Configuring VPN Failover using Static Routes and Network Monitor Probes

Description

This article illustrates a scenario wherein two sites with SonicWall UTM devices are connected to each other over a direct connection or an MPLS connection. A site to site VPN connection is defined concurrently between the two sites. The primary connection between the two sites is the direct or the MPLS connection and when it fails, traffic would automatically be routed through a site to site VPN (policy based).


Image


For this article, we’ll be using the following IP addresses as examples.You can substitute your IP addresses for the examples shown here:

NSA 2600/NSA 2700 (Site A)TZ 300/TZ 470(Site B)
WAN (X1): 1.1.1.1
LAN (X0): 192.168.1.1/24
DMZ (X2): 192.168.2.1/24
MPLS Router fe0/0 IP: 192.168.2.2/24
MPLS Router fe0/1 IP: 172.16.31.1/24		WAN (X1): 2.2.2.2
LAN (X0): 10.10.10.1/24
DMZ (X2): 10.10.11.1/24
MPLS Router fe0/0 IP: 10.10.11.2/24
MPLS Router fe0/1 IP: 172.16.31.2/24

NOTE: This article does not describe the method to create a site to site VPN or an MPLS connection.

Before defining the methods to configure the failover, the following factors are assumed to be in place.

  1. That a site to site VPN has been configured correctly and tunnel is up.
  2. That a direct or MPLS connection exists between Site A and Site B.
  3. That although a direct connection exists between Site A and Site B, traffic is passing to the other side over the VPN tunnel.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.



The procedure to configure a failover is the following.

Create a probe-dependent static route to route all traffic destined to the remote MPLS network. This route would take precedence over the VPN route. The probe target should be the IP address of the MPLS router on the other side. The probe target is defined by creating a Network Monitor Policy under Network | System| Network Monitor.

A separate route should be created defining the path to take to reach the probe target. Network Monitor Policy would probe the target regularly. Failure of the MPLS connection would also result in the failure of the probe target. When the probe fails, SonicWall would disable the static route thus allowing the VPN kernel routes (hidden) to take precedence.

When the probe target is reachable again, the static route would be re-enabled, forcing traffic over the MPLS connection.

Create the following address objects under

  • Object tab.
  • Match  Objects | Addresses and group them.

    TZ 470

    Image

    NSA 2700

    Image

  • Create the following additional address objects.


              

NSA 2700TZ 470
ImageImage
ImageImage


Create a Network Monitor Policy

  • The probe target is defined by creating a Network Monitor Policy under the System| Network Monitor.


             NSA 2700                                                                                                                                                        TZ 470 


            Image                                   Image


Create a static route to route traffic to the probe target.

  • Navigate to the Policy tab.
  • Click Rules and Policies | Routing Rules

    NSA 2700

    Image                  Image

    TZ 470

    Image                      Image


  • Create a static route to pass all traffic over the direct connection with probing enabled.


    NSA 2700

    Image               Image




                                                              Image

    TZ 470

    Image                Image


                                                    Image



How to Test:

On creating the routes traffic would be forwarded through the direct or MPLS connection. The site to site VPN policy would still show as up with a green light. To test whether failover and fallback  is functioning as intended, perform the following:

  1. Disconnect, either physically or logically, the MPLS connection.
  2. The Network Monitor policy will become inactive as the probing defined in the policy to the probe target will fail.
  3. Consequent to the probe failure, the static route created to route traffic to the other side will be disabled.
  4. When the static route is disabled, the VPN kernel routes will be re-enabled and traffic will be forwarded over the VPN tunnel.
  5. Re-connect the MPLS connection.
  6. The Network Monitor policy will become active again as the probing defined in the policy is successful.
  7. When the probe succeeds the static route will be re-enabled automatically.
  8. As static route takes precedence over VPN routes, traffic will again be routed through the direct or MPLS connection.





Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.


The procedure to configure a failover is the following.

Create a probe-dependent static route to route all traffic destined to the remote MPLS network. This route would take precedence over the VPN route. The probe target should be the IP address of the MPLS router on the other side. The probe target is defined by creating a Network Monitor Policy under Network | Network Monitor.

