1

So in short, new boss wants me to set up our SonicWalls for HA, but given our circumstances, I don't think it's possible. Any suggestions?

We have 2 buildings on site. Each has a SonicWall NSA3600... ONE per building. Currently, there's a fiber line running from one to the other to connect the two buildings. Each SonicWall's WAN interface is connected to its own line to the internet. Finally, each LAN interface on each SonicWall is connected to its own switch stack.

Now here's the problem. When looking at documentation for setting up HA, I know you need to have a direct connection between the two units via a crossover cable. That we don't have in place spanning the two buildings. SECONDLY, it sounds to me that we would need 2 more additional NSA3600 units to have an active unit and standby unit in each building. You can't have 2 units both actively routing traffic set up with each other for HA, right?

I knew this sounded impossible from the get-go, but I just needed some receipts and verification before I tell him no can do. Thanks

d34db33f

2 Answers

0

You have two sites, so I doubt you can mirror the network between them. You will need two more NSA3600s to have an HA pair in each site.

From the manual... https://www.sonicwall.com/support/technical-documentation/sonicos-6-5-system-setup.pdf

High Availability (HA) is a redundancy design that allows two identical SonicWall Security Appliances running SonicOS to be configured to provide a reliable, continuous connection to the public Internet. One SonicWall SuperMassive is configured as the Primary unit, and an identical Security Appliance is configured as the Secondary unit. If the Primary Security Appliance fails, the Secondary Security Appliance takes over to secure a reliable connection between the protected network and the Internet. Two Security Appliances configured in this way are also known as a High Availability Pair (HA Pair). High Availability provides a way to share SonicWall licenses between two SonicWall Security Appliances when one is acting as a high-availability system for the other. Both Security Appliances must be the same SonicWall model.

  • This is the discussion I've had with my boss countless times, and my opinion from the beginning... to simply buy more NSAs and have a pair of each, one primary one secondary, in each building. He does not know what he's talking about and insists we do it with only 1 in each building. So, as of now, we have a hodge-podge setup where one building is primary the other is secondary... all traffic for both buildings flows out of 1 of the buildings... if building #1 fails, building 2 takes over and traffic then flows back to building 2, then back to building 1 and out. It's so dumb. – d34db33f Oct 25 '19 at 13:17
0

Your boss is misusing a concept; does he want a redundant WAN connection, or a redundant head office router?

This is not the same, as a redundant WAN connection means your MX or such external DNS entry would not match your WAN#2 vs WAN#1 IP address.

For emergencies you could set up a backup WAN using either of those two SonicWalls, but you would need Cisco gear in between with a preferred route that would load balance if one of those SonicWalls dies; thus that question would better fit on Network Engineering, as it's complex to do. I did it for one customer and he had another appliance that updated the DNS entry when the link changed.

For HA you need the crossover cable, and one becomes active and the other inactive, waiting to take over, and they both share the network stack so nothing gets dropped if one device dies.

yagmoth555