
Secondary sonicwall inaccessible

djhurt1 Enthusiast ✭✭

We have a pair of SonicWalls in Active/Standby mode. According to the monitoring settings page, the IP addresses listed for primary IP address and secondary IP address appear wrong. For example, I access the primary SonicWall's web interface via the 10.0.02 address and the primary IP address listed in the HA monitoring settings is 10.0.03. The secondary IP is listed as 10.0.0.4. Neither one of those IP addresses in the monitoring settings replies to ping. Furthermore, during a support session recently, the primary SonicWall crashed and rebooted, causing a failover to the secondary. The secondary's web interface came up in my browser as the same IP as the primary, 10.0.0.2. I only knew it was the secondary because at the top of the page it stated logged into secondary SonicWall. So my question is: what is the purpose of the primary and secondary IP address in the monitoring settings? I assumed it's for the devices to ping each other regularly to query if they're up, but in the SonicWall documentation it appears that both primary and secondary ping a separate device and that's what decides if a failover occurs, so I'm confused. Also, can someone confirm that the secondary SonicWall's web interface should be accessible while it's in standby mode?

Category: High End Firewalls

Best Answer

  • CORRECT ANSWER
    shiprasahu93 Moderator
    Answer ✓

    Hello @djhurt1,

    With the monitoring IP addresses configured, the active firewall is always reachable through the IP address configured on the interface.

    The primary/secondary monitoring IP should always take you to the primary/secondary device respectively irrespective of their state i.e., active/standby.

    So, in your case, I feel there is something either not set right, or there are some ARP mismatches. The monitoring IP for secondary should always take you to the secondary device even if it is in an active state.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

Answers

  • djhurt1 Enthusiast ✭✭

    @shiprasahu93

    I believe someone has neglected to set a separate management IP on our secondary SonicWall. We're going to fail over this afternoon to change that. I have a couple questions I hope you can answer?

    Our core switch does our routing and has the SonicWall IP as gateway. X16 is our gateway port and both SonicWalls have the same IP assigned to X16. Is this best practice? I ask because obviously we want the gateway to remain the same when a failover occurs, so I'm just confirming this as I don't see any other way to do it myself.

    Secondly, the documentation suggests that X0 be connected. Ours is not. We have X6 and X7 as our HA control and data interfaces. If I patch X0 on both units together, do I still need to set a monitoring IP? Do I need to set an IP on X0 at all? The reason I ask is because our SonicWall is currently configured to monitor the IP of our core switch, which would be found on X16.

  • djhurt1 Enthusiast ✭✭

    Reading this article https://www.sonicwall.com/support/knowledge-base/tips-for-high-availability-ha-setup/170504379328065/


    I feel a bit ignorant reading this statement:

    7. MGMT interfaces and HA: The ACTIVE unit will always listen on what is configured for the MGMT interface on the Manage | Network | Interfaces page | "IP Address (Primary)". Likewise, the IDLE unit will only respond to the "IP Address (Secondary)". If the "HA" / "Secondary" unit becomes ACTIVE due to a failover event it will respond to what is configured as the "IP Address (Primary)".

    • This follows different logic from the other interfaces where you have the 3 IP addresses: the single "virtual" IP that is configured on the interface at Manage | Network | Interfaces which is always the IP the ACTIVE unit responds to and then the 2 Monitoring IPs configured in Manage | High Availability | Monitoring | [interface edit] | "Primary IPv4 Address" and "Secondary IPv4 Address" where the "Primary IPv4 Address" always stays with the "Primary Unit" regardless whether it is active or idle and the "Secondary IPv4 Address" always stays with the "HA"/"Secondary" unit whether it is active or idle.

    Where is the "virtual IP" it's referring to configured? As far as I can see there are simply IP addresses, but nothing that specifically specifies it as virtual.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1

    The "virtual" IP address is the address you assigned under Network -> Interfaces; the dedicated Primary and Secondary IP addresses are defined in HA -> Monitoring for each interface and should therefore be in the same subnet as the "virtual" IP.

    It's called virtual because it can be active on either the primary or the secondary unit, depending on the HA state.

    --Michael@BWC

  • @djhurt1,

    At all times both the firewalls should have exactly the same IP addresses assigned on each of the interfaces. This itself is the virtual IP. This is done so that during the failover, the IP addresses remain the same.

    Also, the X0 interface acts as a backup HA link if the actual Control HA link fails. That is the reason it is advised to have that connected.

    Point 7 in the KB refers to the interface labeled as MGMT, and how its behavior is different from others.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • djhurt1 Enthusiast ✭✭

    @BWC

    Should there be an interface there labeled as virtual? I see where one can add a "virtual" interface. I suspect this is what is throwing me off because we have no interfaces labeled as virtual. This was set up years ago by Dell and pre-dates my time here. I'm trying to sort it all out.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1, if we're talking HA then the term Virtual Interface isn't a real setting, it's just the active interface. Don't get it confused with the real Virtual Interface, which is a VLAN interface.

    As mentioned before, Network -> Interfaces holds the active appliance IP (cluster IP), which could be on either the primary or the secondary appliance. The HA settings hold the individual addresses for the Primary and Secondary appliances (if configured). Each interface could have up to 3 IP addresses in total.

    --Michael@BWC

  • djhurt1 Enthusiast ✭✭

    @BWC

    One thing that's still confusing me then is the situation I'm facing currently. Right now we can't access the secondary firewall when it's in standby mode; however, documentation states we should be able to if we set a management IP. So it appears currently both primary and secondary are configured identically. It appears I need to set a unique IP on one of the interfaces on each firewall so either firewall can be accessed whether it's in active or standby mode. Can you offer what would be best practice in this scenario? I previously failed over the primary and accessed the secondary and attempted this, but I suspect that although the web interface said I was connected to secondary, I actually configured the interface for both as I was using the common IP, which is what I believe you all are referring to as the "virtual" IP.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1

    Network -> Interface is the common unique IP for the active appliance. Let's assume the X0 IP is 10.4.16.1; then the HA -> Monitoring addresses for X0 could be as follows:

    Primary will be available from the X0 via 10.4.16.14 and the Secondary via 10.4.16.15.

    Just make sure that you're accessing the firewall from the same subnet (10.4.16.0/24), otherwise you need additional Management Access Rules.

    --Michael@BWC
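
The addressing rules discussed in this thread (one shared "virtual" IP per interface plus a unique primary and secondary monitoring IP in the same subnet) can be checked against a planned configuration before a failover window. This is an added example, not part of any post or of SonicWall's tooling; `HaInterfacePlan`, `check_plan` and the sample plans are hypothetical names and constructed data, with the /24 prefix and X0 addresses taken from the last reply.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class HaInterfacePlan:            # hypothetical structure, not a SonicWall format
    name: str
    virtual: str                  # Network -> Interfaces address with prefix
    primary_monitor: Optional[str]    # HA -> Monitoring, Primary IPv4 Address
    secondary_monitor: Optional[str]  # HA -> Monitoring, Secondary IPv4 Address

def check_plan(plan: HaInterfacePlan, mgmt_client: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    iface = ipaddress.ip_interface(plan.virtual)
    net = iface.network
    seen = {iface.ip: "virtual IP"}
    for label, raw in (("primary monitoring IP", plan.primary_monitor),
                       ("secondary monitoring IP", plan.secondary_monitor)):
        if not raw:
            # Without its own address a unit answers only on the shared IP,
            # so it cannot be reached individually while it is in standby.
            findings.append(f"{plan.name}: no {label} set")
            continue
        addr = ipaddress.ip_address(raw)
        if addr not in net:
            findings.append(f"{plan.name}: {label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            findings.append(f"{plan.name}: {label} {addr} is not a host address")
        if addr in seen:
            findings.append(f"{plan.name}: {label} {addr} duplicates the {seen[addr]}")
        seen[addr] = label
    if mgmt_client and ipaddress.ip_address(mgmt_client) not in net:
        findings.append(f"{plan.name}: client {mgmt_client} is outside {net}; "
                        "management access rules are needed")
    return findings

# Constructed sample plans: GOOD uses the X0 addresses from the reply above.
GOOD = HaInterfacePlan("X0", "10.4.16.1/24", "10.4.16.14", "10.4.16.15")
BAD = HaInterfacePlan("X0", "10.4.16.1/24", "10.4.16.1", "10.4.17.15")
NO_SECONDARY = HaInterfacePlan("X0", "10.4.16.1/24", "10.4.16.14", None)

if __name__ == "__main__":
    for plan in (GOOD, BAD, NO_SECONDARY):
        print(plan.name, check_plan(plan, mgmt_client="10.4.16.50") or "consistent")
```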
