No ping response from standby firewall in HA pair

Good morning all,

I have TZ500 HA pairs set up at several sites and the basic config is the same across all of them; however at one site I can get ping responses from the active firewall on both the gateway IP address and the firewall IP address but I can't get a ping response from the standby firewall on its IP address.

So, the gateway is on

Primary is on

Secondary is on

If the primary is 'active' then I can get a ping response from & but not

If the secondary is active then I can get a ping response from & but not

This is only an issue at the one site and I can't see anything in the config that would cause this. Any thoughts from you guys/gals would be much appreciated.

Category: Entry Level Firewalls

Best Answer

  • Robbert, Newbie ✭
    edited August 2022, Answer ✓

    We had this exact issue!

    Below fixed it!


    In some cases, the High Availability idle device cannot be accessed using its monitoring IP address. This article describes adding the necessary rules to get access to the standby/idle unit using its monitoring IP.



    The NAT policies below need to be created on the High Availability active device in order to access the idle device using its monitoring IP address.


    Original Source:        Any
    Translated Source:      HF Backup X0 IP
    Original Destination:   HF Primary X0 IP
    Translated Destination: Original
    Original Service:       Any (ICMP/HTTP management/HTTPS management)
    Translated Service:     Original
    Inbound Interface:      Any
    Outbound Interface:     X0


    Original Source:        Any
    Translated Source:      HF Primary X0 IP
    Original Destination:   HF Backup X0 IP
    Translated Destination: Original
    Original Service:       Any (ICMP/HTTP management/HTTPS management)
    Translated Destination: Original
    Inbound Interface:      Any
    Outbound Interface:     X0
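
A consistency check for the two NAT policies listed in the answer above, as an added example (not part of the original post and not SonicWall code): it parses the listings as posted, with spacing normalised, and flags repeated or missing fields and a pair whose addresses do not mirror each other. The function names and the required-field list are assumptions made for this example.

```python
REQUIRED = ("original source", "translated source", "original destination",
            "translated destination", "original service", "translated service",
            "inbound interface", "outbound interface")

# Constructed input: the two listings from the answer above, labels as posted.
POLICY_1 = """
Original source : Any
Translated source : HF Backup X0 IP
Original Destination : HF Primary X0 IP
Translated Destination : Original
Original Service : Any (ICMP/HTTP management/HTTPS management)
Translated Service : Original
Inbound Interface : Any
Outbound Interface : X0
"""
POLICY_2 = """
Original source : Any
Translated source : HF Primary X0 IP
Original Destination : HF Backup X0 IP
Translated Destination : Original
Original Service : Any (ICMP/HTTP management/HTTPS management)
Translated Destination : Original
Inbound Interface : Any
Outbound Interface : X0
"""

def parse_policy(text):
    """Parse 'Label : value' lines into a dict; return (fields, problems)."""
    fields, problems = {}, []
    for line in (l for l in text.splitlines() if ":" in l):
        label, _, value = line.partition(":")
        key = " ".join(label.lower().split())  # normalise case and spacing
        if key in fields:
            problems.append(f"duplicate field: {key}")
        fields[key] = value.strip()
    problems += [f"missing field: {k}" for k in REQUIRED if k not in fields]
    return fields, problems

def validate_pair(text_1, text_2):
    """Each policy's translated source must be the other's original destination."""
    (a, e1), (b, e2) = parse_policy(text_1), parse_policy(text_2)
    problems = e1 + e2
    for x, y, n in ((a, b, "1"), (b, a, "2")):
        if x.get("translated source") != y.get("original destination"):
            problems.append(f"policy {n} translated source is not the other's destination")
    return problems

if __name__ == "__main__":
    print("\n".join(validate_pair(POLICY_1, POLICY_2)) or "pair is consistent")
```

Run on the listings as posted, it reports that the second policy repeats Translated Destination and has no Translated Service line.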



  • Ajishlal, Community Legend ✭✭✭✭✭


    To resolve the ping issue with the secondary unit, create a static ARP entry for the secondary unit.

    Navigate to Network --> ARP --> Add --> Static ARP entries.

    NB: The interface should be your LAN interface. (You will get the secondary unit's MAC from the ARP cache.)

  • SonicAdmin80, Cybersecurity Overlord ✭✭✭

    By design the inactive firewall doesn't respond to traffic coming from a different subnet. So either a NAT rule or same-subnet probing is needed.

  • Geraint, Newbie ✭

    Thank you all for your very helpful responses, much appreciated and this issue has been resolved with the NAT rule as per Robbert's link.

    The ping testing was done on the same subnet but still failed.

    This used to work OK until the other day when it just stopped working, noticed a couple of days after a firmware upgrade to but this was OK at other sites.

    The two top rules below are the default rules but are no longer working as expected. The two bottom rules are the custom rules which are working.

    Thanks all.

  • Robbert, Newbie ✭

    Make sure to enable removal of default rules in the diag page, then remove the broken rules, and then disable removal of default rules in the diag page again :)
