Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

site to site VPN failover tz600

chadwhittingtonchadwhittington Newbie ✭
edited January 2023 in Entry Level Firewalls

I have a site to site vpn on an existing fiber internet connection X1. It is pretty stable but recently it has gone down a few times.

I added a failover WAN on X5 and setup failover and load balancing for internet based system. the printing portion of this system requires a site to site VPN connection

Question is: if the X1 interface goes down how do i fail over to X5 WAN. The site to site is IKE using preshared key

Local IKE ID is set to my x1 ip address and the peer is the remote. VPN policy is bound to X1 interface. routes to destination network 10.200.8.104/255.255.255.248

Can i just create another site to site vpn pointing to the same external subnet 10.200.8.104/255.255.255.248? with the IKE ID set to x5 with peer as same remote? i really only wan this route active is primary goes down

firmware is currently 6.2.7.0-19n

Category: Entry Level Firewalls
Reply

Answers

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    Upgrade your firmware version, that one is ancient.

    You cannot add a second tunnel to the same subnet.

    Do you have control over the other S2S VPN gateway? You'll need to add the new second ISP WAN interface static IP as a secondary gateway for the tunnel.

    IKE ID doesn't matter as long as it matches both ends, BUT you'd need to change the policy is bound to Zone WAN, not a specific interface. If it's not Zone WAN it won't fail-over when X1 goes down.

    All that said VPN failovers are NOT always instantaneous or graceful. Do some testing and tweak your lifetimes if needed. Prefer IKEv2.

  • Hello Chad.

    On SonicWall firewalls, Site to Site VPNs are tipically bound to WAN Group, which means that each interface assigned to WAN Zone will be used to establish VPN.

    There is an interesting behaviour when you use both IP Address fields on Site to Site VPNs: SonicWall firewalls do some kind of load balancing, distributing traffic across both IP addresses. In this scenario, there is no way to control traffic flow or to do some sort of routing control or prioritize traffic to be handled by a specific ISP.

    To bypass this behaviour I use Tunnel Interfaces.

    Tunnel Interfaces enables you to specify routes and, so, create a very controlled priorization and failover scenario.

    Hope I have helped.

    Best regards!

Sign In or Register to comment.