
Is there any detailed documentation on the HA capabilities of the Azure based NSVs?

I'm trialing NSv270s in Active/Passive HA and, other than a very, very brief deployment KB, I can find no detailed information about the HA technology / methodology / supported features etc. being used in Azure.

For example, a major issue I've hit is that multiple WAN IPs do not move with the HA. I've about 30-40 public IPs I'd hoped to consolidate onto the WAN interface (that works fine), but upon failover only the 1st of them will fail over to the now active device.

Also, the failover itself takes up to 5 mins, rather than instantly as on my physical devices. OK, I can deal with this now I know about it, but it is not documented anywhere.

Does anybody know if a feature list, or detailed technical documentation exists for Azure based HA?

Category: Virtual Firewall

Answers

  • Ajishlal Community Legend ✭✭✭✭✭

    Hi @Sbarrett

    I found the below information related to NSv HA on Azure.

    1. Does Microsoft Azure support Active/Standby High Availability without using Azure Load Balancer? --> 6.5.4.4-44v-21-987 build (and onwards) on Gen6 and 7.0.0-R1036 build (and onwards) on Gen7 supports Layer 3 High Availability in Active/Standby Mode.
    2. Does the Azure Active/Standby HA solution support settings/configuration synchronizing? --> Yes. The Azure Active/Standby HA solution supports settings synchronization.
    3. Does the Azure Active/Standby HA solution support stateful synchronization? --> The current release does not support stateful synchronization since the failover time is longer in Azure infrastructure.

    Detailed KB:

    How to deploy SonicWall NSv HA using Azure LB:


  • T16 Newbie ✭
    edited June 2021

    FIVE MIN failover for active-passive for an NSv?

    You gotta be kidding, we cannot live with that, so active-active for us then if that is the case.

    Can someone from Sonicwall confirm?

    Ajishlal, can you take a quick look at the thread I created on this topic and advise? I think for us the load balancing and active-active is the way to go, but I really need some ideas as to the downsides of such a setup.

    Thanks!

  • Ajishlal Community Legend ✭✭✭✭✭

    Hi @T16

    There are two different ways to implement HA on Azure, either Active/Passive or Active/Active. Active/Passive closely resembles Active/Passive of a SonicWall appliance, with the exception that the new primary has to signal to Azure that it is the primary to move the VIP (Virtual IP Addresses) – there are no MAC addresses in Azure. Likewise, the HA link needs to be terminated on L3 interfaces because of the lack of multicast support in Azure. Active/Passive HA supports both SPI state synchronization and config sync. As with other virtual firewall implementations of stateful high availability, failover may take several minutes. The solution to slow failover is to deploy the NSv instance in Active/Active. As in the non-virtual world, Active/Active does not support Stateful Packet Inspection (SPI) state sync, although this may not be as important anymore in a world of Deep Packet Inspection (DPI). But unlike Active/Active on a SonicWall hardware appliance, config sync is also not supported. HA Active/Active is more an architecture than a feature, and has some similarities to the Firewall Sandwich (FSW). An outside load balancer, preferably the Microsoft Azure Load Balancer, is used to direct traffic on the WAN side to one or multiple Active/Active high availability pairs. On egress, the NSv marks flows by swapping the src-ip with dynamic NAT. Config sync can be achieved via inheritance on Global Management Server (GMS) or Capture Security Center (CSC).

    For more info see the NSv on Azure start guide:


  • T16 Newbie ✭

    Appreciate the comment!

    The on-prem firewalls we have in active-passive fail over instantly, it seems; is this different for the NSvs?

    A few seconds or the odd ping is "OK" I guess, but anything measured with "up to minutes" is a 100% no go for us!

    If that really is the case, then it will be the active-active for us. Would we be able to load balance both ends despite the dynamic NAT on the appliances? So an LB on the front end for incoming traffic, and an LB on the back end to balance outgoing traffic over each appliance...?

    Thank you :)

  • @T16, A/P in Azure will fail over in around 3-5 minutes. This is mainly on the Azure side, since we have to use APIs to move the secondary interfaces between hosts. It does not work like hardware HA, since Azure does not support multiple devices simultaneously having the same IP on the same subnet and failing over in milliseconds using gratuitous ARP, etc.

  • Manuel Newbie ✭

    Is there already any better solution for HA? As I can see, NSv is not available as Active/Active.

  • I think this is the doc for Active/Active - as usual, the SonicWall Azure documentation is terrible.

    https://www.sonicwall.com/support/knowledge-base/how-to-deploy-sonicwall-nsv-high-availability-using-azure-load-balancers/200819091250063/

  • Manuel Newbie ✭

    Okay, that's an Active/Active construct, with manual sync of the configuration....


    "Microsoft does not support L2 HA deployment and requires manually Sync by importing the .exp file every time from NSv_Azure_HA-01 to NSv_Azure_HA-02 or with the help of Cloud GMS."


    I was hoping to get a better solution...

  • Manuel Newbie ✭

    Does the available HA deployment have the API request already included? If not, where and how does it need to be configured?

  • If I recall correctly from a discussion with support, the API call is built into the firmware of the NSv. It is not configurable.

  • Manuel Newbie ✭

    But how can I check this, since my HA environment is not switching the IP address?

  • @Manuel, are the two units deployed in the same resource group with the identity and permissions?

    Please see https://www.sonicwall.com/techdocs/pdf/nsv-series-on-azure-6-5-4-getting-started-guide.pdf on page 16-20. It is on the older UI but the concepts are the same.

  • Manuel Newbie ✭

    @MasterRoshi Yes, I did everything as described in the manual; this is also part of the newest HA deployment script. Hmm, what I did to test the failover was the manual failover process inside the firewall cluster under HA Advanced settings, maybe this is not triggering the API?

  • cjac Newbie ✭

    Hi all, I hope you all are doing fine.

    Would there be any update or progress regarding this?

    We're also looking into the SonicWall HA A/A or A/P setup, but the official information is still pretty high level.

    Mainly interested in processing of multiple public IPs and the amount of downtime during an (un)planned failover.

    @Sbarrett @MasterRoshi

    Thanks a lot!

  • Sbarrett Newbie ✭

    I finally got around to trying out the Active/Active setup in Azure. In short, it wasn't a workable solution for me (and I suspect for most who will try to implement it).

    I spent a week working with support, pointing out all the flaws in the deployment template to them (Note: you will need to attach the NSG to X1 interfaces and enable IP forwarding on X0 interfaces; it took me some time to find these). The SonicWall documentation, as per usual, was useless as an aid to troubleshooting.

    When I finally got it working, I found entering the config twice on each instance extremely irritating, and prone to encouraging errors in entry. Simply copying the config won't work because the NAT rules are necessarily unique to each instance.

    Also DO NOT forget the NAT rule for traffic leaving X0, I admit I overlooked that at the start.

    Then finally the deal breaker. Adding a VPN to another location just does not work, as we cannot control or weight the traffic on the Azure Load Balancers in any way. If we had true stateful HA, this would be dealt with by enabling asymmetric routing, but in a design like this, when unexpected traffic arrives at the wrong firewall, the firewall simply says no, not happening.

    This could probably be made to work with BGP routing, weighting and probing between the two local instances, but life's too short.

    I will continue with a single firewall from this point on, with my nightly snapshots of the NSv disk in Azure, which, laughably, is quicker to restore than the failover of the Active/Passive method of HA SonicWall provides for NSvs in Azure.


    I note other providers (Fortinet, Palo Alto) now provide true HA in Azure via the Azure Gateway Load Balancer, which is based on VXLAN. It is regrettable that SonicWall has no such solution for Azure.
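Two points in this thread fit together: the original post reports that only the first of many public IPs follows an Active/Passive failover, and a later reply explains that in Azure the secondary IP configurations are moved between the units' NICs through Azure API calls rather than gratuitous ARP. Whether that move completed is something you can verify yourself after a test failover by comparing the `ipConfigurations` of the two WAN NICs. The script below is an added example written for this thread; it is not SonicWall or Microsoft code. It assumes the record shape returned by `az network nic show -g <rg> -n <nic> -o json` (camelCase keys `ipConfigurations`, `publicIPAddress`, `id`), and every resource ID, NIC name and address in it is constructed placeholder data, not taken from a real subscription.

```python
"""Verify that all public IPs followed an NSv Active/Passive failover in Azure.

Added example for this thread (not SonicWall or Azure code). Feed it the
`ipConfigurations` arrays of the two WAN (X1) NICs as returned by
`az network nic show ... -o json` before and after a test failover.
"""
from typing import Dict, List, Optional, Set

# --- constructed sample data (placeholders, not real resource IDs) ----------
SUB = "/subscriptions/00000000-PLACEHOLDER/resourceGroups/nsv-ha-rg"
PIP = SUB + "/providers/Microsoft.Network/publicIPAddresses/"


def ipconfig(name: str, private_ip: str, pip: Optional[str], primary: bool = False) -> Dict:
    """Build one ipconfig record shaped like the Azure CLI output (assumed shape)."""
    cfg = {"name": name, "privateIPAddress": private_ip, "primary": primary}
    if pip is not None:
        cfg["publicIPAddress"] = {"id": PIP + pip}
    return cfg


# Snapshot of the active unit's WAN NIC taken BEFORE the failover: three
# public IPs are bound to it, one per ipconfig.
BEFORE_ACTIVE_NIC = {
    "name": "nsv-ha-01-x1",
    "ipConfigurations": [
        ipconfig("ipconfig1", "10.0.1.4", "wan-pip-01", primary=True),
        ipconfig("ipconfig2", "10.0.1.5", "wan-pip-02"),
        ipconfig("ipconfig3", "10.0.1.6", "wan-pip-03"),
    ],
}

# Snapshots taken AFTER the failover, reproducing the symptom described in the
# thread: only the first public IP was moved, the other two stayed behind.
AFTER_OLD_NIC = {
    "name": "nsv-ha-01-x1",
    "ipConfigurations": [
        ipconfig("ipconfig1", "10.0.1.4", None, primary=True),
        ipconfig("ipconfig2", "10.0.1.5", "wan-pip-02"),
        ipconfig("ipconfig3", "10.0.1.6", "wan-pip-03"),
    ],
}
AFTER_NEW_NIC = {
    "name": "nsv-ha-02-x1",
    "ipConfigurations": [
        ipconfig("ipconfig1", "10.0.1.7", "wan-pip-01", primary=True),
    ],
}


def public_ip_ids(nic: Dict) -> Set[str]:
    """Return the public IP resource IDs bound to any ipconfig on the NIC."""
    return {
        cfg["publicIPAddress"]["id"]
        for cfg in nic.get("ipConfigurations", [])
        if cfg.get("publicIPAddress")
    }


def failover_report(old_nic: Dict, new_nic: Dict, expected: Set[str]) -> Dict[str, List[str]]:
    """Classify each public IP the HA pair owned before failover (`expected`)
    by where it ended up afterwards."""
    on_new = public_ip_ids(new_nic)
    on_old = public_ip_ids(old_nic)
    return {
        "moved": sorted(expected & on_new),
        "stranded_on_old": sorted(expected & (on_old - on_new)),
        "missing": sorted(expected - on_new - on_old),
        "unexpected_on_new": sorted(on_new - expected),
    }


def failover_complete(report: Dict[str, List[str]]) -> bool:
    """True only if every expected public IP now sits on the new active NIC."""
    return not (report["stranded_on_old"] or report["missing"] or report["unexpected_on_new"])


if __name__ == "__main__":
    expected = public_ip_ids(BEFORE_ACTIVE_NIC)
    report = failover_report(AFTER_OLD_NIC, AFTER_NEW_NIC, expected)
    for key, ids in report.items():
        print(f"{key}: {[i.rsplit('/', 1)[-1] for i in ids]}")
    print("failover complete:", failover_complete(report))
```

Run it once with the snapshots from a planned failover (for instance the manual failover under HA Advanced settings mentioned above) and treat a non-empty `stranded_on_old` list as the signal to open a support case with the exact ipconfig names attached, rather than discovering the gap from customer traffic. The `unexpected_on_new` bucket catches the opposite drift, where an address appears on the new active unit that the pair never owned.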
