solution

Peter Wilson earned 1000 total points
ID: 40301478
You never answered my question, but you need a PBR (Policy Based Route), otherwise it will never work. The way it has been described for you to set up, the SonicWALL will never know which is the correct route, hence you have issues.

Click on Network > Routing.
Add to create a static route. The source will be the address object of the mail server’s private IP address (if not already created, please create it), the destination will be “Any”, and the service will be “SMTP (Send Email)”. Select X2 Default Gateway as the Gateway.

Then you need to set up the Probe-enabled Policy Based Routing Config.

When configuring a static route, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy.


In the Probe pulldown menu select the appropriate Network Monitor object or select Create New Network Monitor object... to dynamically create a new object.


Typical configurations will not check the Disable route when probe succeeds checkbox, because typically administrators will want to disable a route when a probe to the route’s destination fails. This option is provided to give administrators added flexibility for defining routes and probes.


Select the Probe default state is UP to have the route consider the probe to be successful (i.e. in the “UP” state) when the attached Network Monitor policy is in the “UNKNOWN” state. This is useful to control the probe-based behavior when a unit of a High Availability pair transitions from “IDLE” to “ACTIVE,” because this transition sets all Network Monitor policy states to “UNKNOWN.”


Click OK to apply the configuration.
To determine which Gateway to send SMTP traffic through, you must determine which interface is the Primary WAN.  By default, this is X1.

Click on Network > WAN Failover & LB.
On this page, the SonicWALL will display which interface is the Primary WAN Ethernet Interface, and which interfaces are Alternate WANs.

Keep me posted.
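
A small model of the probe-enabled policy-based route described in the accepted solution, showing which gateway the mail server's SMTP traffic takes for each Network Monitor state. This is an added example, not part of the original thread and not SonicWall code. The address object name `MailServer`, the first-match route ordering, the X1 default route, and treating an UNKNOWN probe as failed unless "Probe default state is UP" is checked are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

UP, DOWN, UNKNOWN = "UP", "DOWN", "UNKNOWN"

@dataclass
class Route:
    source: str                        # address object name, or "Any"
    service: str                       # service object name, or "Any"
    gateway: str
    probe: Optional[str] = None        # Network Monitor state; None = no probe attached
    default_state_up: bool = False     # "Probe default state is UP" checkbox
    disable_on_success: bool = False   # "Disable route when probe succeeds" checkbox

    def enabled(self) -> bool:
        if self.probe is None:
            return True                # plain static route, always active
        state = self.probe
        if state == UNKNOWN:           # e.g. right after an HA unit goes IDLE -> ACTIVE
            state = UP if self.default_state_up else DOWN   # assumption, see lead-in
        succeeded = state == UP
        # Typical setup: route is active while the probe succeeds.
        return not succeeded if self.disable_on_success else succeeded

    def matches(self, source: str, service: str) -> bool:
        return self.source in ("Any", source) and self.service in ("Any", service)

def pick_gateway(routes, source, service):
    """Return the gateway of the first enabled matching route (most specific listed first)."""
    for route in routes:
        if route.enabled() and route.matches(source, service):
            return route.gateway
    return None

def smtp_gateway(probe_state, default_state_up=False):
    """Gateway used for the mail server's outbound SMTP under the thread's configuration."""
    routes = [
        # The PBR from the accepted solution: mail server -> Any, SMTP, via X2.
        Route("MailServer", "SMTP (Send Email)", "X2 Default Gateway",
              probe=probe_state, default_state_up=default_state_up),
        # Constructed default route through the primary WAN (X1 by default).
        Route("Any", "Any", "X1 Default Gateway"),
    ]
    return pick_gateway(routes, "MailServer", "SMTP (Send Email)")

if __name__ == "__main__":
    for state in (UP, DOWN, UNKNOWN):
        print(state, "->", smtp_gateway(state))
```

Without the probe, the SMTP route stays pinned to its gateway even when that link is dead, which matches the symptom of mail sitting in the server's queue.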

Expert Comment

ID: 40303913
Like Peter Wilson posted, a better analogy of what I was trying to say.

The router knows to send your SMTP traffic out the front door. But you are trying to send to the back door. When the front door is down, the router doesn't know what to do, so the server holds the emails in the queue.

Question has a verified solution.
