Network Infrastructure Help/Advice Needed
Here is my dilemma. We are currently implementing a fiber connection with a DSL/VPN connection as a backup. The issue that I am running into is that an ICMP redirect is causing the failover not to work as expected. This is because the fiber connection goes through an ISP and is configured with a private IP address. This fiber connection connects to our internal switch. From there it connects to the default gateway and out to the internet. Whenever a host communicates with this branch site via the fiber connection a route gets installed in the routing table due to an ICMP redirect message stating to use a different default gateway. Then whenever we simulate the failover the clients still try to communicate with the remote sites via the gateway that has failed. It has no way of knowing this and it just fails rather than sending it back to its default gateway to have it routed across the VPN tunnel. My question to all of you network/systems gurus out there is how can I get this setup and working so that the failover is automatic and the hosts at HQ are able to communicate with these remote devices once the DSL/VPN kicks in.
Some things that I have tested and tried were disabling ICMP redirects on the LAN interface of the SonicWall. This is not even possible on the SonicWall due to the zone that this interface is configured as. As per design of the SonicWall there is no setting for this.
I have also tried to flush the routing table; although this works, it defeats the purpose of having a secondary connection, as all hosts would need to restart or flush their routing table. I would ideally like to have this process automatic so that downtime is minimal.
The majority of the machines running here are Mac OS X from 10.4-10.6. There are a few Windows machines, but primarily we use Macs.
Attached is a network diagram to get a better understanding.
I apologize in advance for my childish drawing. This was much easier to do rather than using anything computer aided.
Any help or advice is greatly appreciated.
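The host-side symptom the original post describes (a per-host route that an ICMP redirect installed on the server, pointing at the fiber gateway) can be spotted and cleared from the routing table of the Mac OS X / BSD hosts mentioned. The shell script below is an added example, not from the post, the forum or SonicWall; the `netstat -rn` output it parses is constructed sample data, and the addresses 10.0.0.1 (default gateway), 10.0.0.2 (the gateway the redirect points at) and 10.50.7.x (branch hosts) are assumptions.

```shell
#!/bin/sh
# Added example: find host routes that a Mac OS X / BSD host learned from an
# ICMP redirect and print the route(8) commands that remove them, so the host
# falls back to its default gateway (which the firewall can fail over).
# On these systems netstat marks redirect-installed routes with the D flag
# (RTF_DYNAMIC); H marks a host route and G a gateway route.

# Constructed sample of `netstat -rn` output (not taken from the thread).
# 10.50.7.20 and 10.50.7.21 are branch hosts whose routes a redirect moved
# from the default gateway 10.0.0.1 to the fiber-side gateway 10.0.0.2.
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.0.1           UGSc           12        0     en0
10.0.0/24          link#4             UCS             3        0     en0
10.0.0.1           0:1:2:3:4:5        UHLWI          13       42     en0   1195
10.50.7.20         10.0.0.2           UGHD            0       17     en0
10.50.7.21         10.0.0.2           UGHD            0        3     en0
127                127.0.0.1          UCS             0        0     lo0
192.168.9.4        10.0.0.1           UGHS            0        0     en0'

# Read netstat -rn output on stdin and print "destination gateway" for every
# route carrying the D (dynamic) flag, i.e. one created by an ICMP redirect
# rather than by configuration. Static (S) and interface routes are skipped.
redirect_routes() {
    awk 'NF >= 4 && $1 != "Destination" && $3 ~ /D/ { print $1, $2 }'
}

# Turn the list into route(8) delete commands; run the output as root
# (e.g. `netstat -rn | flush_commands | sh`) to flush the learned routes
# without rebooting or clearing the whole table.
flush_commands() {
    redirect_routes | awk '{ printf "route -n delete -host %s %s\n", $1, $2 }'
}

# Number of redirect-installed routes; useful as a monitoring check
# (a non-zero value on an HQ server means the symptom from the post is back).
count_redirect_routes() {
    redirect_routes | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | flush_commands
```

Flushing only treats the symptom. Stopping the hosts from honouring redirects at all is `sysctl -w net.inet.icmp.drop_redirect=1` on Mac OS X/BSD and `netsh interface ipv4 set global icmpredirects=disabled` on Windows Vista/Server 2008 and later (XP/2003 use the `EnableICMPRedirect` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`); the cleanest fix remains keeping the gateway from sending redirects, which the post says the SonicWall LAN zone does not allow.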
Comments
it_consultant Member Posts: 1,903
Does the sonicwall that is connected via fiber and VPN truly support dual WAN? I am assuming the clients are using the internal interface of that (TZ 210) sonicwall as their default gateway; if they are not, they should be. If the Sonicwall truly is multi-WAN capable it will detect the failed route and delete it from the routing table and go to backup.
I would like to see the route from the WAN int. on the branch side of the fibre. I feel like this thing is bridging somehow - what you're saying is that the clients themselves discover a better gateway (the gateway of the giant Sonicwall) and modify their own next hop router address to something that is two hops down. I have not seen this behavior. What happens if you configure a client with a static IP + gateway and you pull the fibre plug, does that computer failover properly?
Bl8ckr0uter Inactive Imported Users Posts: 5,031
it_consultant wrote:
> Does the sonicwall that is connected via fiber and VPN truly support dual WAN? I am assuming the clients are using the internal interface of that (TZ 210) sonicwall as their default gateway; if they are not, they should be. If the Sonicwall truly is multi-WAN capable it will detect the failed route and delete it from the routing table and go to backup.
TZ 210 does support failover (Active passive). I actually have one sitting on my desk right now.
Network Security, Firewall & Wireless - TZ 210 Series Appliance Details - SonicWALL, Inc.
I see. I understand your problem now. Hmm, I am thinking maybe using virtual interfaces but I will look into this later on tonight. I need an excuse to take this bad boy home with me.
EDIT: Hey is your TZ210 in transparent mode? Because if not I found your answer.
it_consultant Member Posts: 1,903
The TZ210 does support multi-WAN (I looked it up on their website) but I was wondering if that feature was licensed and enabled. I've never used multi-WAN on sonicwalls, only on WGs and Ciscos.
What do you think is going on here?
cablegod Member Posts: 294
it_consultant wrote:
> The TZ210 does support multi-WAN (I looked it up on their website) but I was wondering if that feature was licensed and enabled. I've never used multi-WAN on sonicwalls, only on WGs and Ciscos.
> What do you think is going on here?
I remember from my Sonicwall experience years ago to get Multi-WAN working required a license upgrade to the "Advanced" feature set.
“Government is a disease masquerading as its own cure.” -Robert LeFevre
busines4u Member Posts: 67
The tz 210 is not in transparent mode. I have it setup for active/passive failover which works properly. The problem lies within the headquarters office where the redirect is occurring.
The failover is working as it should from the branch office side, apart from the vpn taking some time to come up, but that is the least of my worries at this point.
I'm primarily concerned with our servers installing these routes from the ping redirect, as the traffic will route to the fiber gateway which would be down when the failover kicks in.
it_consultant Member Posts: 1,903
I have to ask because I am hazy on this, why are the servers setting up routes at all? They should have a 0.0.0.0 route to the TZ 210 and that's it. Once the TZ 210 detects the failure it will erase the bad route - so it shouldn't matter who is redirecting where. We need to "step" on the router closest to the concerned network, this TZ 210 to be exact. The router in the main office should have 2 static routes weighted such that the fibre connection is tried first, then the VPN, sort of poor man's HSRP.
busines4u Member Posts: 67
The servers are located at the headquarters where the larger sonicwall is located, the default route is installed correctly but once the traffic goes from HQ to the branch a route gets installed on the servers due to the ping redirect.
it_consultant Member Posts: 1,903
What are the OS' of the servers? Can we disable the learning route behavior? I remember having this problem with SSL VPNs as a matter of fact, Windows would learn a bad route and screw things up. If you statically enter the routes to the remote office with weights I wonder if that would help. As it is now, the servers are only learning the Fiber route and are holding that in their routing table for as long as the cache is set for. That gives me another idea, can we set the timeout on the dynamic routes to something like 2 seconds...
busines4u Member Posts: 67
The OS' of the servers run Server 2003/2008, OS X Server and even some Windows XP / Mac OS X Client Operating Systems. We could potentially disable the learning of the route behavior but this would be a lot of changes to make to many servers. The routes are installed statically on the main SonicWall and it knows how to route the traffic when the fiber is up as well as when the VPN is up. It's just a matter of forcing the clients to have the SonicWall route all this traffic for them. Making changes on the servers will work I believe, but I was hoping that there would be something that I could do network-wise to correct this issue.
darkerosxx Banned Posts: 1,343
Bl8ckr0uter wrote:
> TZ 210 does support failover (Active passive). I actually have one sitting on my desk right now.
> Network Security, Firewall & Wireless - TZ 210 Series Appliance Details - SonicWALL, Inc.
> I see. I understand your problem now. Hmm, I am thinking maybe using virtual interfaces but I will look into this later on tonight. I need an excuse to take this bad boy home with me.
> EDIT: Hey is your TZ210 in transparent mode? Because if not I found your answer.
Yeah, router on a stick "sticks" out to me, pardon the pun.