Failover and Load Balance in Sonicwall

I'm thinking of setting up another internet for failover and LB in my Sonicwall NSA 5500. Any configuration example and scenario to learn?


Blue Street Tech (Last Knight) Commented:

It's more of a strategic question to determine in the event how do you want things to play out.

If you want to actually utilize both connections, I'd use Round Robin or Ratio. Ratios work well too, especially when there is disparity in speed between the two circuits. In a lesser more demoted way you can use Spillover. Otherwise Active/Passive is great for two connections.
The admin guide says it all but to put it in different words:

1. Basic Active/Passive Failover

The WAN interfaces use "rank" to determine the order of preemption when the "Preempt and failback to preferred interfaces when possible" checkbox has been enabled. Only a higher-ranked interface can preempt an Active WAN interface.

Final Back-Up - The Final Back-Up interface is used IF and ONLY IF there are no other interfaces Available in the group. It is for FAILOVER only and always gets preempted by other members. Only one interface can be selected as a last-resort interface, but it is not required for any LB Group to have a Final Back-Up. The rule of preemption (enable/disable) does not apply to a Final Back-Up interface; preemption enable/disable only applies to Primary and Alternates. A Final Back-Up interface is never used for LB, so it does not take a percentage in Ratio, never gets selected in RR, and never gets Spillover traffic.

2. Round Robin

This option now allows the user to re-order the WAN interfaces for Round Robin selection. The order is as follows: Primary WAN, Alternate WAN #1, Alternate WAN #2, and Alternate WAN #3; the Round Robin will then repeat back to the Primary WAN and continue the order. So in your case traffic flow will flip back and forth between Fiber and Cable. Literally, if you refresh a web page the first time will be on the Fiber and on the next refresh will be on the Cable side.

3. Spillover

You specify the bandwidth threshold that applies to the Fiber. Once the threshold is exceeded, say 9 Mbps, new traffic flows are allocated to the Cable in a Round Robin manner. Once the Fiber bandwidth goes below the configured threshold, Round Robin stops, and outbound new flows will again be sent out only through the Fiber.

NOTE: Existing flows will remain associated with the Alternates (since they are already cached) until they time out normally.

4. Ratio

There are now four fields so that percentages can be set for each WAN in the LB group. To avoid problems associated with configuration errors, please ensure that the percentage correctly corresponds to the WAN interface it indicates.

To set the individual percentages of the member interfaces, an input box beside the member list is provided for the percentage value. The total of the percentage settings should be 100.

Use Source and Destination IP Address Binding: When you are using percentage-based load balancing, this checkbox enables you to maintain a consistent mapping of traffic flows with a single outbound WAN interface, regardless of the percentage of traffic through that interface.

NOTE: When one of the WAN interfaces goes down, the new connections will flow through the available WAN interfaces.

What happens then when a WAN interface goes down or is not responsive?

In the first 3 options listed (Basic Fail-over, Round Robin, Spill-over), the behavior is quite predictable: if a link is not responsive or an interface physically goes down, the traffic will fail over to the other WAN interfaces. If that link then comes back, it will fail back (take over traffic to the WAN again) as planned by you.

When you configure the Ratio Load Balancing method, the firewall needs to assure availability by keeping consistency with the ratio configured per interface. The behavior of the firewall during failures of participating WAN interfaces is not obvious, and is explained below.

What happens then when a WAN link is down and its interface belongs to an LB Group configured in Ratio?

The firewall will load balance the traffic by keeping the ratio constant between the links/interfaces that are up and available. For example, if Ratio LB between 3 WAN interfaces is configured with the following LB ratios:
X1 (50%)
X2 (40%)
X3 (10%)
If the X1 link becomes unavailable, the firewall will load all traffic between the remaining responsive interfaces (i.e. X2 and X3), keeping the ratio constant between them:
X1 (down)
X2 (80%)
X3 (20%)
Notice that the ratio between X2 and X3 (4:1) is kept constant during the time X1 link is not available. The original Ratio Load Balancing for X2 and X3 was first configured as 40% and 10%, and thus the new calculation, after X1 is down, is proportional to that.

What happens then if a WAN link/interface comes back and is operational after being down for a while, in an LB Group configured in Ratio?

In this case, the traffic will be load balanced according to the ratio configured by you, balancing the traffic between all the interfaces configured in the ratio.
In my example, if X1 link comes back operational and the LB Group is configured in the aforementioned ratio, the firewall will load balance again based on the ratio:
X1 (50%)
X2 (40%)
X3 (10%)
To prevent immediately overloading X2 too much, the firewall will keep consistency by loading the traffic on X1 according to an additional calculation - "current ratio" - which is based on a short term sample which is NOT configurable by you. The "current ratio" will work and act like a valve to control the "average" ratio (i.e. the one planned and configured by you) during the few seconds after an interface comes up and until the "average" ratio equalizes to the Load Balancing ratio configured by the customer (e.g. 50%, 40%, 10%).

You can prevent having an interface (e.g. X2) loaded too much (e.g. 80%) by cautiously planning the Ratio. For example, planning
X1 (40%)
X2 (40%)
X3 (20%)
in case of failure of the X2 link, the ratio in disaster recovery will be:
X1 (66.7%)
X2 (down)
X3 (33.3%)
In this case you would have achieved:
exploiting X2 as long as the X2 link is up;
limiting the traffic through X3;
a more fair usage of the remaining resources (X1 and X3 links) in case a fast speed link is not available anymore.
Of course, the proper ratio to be configured for a certain configuration is a matter of opinion, and it is your duty to foresee and plan how to better use the links available.

Let me know if you have any other questions!

Ratio sets a ratio for both WAN connections based on the number of connections. For example, 80/20 would mean if you have 1,000 connections, then WAN would get 800 of them and WAN2 would get 200 connections.

Round Robin flip flops between both WANs so if you are on a web page (WAN1)  and then clicked on another page that connection would be established on WAN2.
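
The Ratio failover arithmetic described in the answer above, as an added planning example (not part of the original posts and not SonicWall code). It models the proportional redistribution and the Final Back-Up rule exactly as the post states them; the function names and the per-interface limit are assumptions made for illustration.

```python
from itertools import combinations

def effective_shares(ratios, down=(), final_backup=None):
    """Share of new connections per interface under Ratio LB.

    ratios: configured percentages of Primary/Alternate members, e.g. {"X1": 50}
    down: interfaces currently unavailable
    final_backup: optional last-resort interface (it carries no ratio)
    """
    if sum(ratios.values()) != 100 or any(p <= 0 for p in ratios.values()):
        raise ValueError("percentages must be positive and total 100")
    up = {name: pct for name, pct in ratios.items() if name not in down}
    if not up:
        # No Primary/Alternate left: only now is the Final Back-Up used.
        if final_backup and final_backup not in down:
            return {final_backup: 100.0}
        return {}
    total = sum(up.values())
    # Surviving members keep their configured proportions to each other.
    return {name: round(100.0 * pct / total, 1) for name, pct in up.items()}

def worst_case(ratios, max_failures=1):
    """Highest share each interface carries over all failure combinations."""
    worst = {name: float(pct) for name, pct in ratios.items()}
    for k in range(1, max_failures + 1):
        for down in combinations(ratios, k):
            for name, share in effective_shares(ratios, down).items():
                worst[name] = max(worst[name], share)
    return worst

def over_limit(ratios, limits, max_failures=1):
    """Interfaces whose worst-case share exceeds the planner's own limit (%)."""
    worst = worst_case(ratios, max_failures)
    return {n: s for n, s in worst.items() if s > limits.get(n, 100)}

if __name__ == "__main__":
    # The two plans discussed in the answer, with a constructed 25% cap on X3.
    for plan in ({"X1": 50, "X2": 40, "X3": 10}, {"X1": 40, "X2": 40, "X3": 20}):
        print(plan, worst_case(plan), over_limit(plan, {"X3": 25}))
```

Run against both plans from the post, it shows that the 40/40/20 plan pushes X3 to 33.3% whenever X1 or X2 fails, while 50/40/10 caps X3 at 20% but lets X1 reach 83.3%.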

AXISHK (Author) Commented:
"Split over" may be suitable for me.

I have already configured X1 WAN for an internet provider and X2 WAN for another provider. What should I do next? Any example to follow?

Blue Street Tech (Last Knight) Commented:
OK, just follow these steps:

1. the other WAN on X2, then go to Network > Failover & LB.
2. Make sure Enable Load Balancing is checked (it should be by default).
3. Click on the Configure icon next to Default LB Group.
4. On the General tab, select Spill-over next to Type and then input the bandwidth threshold amount in Kbits. Once the bandwidth goes over that amount, it will start using the other connection.
5. Select X2 from the Group Members and click Add >>. Under Primary/Alt. Pool it should read X1, X2 in that order.
6. Click OK.

Then click the expander arrow next to the Default LB Group and set up probing.

1. Click on the Configure icon.
2. Select Logical/Probe Monitoring enabled.
3. Select Probe succeeds when either Main or Alternate Target responds.
4. Next to Main Target and Alternative Target, select Ping (ICMP), type the host as and respectively.
5. Click OK.

Let me know if you have any other questions!

Blue Street Tech (Last Knight) Commented:
I just updated my last post...please re-fresh and re-read!