SonicWALL 2.5 Security Camera User Manual


 
SONICWALL SONICOS ENHANCED 2.5 ADMINISTRATORS GUIDE
CHAPTER 10: Setting Up WAN Failover and Load Balancing
Per Destination Round-Robin: When this setting is selected, the SonicWALL security appliance
load-balances outgoing traffic on a per-destination basis. This is a simple load balancing method
and, though not very granular, allows you to utilize both links in a basic fashion (instead of the
method above, which does not utilize the capability of the Secondary WAN until the Primary WAN
has failed). The SonicWALL security appliance needs to examine outbound flows for uniqueness
in source IP and destination IP and make the determination as to which interface to send the traffic
out of and accept it back on. Please note this feature will be overridden by specific static route
entries.
Spillover-Based: When this setting is selected, the user can specify when the SonicWALL
security appliance starts sending traffic through the Secondary WAN interface. This method allows
you to control when and if the Secondary interface is used. This method is used if you do not want
outbound traffic sent across the Secondary WAN unless the Primary WAN is overloaded. The
SonicWALL security appliance has a hold timer, not exposed in the Management Interface, set to 20
seconds. If the sustained outbound traffic across the Primary WAN interface exceeds the
administrator-defined Kbps, then the SonicWALL security appliance spills outbound traffic to the
Secondary WAN interface (on a per-destination basis). The user entry box should not have a
default entry and should be left empty for the user. Please note this feature will be overridden by
specific static route entries.
Percentage-Based: When this setting is selected, you can specify the percentages of traffic sent
through the Primary WAN and Secondary WAN interfaces. This method allows you to actively
utilize both Primary and Secondary WAN interfaces. Only one entry box is required (percentage
for Primary WAN), as the SonicWALL will auto-populate a non-user-editable entry box with the
remaining percentage assigned to the Secondary WAN interface. Please note this feature will be
overridden by specific static route entries.
Enabling WAN Probe Monitoring
If Probe Monitoring is not activated, the SonicWALL security appliance performs physical monitoring
only on the Primary and Secondary WAN interfaces, meaning it only marks a WAN interface as failed
if the interface is disconnected or stops receiving an Ethernet-layer signal. This is not an assured
means of link monitoring, because it does not address most failure scenarios, e.g. routing issues with
your ISP, or an upstream router that is no longer passing traffic. For example, if the WAN interface is
connected to a hub or switch, and the router providing the connection to the ISP (also connected to
this hub or switch) were to fail, the SonicWALL will continue to believe the WAN link is usable,
because the connection to the hub or switch is good.
Selecting Enabling Probe Monitoring on the Network > WAN Failover & LB page allows the
SonicWALL security appliance to perform logical checks of upstream targets to ensure that the line is
indeed usable, eliminating this potential problem, while continuing to do physical monitoring. If
Probe Monitoring is activated and the settings are left blank, the SonicWALL performs an ICMP ping
probe of both WAN ports’ default gateways. Unfortunately, this is also not an assured means of link
monitoring, because service interruption may be occurring farther upstream. If your ISP is
experiencing problems in its routing infrastructure, a successful ICMP ping of their router causes the
SonicWALL security appliance to believe the line is usable, when in fact it may not be able to pass
traffic to and from the public Internet at all.
To perform reliable link monitoring, you can choose ICMP or TCP as the monitoring method, and can
specify up to two targets for each WAN port. TCP is preferred because many devices on the public
Internet now actively drop or block ICMP requests. If you specify two targets for each WAN interface,
you can logically link the two probe targets such that if either one fails the line will go down, or that
both must fail for the line to be considered down. Using the latter method, you can configure a sort of
‘deep check’ to see if the line is truly usable – for instance, you could set the first probe target to your
ISP’s router interface using ICMP (assuming they allow this), and then set a secondary probe target of
a DNS server on the public Internet using TCP Port 53. With this method, if the ICMP probe of the
ISP’s router fails but the target farther upstream continues to respond, the SonicWALL security
appliance assumes the link is usable and continues to send traffic across it.
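
The monitoring behaviour described in this section, modelled as an added example (not code from SonicWALL or from this guide). The function names, the "any"/"all" linkage labels and the scenario table are assumptions constructed for illustration; tcp_probe shows what a TCP reachability check against a target such as a DNS server on port 53 amounts to.

```python
import socket

def tcp_probe(host, port, timeout=2.0):
    """TCP probe: True only if a connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False

def link_usable(physical_up, probe_results=(), fail_when="all"):
    """Decide whether a WAN link is usable (hypothetical model).

    physical_up   -- Ethernet-layer signal present on the WAN port
    probe_results -- one bool per probe target (at most two); empty
                     means physical monitoring only
    fail_when     -- "any": either target failing takes the link down
                     "all": both targets must fail
    """
    if len(probe_results) > 2:
        raise ValueError("at most two probe targets per WAN port")
    if fail_when not in ("any", "all"):
        raise ValueError("fail_when must be 'any' or 'all'")
    if not physical_up:
        return False
    if not probe_results:
        return True  # no logical check: a live switch port is enough
    failures = [not ok for ok in probe_results]
    down = any(failures) if fail_when == "any" else all(failures)
    return not down

# Constructed scenarios: (description, physical_up, probe_results, fail_when)
SCENARIOS = [
    ("no probing, ISP router behind the switch is dead", True, (), "all"),
    ("gateway ping only, ISP routing broken upstream", True, (True,), "all"),
    ("ISP router ICMP fails, DNS TCP/53 answers", True, (False, True), "all"),
    ("same results, either-fails linkage", True, (False, True), "any"),
    ("both targets fail", True, (False, False), "all"),
    ("cable unplugged", False, (False, False), "all"),
]

def evaluate(scenarios=SCENARIOS):
    return [(d, link_usable(up, res, mode)) for d, up, res, mode in scenarios]

if __name__ == "__main__":
    for desc, usable in evaluate():
        print(f"{'UP  ' if usable else 'DOWN'}  {desc}")
```

The first two scenarios report the link as up even though it cannot pass traffic, which is the blind spot of physical-only and gateway-only monitoring described above.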