Article Applies To:
Gen5: NSA E8510, E8500, E7500, NSA E6500, NSA E5500,
NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 220, NSA 220W
NSA 240, NSA 250M, NSA250MW
Gen5 TZ series: TZ 100, TZ 100W, TZ 105, TZ 105W TZ 200, TZ 200W, TZ 205, TZ 205W TZ 210, TZ 210W,TZ 215, TZ 215W.
Gen4 PRO series: PRO 5060, PRO 4100, PRO 4060,PRO 3060, PRO 2040, PRO 1260
Gen4 TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W
WAN Failover and Load Balancing allows you to designate
the one of the user-assigned interfaces as a Secondary or backup WAN
port. The secondary WAN port can be used in a simple active/passive
setup, where traffic is only routed through the secondary WAN port if
the primary WAN port is down and/or unavailable.
WAN Failover Caveats
1. WAN Failover and Load Balancing applies to
outbound-initiated traffic only; it cannot be used to perform inbound
Load Balancing functions, such as what a content switching or Load
Balancing appliance provides.|
2. Make sure that the SonicWALL security appliance has
the proper NAT policies for the Secondary WAN interface an incorrect or
missing NAT Policy for the Secondary WAN port is the most common
problem seen when configuring WAN Failover & Load Balancing.
3. The Primary and Secondary WAN ports cannot be on
the same IP subnet; each WAN connection must be on unique IP subnets in
order to work properly
4. You cannot use the WAN failover feature if you have configured the SonicWALL security appliance to use Transparent Mode in the
Network > Interfaces page.
To configure WAN failover and Load Balancing following steps has to performed
Step 1. Configure an interface as Secondary WAN port
configure the chosen port to be in WAN zone, and enter in the correct
provided by the Secondary ISP. In the example, NSA 3500 is acquiring
its secondary WAN address dynamically from ISP 2, using DHCP.
Step 2. Activate and Select WAN Failover/Load-Balancing Methods
Network > WAN Failover & LB page, select
Enable Load Balancing.
If there are multiple possible secondary WAN interfaces, select an
interface from the Alternate WAN drop down box. Select a load balancing
method. By default, the SonicWALL will select Basic Active/Passive
Failover as the method, but there are four load balancing methods
Basic Active/Passive Failover:When
this setting is selected, the SonicWALL security appliance only sends
traffic through the Secondary WAN interface if the Primary WAN interface
has been marked inactive.This item has an associated Preempt and fail
back to Primary WAN when possible checkbox. When this checkbox is
selected, the SonicWALL security appliance switches back to sending its
traffic across the Primary WAN interface when it resumes responding to
the SonicWALL security appliance’s checks.
Per Destination Round-Robin:
When this setting is selected, the SonicWALL security appliance Load
Balances outgoing traffic on a per-destination basis. This is a simple
load balancing method and, though not very granular, allows you to
utilize both links in a basic fashion . The SonicWALL security appliance
needs to examine outbound flows for uniqueness in source IP and
destination IP and make the determination as to which interface to send
the traffic out of and accept it back on. Please note this feature will
be overridden by specific static route entries.
When this settings is selected, the user can specify when the SonicWALL
security appliance starts sending traffic through the Secondary WAN
interface. This method allows you to control when and if the Secondary
interface is used. This method is used if you do not want outbound
traffic sent across the Secondary WAN unless the Primary WAN is
Use Source and Destination IP Address Binding:
When you are using percentage-based load balancing, this checkbox
enables you to maintain a consistent mapping of traffic flows with a
single outbound WAN interface, regardless of the percentage of traffic
through that interface.
Step 3. Configuring WAN Probe Monitoring
1. On the
Network > WAN Failover & Load Balancing page, under the WAN Interface Monitoring heading, check the
Enable Probe Monitoring box
2. Click on the
Configure button. The Configure
WAN Probe Monitoring window is displayed.
3. The new option is called
Probe responder.global.sonicwall.com on Primary, Alternate #1, Alternate #2, Alternate #3.
When enabled, this sends TCP probe packets to the global SNWL host that
responds to SNWL TCP packets, responder.global.sonicwall.com, using a
target probe destination address of 220.127.116.11:50000. If disabled,
only a physical link check is performed on Alternate WAN #2 and
Alternate WAN #3.
4. In the
Primary WAN Logical/Probe Settings menu, select one of the following options:
– Probe succeeds when either Main Target or Alternate Target responds
– Probe succeeds when both Main Target and Alternative Target respond
– Probe succeeds when Main Target responds
– Succeeds Always (no probing)
Ping (ICMP) or
TCP from the Probe Target menu.
6. Enter the host name or IP address of the target device in the Host field.
7. Enter a
port number in the
there is a NAT device between the two devices sending and receiving TCP
probes, the Any TCP-SYN to Port box must be checked, and the same port
number must be configured here and in the Configure WAN Probe
8. Optionally, you can enter a default
target IP address in the Default Target IP field. In case of a DNS
failure when a host name is specified, the default target IP address is
IP address of 0.0.0.0 or a DNS resolution failure will use the Default
Target IP configured. If 0.0.0.0 is entered and no default target IP
address is configured, the default gateway on that interface will be
9. Configure the
Secondary WAN Probe Settings, which provide the same options as the
Primary WAN Probe Settings.