Configuring VPN Failover using Static Routes and Network Monitor Probes
10/14/2021
Description
This article illustrates a scenario in which two sites with SonicWall UTM devices are connected to each other over a direct connection or an MPLS connection, with a policy-based site to site VPN defined between the same two sites. The primary path between the sites is the direct or MPLS connection; when it fails, traffic is automatically routed through the site to site VPN, and it returns to the primary path once that path is restored.
For this article, we'll be using the following IP addresses as examples. You can substitute your own IP addresses for those shown here:
NSA 2600/NSA 2700 (Site A) | TZ 300/TZ 470 (Site B)
WAN (X1): 1.1.1.1 | WAN (X1): 2.2.2.2
LAN (X0): 192.168.1.1/24 | LAN (X0): 10.10.10.1/24
DMZ (X2): 192.168.2.1/24 | DMZ (X2): 10.10.11.1/24
MPLS Router fe0/0 IP: 192.168.2.2/24 | MPLS Router fe0/0 IP: 10.10.11.2/24
MPLS Router fe0/1 IP: 172.16.31.1/24 | MPLS Router fe0/1 IP: 172.16.31.2/24
NOTE: This article does not describe the method to create a site to site VPN or an MPLS connection.
Before describing how to configure the failover, the following are assumed to be in place:
- A site to site VPN has been configured correctly and the tunnel is up.
- A direct or MPLS connection exists between Site A and Site B.
- Although that direct connection exists, traffic to the other site is still passing over the VPN tunnel, because nothing yet steers it onto the direct connection.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
The procedure to configure the failover is as follows.
Create a probe-dependent static route for all traffic destined to the remote network behind the MPLS router. While this route is enabled it takes precedence over the VPN route, so traffic uses the MPLS path. The probe target should be the IP address of the MPLS router on the other side (10.10.11.2 when configuring Site A, 192.168.2.2 when configuring Site B), so that the probe crosses the whole MPLS path rather than stopping at the local router. The probe target is defined by creating a Network Monitor Policy under Network | System | Network Monitor.
A separate route, one that does not itself depend on the probe, should be created to define the path to the probe target, so that probe packets always leave over the MPLS link and are never carried by the VPN tunnel. The Network Monitor Policy probes the target at regular intervals; if the MPLS connection fails, the probe target becomes unreachable and the probe fails. When the probe fails, SonicOS disables the static route, allowing the hidden VPN kernel routes to take precedence.
When the probe target is reachable again, the static route is re-enabled, forcing traffic back over the MPLS connection. Keep in mind that only the VPN path encrypts the traffic; the direct or MPLS path carries it as it is sent.
Create the following address objects under the Object tab, Match Objects | Addresses, and group them.
[Screenshot: TZ 470]
[Screenshot: NSA 2700]
- Create the following additional address objects.
Create a Network Monitor Policy
- The probe target is defined by creating a Network Monitor Policy under Network | System | Network Monitor.
[Screenshot: NSA 2700] [Screenshot: TZ 470]
Create a static route to route traffic to the probe target.
- Navigate to the Policy tab.
- Click Rules and Policies | Routing Rules.
[Screenshot: NSA 2700]
[Screenshot: TZ 470]
- Create a static route to pass all traffic over the direct connection with probing enabled.
[Screenshot: NSA 2700]
[Screenshot: TZ 470]
How to Test:
Once the routes are created, traffic is forwarded through the direct or MPLS connection. The site to site VPN policy still shows as up with a green light, since the tunnel stays established even while it carries no traffic; check the actual path with a traceroute from a LAN host rather than relying on that indicator. To test whether failover and failback function as intended, perform the following:
- Disconnect, either physically or logically, the MPLS connection.
- The Network Monitor policy becomes inactive once the probes it sends to the probe target fail.
- Following the probe failure, the static route that carries traffic to the other side is disabled.
- With the static route disabled, the VPN kernel routes take effect again and traffic is forwarded over the VPN tunnel.
- Re-connect the MPLS connection.
- The Network Monitor policy becomes active again once probing of the target succeeds.
- When the probe succeeds, the static route is re-enabled automatically.
- As the static route takes precedence over the VPN routes, traffic is again routed through the direct or MPLS connection.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
The procedure to configure the failover is as follows.
Create a probe-dependent static route for all traffic destined to the remote network behind the MPLS router. While this route is enabled it takes precedence over the VPN route, so traffic uses the MPLS path. The probe target should be the IP address of the MPLS router on the other side (10.10.11.2 when configuring Site A, 192.168.2.2 when configuring Site B), so that the probe crosses the whole MPLS path rather than stopping at the local router. The probe target is defined by creating a Network Monitor Policy under the Investigate tab | Network Probes.
A separate route, one that does not itself depend on the probe, should be created to define the path to the probe target, so that probe packets always leave over the MPLS link and are never carried by the VPN tunnel. The Network Monitor Policy probes the target at regular intervals; if the MPLS connection fails, the probe target becomes unreachable and the probe fails. When the probe fails, SonicOS disables the static route, allowing the hidden VPN kernel routes to take precedence.
When the probe target is reachable again, the static route is re-enabled, forcing traffic back over the MPLS connection. Keep in mind that only the VPN path encrypts the traffic; the direct or MPLS path carries it as it is sent.
Create the following address objects under the Manage tab, Objects | Address Objects, and group them.
[Screenshot: TZ300]
[Screenshot: NSA 2600]
- Create the following additional address objects.
Create a Network Monitor Policy
- The probe target is defined by creating a Network Monitor Policy under the Investigate tab | Network Probes.
[Screenshot: NSA 2600] [Screenshot: TZ300]
Create a static route to route traffic to the probe target.
- Navigate to the Manage tab.
- Click Network | Routing.
[Screenshot: NSA 2600] [Screenshot: TZ300]
- Create a static route to pass all traffic over the direct connection with probing enabled.
[Screenshot: NSA 2600] [Screenshot: TZ300]
How to Test:
Once the routes are created, traffic is forwarded through the direct or MPLS connection. The site to site VPN policy still shows as up with a green light, since the tunnel stays established even while it carries no traffic; check the actual path with a traceroute from a LAN host rather than relying on that indicator. To test whether failover and failback function as intended, perform the following:
- Disconnect, either physically or logically, the MPLS connection.
- The Network Monitor policy becomes inactive once the probes it sends to the probe target fail.
- Following the probe failure, the static route that carries traffic to the other side is disabled.
- With the static route disabled, the VPN kernel routes take effect again and traffic is forwarded over the VPN tunnel.
- Re-connect the MPLS connection.
- The Network Monitor policy becomes active again once probing of the target succeeds.
- When the probe succeeds, the static route is re-enabled automatically.
- As the static route takes precedence over the VPN routes, traffic is again routed through the direct or MPLS connection.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For Generation 6 and newer firewalls, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
Create the following address objects under Network | Address Objects and group them.
[Screenshot: TZ300]
[Screenshot: NSA 2600]
- Create the following additional address objects.
Create a Network Monitor Policy
- The probe target is defined by creating a Network Monitor Policy under Network | Network Monitor.
[Screenshot: NSA 2600] [Screenshot: TZ300]
Create a static route to route traffic to the probe target.
- Navigate to Network | Routing | Add.
[Screenshot: NSA 2600] [Screenshot: TZ300]
Create a static route to pass all traffic over the direct connection with probing enabled.
[Screenshot: NSA 2600] [Screenshot: TZ300]
How to Test
Once the routes are created, traffic is forwarded through the direct or MPLS connection. The site to site VPN policy still shows as up with a green light, since the tunnel stays established even while it carries no traffic; check the actual path with a traceroute from a LAN host rather than relying on that indicator. To test whether failover and failback function as intended, perform the following:
- Disconnect, either physically or logically, the MPLS connection.
- The Network Monitor policy becomes inactive once the probes it sends to the probe target fail.
- Following the probe failure, the static route that carries traffic to the other side is disabled.
- With the static route disabled, the VPN kernel routes take effect again and traffic is forwarded over the VPN tunnel.
- Re-connect the MPLS connection.
- The Network Monitor policy becomes active again once probing of the target succeeds.
- When the probe succeeds, the static route is re-enabled automatically.
- As the static route takes precedence over the VPN routes, traffic is again routed through the direct or MPLS connection.
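The failover logic described in each of the three firmware sections above is the same, and the following Python model is an added example written for this article, not SonicWall code. It simulates that logic: a longest-prefix route table in which an enabled static route beats the hidden VPN kernel route, a Network Monitor policy with consecutive-failure and consecutive-success thresholds, and probe-dependent routes that are disabled and re-enabled with the policy. Addresses follow the example topology for Site A. The threshold values, the path names "mpls" and "vpn", and the assumption that the VPN policy also covers the remote DMZ 10.10.11.0/24 are ours, not taken from the article; next-hop gateways and interfaces are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Route:
    dest: str                    # destination network (CIDR)
    path: str                    # link that carries it: "mpls" (direct link) or "vpn" (tunnel)
    kind: str                    # "static" (admin-defined) or "vpn" (hidden VPN kernel route)
    probe: Optional[str] = None  # Network Monitor policy the route depends on, if any
    enabled: bool = True


@dataclass
class NetworkMonitorPolicy:
    name: str
    target: str                  # probe target IP (the remote MPLS router)
    fail_threshold: int = 3      # consecutive misses before the policy goes down (assumed value)
    success_threshold: int = 3   # consecutive replies before it comes back up (assumed value)
    up: bool = True
    fails: int = 0
    oks: int = 0

    def record(self, answered: bool) -> None:
        """Apply one probe result; the thresholds give the state some hysteresis."""
        if answered:
            self.oks, self.fails = self.oks + 1, 0
            self.up = self.up or self.oks >= self.success_threshold
        else:
            self.fails, self.oks = self.fails + 1, 0
            self.up = self.up and self.fails < self.fail_threshold


class Firewall:
    def __init__(self, routes: List[Route], policies: List[NetworkMonitorPolicy],
                 links: Dict[str, bool]) -> None:
        self.routes, self.links = routes, links    # links: True = passing traffic, False = cut
        self.policies = {p.name: p for p in policies}

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over enabled routes; on equal prefix length an enabled
        static route beats the VPN kernel route (the precedence the article relies on)."""
        addr = ip_address(dst)
        cands = [r for r in self.routes if r.enabled and addr in ip_network(r.dest)]
        cands.sort(key=lambda r: (ip_network(r.dest).prefixlen, r.kind == "static"),
                   reverse=True)
        return cands[0] if cands else None

    def path_for(self, dst: str) -> Optional[str]:
        route = self.lookup(dst)
        return route.path if route else None

    def probe_once(self) -> None:
        """One Network Monitor cycle: the probe is forwarded by the route table like
        any other packet, then probe-dependent routes follow the policy state."""
        for policy in self.policies.values():
            path = self.path_for(policy.target)
            policy.record(path is not None and self.links[path])
        for route in self.routes:
            if route.probe is not None:
                route.enabled = self.policies[route.probe].up


def site_a(with_probe_target_route: bool) -> Firewall:
    """Site A (NSA) routes per the article, VPN and MPLS both up. That the VPN policy
    also covers the remote DMZ 10.10.11.0/24 is our assumption, made to show why the
    probe target needs a route of its own."""
    routes = [
        Route("10.10.10.0/24", "mpls", "static", probe="MPLS-Probe"),  # remote LAN via MPLS
        Route("10.10.11.0/24", "mpls", "static", probe="MPLS-Probe"),  # remote DMZ via MPLS
        Route("10.10.10.0/24", "vpn", "vpn"),                          # hidden VPN kernel routes
        Route("10.10.11.0/24", "vpn", "vpn"),
    ]
    if with_probe_target_route:
        # the article's separate route: the probe target (Site B MPLS router fe0/0)
        # is always reached over the MPLS link, never through the tunnel
        routes.insert(0, Route("10.10.11.2/32", "mpls", "static"))
    return Firewall(routes, [NetworkMonitorPolicy("MPLS-Probe", target="10.10.11.2")],
                    links={"mpls": True, "vpn": True})


def run(fw: Firewall, mpls_states: List[bool]) -> List[str]:
    """Drive probe cycles with the MPLS link up/down as given; return the path chosen
    for LAN-to-LAN traffic (to 10.10.10.5) after each cycle."""
    trace = []
    for mpls_up in mpls_states:
        fw.links["mpls"] = mpls_up
        fw.probe_once()
        trace.append(fw.path_for("10.10.10.5"))
    return trace


def transitions(trace: List[str]) -> int:
    """How often the forwarding path changed: 1 is a clean failover, more is flapping."""
    return sum(1 for a, b in zip(trace, trace[1:]) if a != b)


ARTICLE_TEST = [True] * 3 + [False] * 6 + [True] * 6   # MPLS up, cut, then reconnected

if __name__ == "__main__":
    print("failover/failback:", run(site_a(True), ARTICLE_TEST))
    for with_route in (True, False):
        n = transitions(run(site_a(with_route), [False] * 18))
        print(f"sustained MPLS outage, probe-target route={with_route}: {n} path change(s)")
```

Running the file prints the path chosen per probe cycle during the article's test sequence: the MPLS path is used until the policy's failure threshold is reached, traffic then moves to the VPN, and it returns to MPLS only after the success threshold is met once the link is restored. Two things the model makes visible. First, between the link failure and the policy going down the static route is still active, so traffic sent into the dead link is lost; the probe interval and thresholds you configure bound that outage. Second, without the separate route to the probe target, the probe follows the very route it is meant to test, succeeds over the VPN as soon as that route is disabled, re-enables it, and the path flaps between MPLS and VPN for as long as the outage lasts.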