A separate route should be created defining the path to take to reach the probe target. Network Monitor Policy would probe the target regularly. Failure of the MPLS connection would also result in the failure of the probe target. When the probe fails, SonicWall would disable the static route thus allowing the VPN kernel routes (hidden) to take precedence.

When the probe target is reachable again, the static route would be re-enabled, forcing traffic over the MPLS connection.


Create the following address objects under

  • Manage tab.
  • Objects | Address Objects and group them.
TZ300
Image


NSA 2600
Image


  • Create the following additional address objects.
NSA 2600TZ300
Image Image
Image Image



Create a Network Monitor Policy

  • The probe target is defined by creating a Network Monitor Policy under the Investigate tab | Network Probes.
NSA 2600TZ300
ImageImage

 

Create a static route to route traffic to the probe target.

  • Navigate to the Manage tab.
  • Click Network | Routing.
NSA 2600TZ300
ImageImage


  • Create a static route to pass all traffic over the direct connection with probing enabled.
NSA 2600TZ300
ImageImage



How to Test:

On creating the routes traffic would be forwarded through the direct or MPLS connection. The site to site VPN policy would still show as up with a green light. To test whether failover and fallback  is functioning as intended, perform the following:

  1. Disconnect, either physically or logically, the MPLS connection.
  2. The Network Monitor policy will become inactive as the probing defined in the policy to the probe target will fail.
  3. Consequent to the probe failure, the static route created to route traffic to the other side will be disabled.
  4. When the static route is disabled, the VPN kernel routes will be re-enabled and traffic will be forwarded over the VPN tunnel.
  5. Re-connect the MPLS connection.
  6. The Network Monitor policy will become active again as the probing defined in the policy is successful.
  7. When the probe succeeds the static route will be re-enabled automatically.
  8. As static route takes precedence over VPN routes, traffic will again be routed through the direct or MPLS connection.

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.












Create the following address objects under

  • Network | Address Objects and group them.
TZ300

Image


NSA 2600

Image


  • Create the following additional address objects.
NSA 2600TZ300

Image

 

Image

Image

 

Image

Create a Network Monitor Policy

  • The probe target is defined by creating a Network Monitor Policy under Network | Network Monitor.
NSA 2600TZ300

Image

Image


Create a static route to route traffic to the probe target

  • Navigate to Network | Routing | Add.
NSA 2600TZ300

Image

Image


Create a static route to pass all traffic over the direct connection with probing enabled.

NSA 2600TZ300

Image

Image



How to Test

On creating the routes traffic would be forwarded through the direct or MPLS connection. The site to site VPN policy would still show as up with a green light. To test whether failover and fallback  is functioning as intended, perform the following:

  1. Disconnect, either physically or logically, the MPLS connection.
  2. The Network Monitor policy will become inactive as the probing defined in the policy to the probe target will fail.
  3. Consequent to the probe failure, the static route created to route traffic to the other side will be disabled.
  4. When the static route is disabled, the VPN kernel routes will be re-enabled and traffic will be forwarded over the VPN tunnel.
  5. Re-connect the MPLS connection.
  6. The Network Monitor policy will become active again as the probing defined in the policy is successful.
  7. When the probe succeeds the static route will be re-enabled automatically.
  8. As static route takes precedence over VPN routes, traffic will again be routed through the direct or MPLS connection.

Related Articles

  • SonicWall UTM throws an error : " Invalid Authentication " Error: SN and EPAID Do Not Match
    Read More
  • Firewall logs show frequent probe status changes after upgrade
    Read More
  • SSO Agent 4.0: Installation, Configurations, and troubleshooting
    Read More

Categories

Firewalls
SonicWall SuperMassive 9000 Series
VPN
Firewalls
NSa Series
VPN
Firewalls
TZ Series
VPN
Firewalls
NSv Series
VPN
not finding your answers?
Ask the Community
was this article helpful?
YesNo