Stateful and Non-Stateful High Availability Prerequisites
Resolution
• The Primary and Backup appliances must be the same model. Mixing and matching SonicWalls of different hardware types is not currently supported.
• Both units must be registered and associated as a High Availability pair on MySonicWall before physically connecting them.
– LAN Virtual IP Address – Configured on the X0 interface of the Primary unit. This is the default gateway for all devices configured on the LAN. Accessing the management interface with this IP address will log you into the appliance that is Active whether it is the Primary unit or Backup unit.
– Primary LAN Management IP Address – Configured under High Availability > Monitoring. This is the IP address used for managing the Primary unit over the LAN interface, regardless of the Active or Idle status of the unit.
– Backup LAN Management IP Address – Configured under High Availability > Monitoring. This is the IP address used for managing the Backup unit over the LAN interface, regardless of the Active or Idle status of the unit.
• At least one WAN IP address is required:
– WAN Virtual IP Address – Configured on the X1 Interface of the Primary unit. Accessing the management interface with this IP address will log you into the appliance that is Active whether it is the Primary unit or Backup unit.
– Primary WAN Management IP Address (Optional) – Configured under High Availability > Monitoring. This is the IP address used for managing the Primary unit over the WAN interface, regardless of the Active or Idle status of the unit. This requires that you have an additional routable IP address available. This is optional, as you can always manage the Active unit with one static WAN IP address.
– Backup WAN Management IP Address (Optional) – Configured under High Availability > Monitoring. This is the IP address used for managing the Backup unit over the WAN interface, regardless of the Active or Idle status of the unit. This requires that you have an additional routable IP address available. This is optional, as you can always manage the Active unit with one static WAN IP address.
If using only a single WAN IP, note that the Backup device, when in Idle mode, will not be able to use NTP to synchronize its internal clock.
If you will not be using Primary/Backup WAN Management IP addresses, make sure each entry field is set to ‘0.0.0.0’ (on the High Availability > Monitoring page); the SonicWall will report an error if the field is left blank.
If each SonicWall has a Primary/Backup WAN Management IP address for remote management, the WAN IP addresses must be in the same subnet.
If shifting a previously assigned interface to act as a unique WAN interface, be sure to remove any custom NAT policies that were associated with that interface before configuring it.
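The rules above can be checked against a planned address sheet before the units are cabled. The following pre-flight check is an added example, not SonicWall code: the plan layout, the function name check_ha_plan, the build labels and the sample addresses are all constructed, and it assumes the WAN virtual IP's subnet is the reference for the "same subnet" rule.

```python
import ipaddress

UNUSED = "0.0.0.0"  # value the page says to enter when a WAN management IP is not used

def check_ha_plan(plan):
    """Return a list of (severity, message) findings for a planned HA pair."""
    findings = []
    pri, bak = plan["primary"], plan["backup"]

    # Both units must be the same model and run the same SonicOS Enhanced version.
    if pri["model"] != bak["model"]:
        findings.append(("error", "Primary and Backup are different models"))
    if pri["firmware"] != bak["firmware"]:
        findings.append(("error", "Primary and Backup run different SonicOS versions"))

    wan = ipaddress.ip_interface(plan["wan_virtual"])  # X1 address with prefix length
    mgmt = {"Primary": pri["wan_mgmt"].strip(), "Backup": bak["wan_mgmt"].strip()}
    used = {}
    for unit, value in mgmt.items():
        if value == "":
            findings.append(("error", f"{unit} WAN management field is blank; enter {UNUSED}"))
        elif value != UNUSED:
            used[unit] = ipaddress.ip_address(value)

    for unit, addr in used.items():
        if addr not in wan.network:
            findings.append(("error", f"{unit} WAN management IP {addr} is outside {wan.network}"))
        if addr == wan.ip:
            findings.append(("error", f"{unit} WAN management IP duplicates the WAN virtual IP"))
    if len(used) == 2 and used["Primary"] == used["Backup"]:
        findings.append(("error", "Primary and Backup WAN management IPs are identical"))

    # Without its own WAN management IP, the Idle Backup cannot reach NTP.
    if "Backup" not in used:
        findings.append(("warning", "Backup has no WAN management IP: no NTP sync while Idle"))
    return findings

# Constructed sample plan (documentation-range addresses, placeholder build labels).
SAMPLE_PLAN = {
    "wan_virtual": "203.0.113.10/28",
    "primary": {"model": "NSA 2400", "firmware": "build-A", "wan_mgmt": "203.0.113.11"},
    "backup": {"model": "NSA 2400", "firmware": "build-B", "wan_mgmt": ""},
}

if __name__ == "__main__":
    for severity, message in check_ha_plan(SAMPLE_PLAN):
        print(f"{severity.upper()}: {message}")
```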
The following figure shows an example of how to connect two SonicWall security appliances for Stateful High Availability. The units are connected with their designated HA ports.
Initial High Availability Setup
• Register and associate the Primary and Backup SonicWall security appliances as a High Availability pair on MySonicWall. Refer to the following articles:
– “Associating an Appliance at First Registration”: see Associating an Appliance at First Registration on MySonicWALL for High Availability?
– “Associating Pre-Registered Appliances”: see How to Associate Pre-Registered Appliances on MySonicWALL for High Availability
– “Associating a New Unit to a Pre-Registered Appliance”: see Associating a New Unit to a Pre-Registered Appliance on MySonicWall for High Availability
– “Removing an HA Association”: see How to Remove an High Availability (HA) association on the Mysonicwall.com?
– “Replacing a SonicWall Security Appliance”: see How to Replace a Primary or Secondary High Availability (HA) unit?
• Make sure that the two appliances are running the same SonicOS Enhanced version.
• Connect the Primary SonicWall and Backup SonicWall appliances with a CAT5 or CAT6-rated crossover cable. The Primary and Backup SonicWall security appliances must have a dedicated connection between each other for High Availability. SonicWall recommends cross-connecting the two together using a CAT5/6 crossover Ethernet cable, but a connection using a dedicated 100Mbps hub/switch is also acceptable. The following table shows which interface to use for the various SonicWall security appliance platforms.
| Platform | Interface for High Availability |
|---|---|
| TZ 210, TZ 210 Wireless | X6 |
| PRO 2040 | X3 |
| PRO 3060/4060/4100/5060 | X5 |
| NSA 240 | X8 |
| NSA 2400, 3500, 4500, 5000 | X5 |
| NSA E5500, E6500, E7500 | HA port |
• Do not make any configuration changes to the Primary’s High Availability interface; the High Availability programming in an upcoming step takes care of this. See “Configuring High Availability in SonicOS Enhanced”. When done, disconnect the workstation.