
HA and redundant provider connections

Hi all, we are moving our NSA3700 HA pair to a new provider, where they are giving us an internet connection and an MPLS connection, each provided redundantly by two Juniper SRXs running VRRP, so a total of four Junipers in two pairs.

Does anyone know if interfaces from the primary SonicWall unit are bridged with the same interface on the HA secondary? For example, we are using X2 for the internet connection, but the Juniper routers need to be able to see each other for VRRP; will they talk to each other when connected to separate NSA3700s in an HA pair?

On the LAN side I think we could achieve this by using a PortShield group and physically connecting an interface between the primary and secondary NSA to bridge the two. However, PortShield group interfaces aren't available on WAN interfaces.

We could have a switch in between; however, this would then become a single point of failure. Because we are only being fed one connection from each of the Junipers, we can't use redundant switches.

What we are currently doing to try and achieve some form of HA is attached; however, this isn't truly HA. If one of the switches fails, then the connectivity to one set of Junipers is also lost.

I would rather not have switches at all and connect directly to the NSAs; however, to do this the Junipers in each pair need to be able to communicate with each other, meaning the respective interfaces they are connected to on each firewall need to be able to communicate with the same ports on the other.

The only other option I can think of is asking the provider to see if they can give us two LAG ports from each Juniper; then we can use redundant switching in between.

I'd be grateful for any ideas!

Category: Mid Range Firewalls

Answers

  • Arkwright Community Legend ✭✭✭✭✭
    edited 4:32PM

    Only other option I can think of is asking the provider to see if they can give us two LAG ports from each Juniper

    You just want a bunch of ports [two - one for each Sonicwall? or three - 2xSonicwalls + a port for the peer Juniper?] bridged together on each Juniper router. That would eliminate the switches.

    If one of the switches fails then the connectivity to one set of Junipers is also lost.

    The road to redundancy never ends. At some point, you have to say "this is redundant enough". How likely is it that both a switch and the wrong Sonicwall are going to die at the same time?

  • Rossk1300 Newbie ✭

    Thanks Arkwright, I think you're right that multiple connections from the Junipers is the answer.

    Do you happen to know, though, if interfaces on each SonicWall have communication with each other between boxes in HA? Say X0 is LAN and X1 is WAN; would X0 and X1 on each SonicWall allow communication between each other?

  • Arkwright Community Legend ✭✭✭✭✭

    Definitely X0, yes:

    https://www.sonicwall.com/support/knowledge-base/how-to-configure-high-availability-ha/170503978252820

    X0 is used as a backup HA link, so the advice is to connect it so the firewalls can see each other.
