Internet fail over

Posted on 2014-07-30
Last Modified: 2014-10-21

I use a SonicWall TZ215 and I want to connect two ISP links with different fixed IPs. The problem I have is that if I switch from my main ISP to the second, my VPNs go down and the Exchange doesn't receive emails anymore. Is there a way to emulate that the IP is never changing even if I switch from one link to another?

I hope I'm clear enough
Question by:jpmoreau

Expert Comment

ID: 40229557
Your question is quite clear, but you have 2 connections with 2 separate IP addresses, so when a failover happens it has to switch from one to the other.

Have you defined a VPN failover policy as well for connections to move over? I have not had much play with SonicWalls, but in DrayTek you can do so. It should be similar in SonicWall.

Expert Comment

by:Peter Wilson
ID: 40239946
What type of VPNs are these: SSL-VPN, GVC, STS? If it is SSL-VPN or GVC then I'd set up another DNS Zone record for it like and If you are using SSL-VPNs then you will want to purchase a wildcard SSL Cert to cover both connections.

If you are using a STS (Site-to-Site) VPN then you will want to create a static route to pass all traffic over the direct connection with probing enabled. The probing will sense an issue and use the static route rule to flow to the new location. If you need assistance with its setup just let me know.

I'm assuming the Exchange server is on premise?

Assisted Solution

Brandon earned 250 total points
ID: 40263973
This was very confusing for me too when I set up a failover with a different ISP.

In the NETWORK>INTERFACES section make sure you have two WAN ports set up, X1 for your main and X2 (or whatever number) as your backup internet. Enter all the correct details for both of these.

At this point all your device knows is you have two WAN ports but ALL your firewall settings only know about the X1 port. So when that goes down and your X2 takes over, your firewall is still trying to send everything thru the X1 port...which is down.

You need to set up a NAT Policy for the X2 port.
In NETWORK>NAT POLICIES add a new policy with the following...
Original Source = Any
Select your Xx (LAN port) from Translated Source
Original Dest = Any
Translated Dest = Original
Original Service = Any
Translated Service = Original
Inbound Interface = Xx (LAN)
Outbound Interface = X2

Now you might have another issue with your email bouncing from others if the IP addresses don't match the signed certificate. This is an entirely different issue you can attack after you get the traffic routing correctly.

This should work. If not, let me know and I'll take a copy of my settings and forward it over.


Author Comment

ID: 40270361
It seems to work, but the problem I have now is that my Exchange is working weird. Sometimes the emails are not going out.

Expert Comment

ID: 40270474

Are you getting bounces?
Are the emails sitting in the user's outbox?
Are they sitting in the server's queue?

Author Comment

ID: 40301346
Yes, the emails are sitting in the queue. When I remove the second ISP link the emails are going out.

Accepted Solution

Peter Wilson earned 250 total points
ID: 40301478
You never answered my question, but you need a PBR (Policy Based Route), otherwise it will never work. The way it has been described for you to set up, the SonicWALL will never know which is the correct route, hence you have issues.

Click on Network > Routing.
Add to create a static route. The source will be the address object of the mail server’s private IP address (if not already created, please create it), the destination will be “Any”, and the service will be “SMTP (Send Email)”. Select X2 Default Gateway as the Gateway.

Then you need to set up the Probe-enabled Policy Based Routing Config.

When configuring a static route, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy.


In the Probe pulldown menu select the appropriate Network Monitor object or select Create New Network Monitor object... to dynamically create a new object.


Typical configurations will not check the Disable route when probe succeeds checkbox, because typically administrators will want to disable a route when a probe to the route’s destination fails. This option is provided to give administrators added flexibility for defining routes and probes.


Select the Probe default state is UP to have the route consider the probe to be successful (i.e. in the “UP” state) when the attached Network Monitor policy is in the “UNKNOWN” state. This is useful to control the probe-based behavior when a unit of a High Availability pair transitions from “IDLE” to “ACTIVE,” because this transition sets all Network Monitor policy states to “UNKNOWN.”


Click OK to apply the configuration.
To determine which Gateway to send SMTP traffic through, you must determine which interface is the Primary WAN.  By default, this is X1.

Click on Network > WAN Failover & LB.
On this page, the SonicWALL will display which interface is the Primary WAN Ethernet Interface, and which interfaces are Alternate WANs.

Keep me posted.
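
The probe-driven route behaviour described in the answer above, modelled as an added example (it is not part of the original thread and is not SonicOS code). The probe name `probe-X2`, the first-match ordering, the catch-all X1 route and the treatment of an UNKNOWN probe as failed when "Probe default state is UP" is unchecked are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

UP, DOWN, UNKNOWN = "UP", "DOWN", "UNKNOWN"

@dataclass
class Route:
    name: str
    source: str                  # address object name, or "Any"
    service: str                 # service object name, or "Any" (destination is "Any")
    gateway: str
    probe: Optional[str] = None  # attached Network Monitor policy, if any
    disable_when_probe_succeeds: bool = False
    probe_default_up: bool = False

    def enabled(self, probe_states):
        if self.probe is None:
            return True          # plain static route: never withdrawn
        state = probe_states.get(self.probe, UNKNOWN)
        if state == UNKNOWN:     # assumption: UNKNOWN counts as failed unless defaulted UP
            state = UP if self.probe_default_up else DOWN
        succeeded = state == UP
        return not succeeded if self.disable_when_probe_succeeds else succeeded

    def matches(self, source, service):
        return self.source in ("Any", source) and self.service in ("Any", service)

def pick_gateway(routes, source, service, probe_states):
    """Return the gateway of the first matching route that is currently enabled."""
    for route in routes:
        if route.matches(source, service) and route.enabled(probe_states):
            return route.gateway
    return None

# Constructed policy: the SMTP route from the answer, then a catch-all via X1.
ROUTES = [
    Route("mail-smtp", "Mail Server", "SMTP (Send Email)", "X2 Default Gateway",
          probe="probe-X2"),
    Route("default", "Any", "Any", "X1 Default Gateway"),
]

if __name__ == "__main__":
    for state in (UP, DOWN):
        gw = pick_gateway(ROUTES, "Mail Server", "SMTP (Send Email)", {"probe-X2": state})
        print(f"probe-X2 {state}: SMTP leaves via {gw}")
```

Without the probe, the same SMTP route stays enabled while its gateway is unreachable, which matches the queued mail reported earlier in the thread.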

Expert Comment

ID: 40303913
Like Peter Wilson posted, a better analogy of what I was trying to say.

The router knows to send your SMTP traffic out the front door. But you are trying to send to the back door. When the front door is down, the router doesn't know what to do, so the server holds the emails in the queue.
