

Internet fail over

Posted on 2014-07-30
Medium Priority
Last Modified: 2014-10-21

I use a SonicWall TZ215 and I want to connect two ISP links with different fixed IPs. The problem I have is that if I switch from my main ISP to the second, my VPNs are going down and the Exchange doesn't receive emails anymore. Is there a way to emulate that the IP is never changing even if I switch from one link to another?

I hope I'm clear enough
Question by:jpmoreau

Expert Comment

ID: 40229557
Your question is quite clear, but you have 2 connections with 2 separate IP addresses, so when a failover happens it has to switch from one to the other.

Have you defined a VPN failover policy as well for connections to move over? I have not had much play with SonicWalls, but in DrayTek you can do so. It should be similar in SonicWall.

Expert Comment

by:Peter Wilson
ID: 40239946
What type of VPNs are these: SSL-VPN, GVC, STS? If it is SSL-VPN or GVC then I'd set up another DNS Zone record for it like and If you are using SSL-VPNs then you will want to purchase a wildcard SSL Cert to cover both connections.

If you are using an STS (Site-to-Site) VPN then you will want to create a static route to pass all traffic over the direct connection with probing enabled. The probing will sense an issue and use the static route rule to flow to the new location. If you need assistance with its setup just let me know.

I'm assuming the Exchange server is on premise?

Assisted Solution

Brandon earned 1000 total points
ID: 40263973
This was very confusing for me too when I set up a failover with a different ISP.

In the NETWORK>INTERFACES section make sure you have two WAN ports set up, X1 for your main and X2 (or whatever number) as your backup internet. Enter all the correct details for both of these.

At this point all your device knows is you have two WAN ports but ALL your firewall settings only know about the X1 port. So when that goes down and your X2 takes over, your firewall is still trying to send everything thru the X1 port...which is down.

You need to set up a NAT Policy for the X2 port.
In NETWORK>NAT POLICIES add a new policy with the following...
Original Source = Any
Select your Xx (LAN port) from Translated Source
Original Dest = Any
Translated Dest = Original
Original Service = Any
Translated Service = Original
Inbound Interface = Xx (LAN)
Outbound Interface = X2

Now you might have another issue with your email bouncing from others if the IP addresses don't match the signed certificate. This is an entirely different issue you can attack after you get the traffic routing correctly.

This should work. If not, let me know and I'll take a copy of my settings and forward over.


Author Comment

ID: 40270361
It seems to work but the problem I have now is that my Exchange is working weird. Sometimes the emails are not going out.

Expert Comment

ID: 40270474

Are you getting bounces?
Are the emails sitting in the user's outbox?
Are they sitting on the server's queue?

Author Comment

ID: 40301346
Yes, the emails are sitting in the queue. When I remove the second ISP link the emails are going out.

Accepted Solution

Peter Wilson earned 1000 total points
ID: 40301478
You never answered my question, but you need a PBR (Policy Based Route), otherwise it will never work. The way it has been described for you to set up, the SonicWALL will never know which is the correct route, hence you have issues.

Click on Network > Routing.
Add to create a static route. The source will be the address object of the mail server’s private IP address (if not already created, please create it), the destination will be “Any”, and the service will be “SMTP (Send Email)”. Select X2 Default Gateway as the Gateway.

Then you need to set up the Probe-enabled Policy Based Routing Config.

When configuring a static route, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy.


In the Probe pulldown menu select the appropriate Network Monitor object or select Create New Network Monitor object... to dynamically create a new object.


Typical configurations will not check the Disable route when probe succeeds checkbox, because typically administrators will want to disable a route when a probe to the route’s destination fails. This option is provided to give administrators added flexibility for defining routes and probes.


Select the Probe default state is UP to have the route consider the probe to be successful (i.e. in the “UP” state) when the attached Network Monitor policy is in the “UNKNOWN” state. This is useful to control the probe-based behavior when a unit of a High Availability pair transitions from “IDLE” to “ACTIVE,” because this transition sets all Network Monitor policy states to “UNKNOWN.”


Click OK to apply the configuration.
To determine which Gateway to send SMTP traffic through, you must determine which interface is the Primary WAN.  By default, this is X1.

Click on Network > WAN Failover & LB.
On this page, the SonicWALL will display which interface is the Primary WAN Ethernet Interface, and which interfaces are Alternate WANs.

Keep me posted.
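
A simplified model of the probe options described in the answer above, as an added example that is not part of the original post and is not SonicOS code. The route and probe names are hypothetical, and treating an UNKNOWN probe as failed when "Probe default state is UP" is unchecked is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

UP, DOWN, UNKNOWN = "UP", "DOWN", "UNKNOWN"

@dataclass
class Route:
    source: str                      # address object name, or "Any"
    service: str                     # service name, or "Any"
    gateway: str
    probe: Optional[str] = None      # Network Monitor object name (hypothetical)
    disable_when_probe_succeeds: bool = False
    probe_default_up: bool = False

def route_enabled(route, probe_states):
    """Decide whether a route is active, given the current probe states."""
    if route.probe is None:
        return True                  # no probe attached: route never turns off
    state = probe_states.get(route.probe, UNKNOWN)
    if state == UNKNOWN:             # e.g. right after an HA IDLE -> ACTIVE transition
        # Assumption: without "Probe default state is UP", UNKNOWN counts as failed.
        state = UP if route.probe_default_up else DOWN
    succeeded = state == UP
    if route.disable_when_probe_succeeds:
        return not succeeded         # inverted behaviour, rarely wanted
    return succeeded

def pick_gateway(source, service, routes, probe_states):
    """First enabled route matching source and service wins; None = no route."""
    for r in routes:
        if r.source in (source, "Any") and r.service in (service, "Any"):
            if route_enabled(r, probe_states):
                return r.gateway
    return None

# Constructed sample table: the SMTP policy route, then the default route.
ROUTES = [
    Route("MailServer", "SMTP", "X2 Default Gateway",
          probe="probe-x2", probe_default_up=True),
    Route("Any", "Any", "X1 Default Gateway"),
]

if __name__ == "__main__":
    for state in (UP, DOWN, UNKNOWN):
        gw = pick_gateway("MailServer", "SMTP", ROUTES, {"probe-x2": state})
        print(f"probe-x2 {state:8} -> SMTP leaves via {gw}")
```

With the probe removed from the first route, `pick_gateway` keeps returning the X2 gateway even when that link is down, which is the situation where mail sits in the queue.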

Expert Comment

ID: 40303913
Like Peter Wilson posted, a better analogy of what I was trying to say.

The router knows to send your SMTP traffic out the front door. But you are trying to send to the back door. When the front door is down, the router doesn't know what to do so the server holds the emails in the queue.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question