Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register

No ping response from standby firewall in HA pair

GeraintGeraint Newbie ✭
in Entry Level Firewalls

Good morning all,

I have TZ500 HA pairs set up at several sites and the basic config is the same across all of them; however at one site I can get ping responses from the active firewall on both the gateway IP address and the firewall IP address but I can't get a ping response from the standby firewall on its IP address.

So, the gateway is on xxx.xxx.xxx1

Primary is on xxx.xxx.xxx.200

Secondary is on xxx.xxx.xxx.201

If the primary is 'active' then I can get a ping response from xxx.xxx.xxx.1 & xxx.xxx.xxx.200 but not xxx.xxx.xxx.201

If the secondary is active then I can get a ping response from xxx.xxx.xxx.1 & xxx.xxx.xxx.201 but not xxx.xxx.xxx.200

This is only an issue at the one site and I can't see anything in the config that would cause this. Any thoughts from you guys/gals would be much appreciated.

Category: Entry Level Firewalls
Reply
Tagged:

Best Answer

  • CORRECT ANSWER
    RobbertRobbert Newbie ✭
    edited August 2022 Answer ✓

    we had this exact issue!

    below fixed it!

    Description

    In some cases, not able to access High availability idle device using monitoring IP address. This article describes adding necessary rules to get access to the standby/idle unit using it's monitoring IP

    Resolution


    Resolution/Workaround:


    Need to create below NAT policies on High availability Active device in order to access ideal device using monitoring IP address.

     

    Original source             :Any

    Translated source         :HF Backup X0IP

    Original Destination      :HF Primary X0 IP

    Translated Destination  :Original

    Original Service            :Any (ICMP/HTTP management/HTTPS management)

    Translated Service        :Original

    Inbound Interface          :Any

    Outbound Interface        :X0


    and


    Original source              : Any

    Translated source          :HF Primary X0 IP

    Original Destination       :HF Backup X0IP

    Translated Destination   :Original

    Original Service             :Any (ICMP/HTTP management/HTTPS management)

    Translated Destination   :Original

    Inbound Interface           :Any

    Outbound Interface         :X0

    source: https://www.sonicwall.com/support/knowledge-base/unable-access-high-availability-idle-device-using-monitoring-ip-address/170504891383242/

Answers

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    @Geraint

    For resolving the ping issue with secondary unit, Create a static ARP entry for the secondary unit.

    Navigate to Network-->ARP-->Add-->Static ARP entries.

    NB: Interface should be your LAN interface. ( You will be get the secondary unit MAC from ARP Cache.)

    image.png


  • SonicAdmin80SonicAdmin80 Cybersecurity Overlord ✭✭✭

    By design the inactive firewall doesn't respond to traffic coming from a different subnet. So either a NAT rule or same-subnet probing is needed.

  • GeraintGeraint Newbie ✭

    Thank you all for your very helpful responses, much appreciated and this issue has been resolved with the NAT rule as per Robbert's link.

    The ping testing was done on the same subnet but still failed.

    This used to work OK until the other day when it just stopped working, noticed a couple of days after a firmware upgrade to 6.5.4.10-95n but this was OK at other sites.

    The two top rules below are the default rules but are no longer working as expected. The two bottom rules are the custom rules which are working.

    Thanks all.

    image.png


  • RobbertRobbert Newbie ✭
    https://community.sonicwall.com/technology-and-support/discussion/comment/15887#Comment_15887

    make sure to enable removal of default rules in the diag page and then remove the broken rules and then disable removal of default rules in the diag page again :)

Sign In or Register to comment.