High Availability: Idle / Standby appliance cannot pass traffic, WAN and LAN side.

03/26/2020 7 12635

DESCRIPTION:

You can notice by logging to the Idle / Standby unit that it cannot reach internet, the licensing servers or any host located behind the SonicWall. 
If you are going to System | Diagnostic | Check Network Settings, tick all boxes then clic Test All Selected all options will come back red. 

In a "best practice" environment where the HA pair is connected with the HA link, but connected as well into the same WAN switch and the same LAN switch. The switchports in the WAN switch where both X1 connect will be configured in the same VLAN. Same applies for X0 on the LAN switch.

CAUSE:

In the below exemple, both X1 of the Primary and Secondary are connected to switchports Fa0/3 and Fa0/4 on the WAN switch. Both are configured in the VLAN ID 10.

The same way, both X0 interfaces are connected to the same LAN switch on the switchports Fa0/5 and Fa0/6, configured in the VLAN ID 20.

There are some switch models that are able to learn only one MAC address per VLAN, from the switchport where the Active appliance is connected. The MAC address that is learned is the one displayed in the NSA High Availability->Monitoring->Interface X Monitoring Settings, under Virtual MAC.

RESOLUTION:

In the end that will only cause issues while troubleshooting from the Idle / Standby appliance, or to register it the first time or after a factory default because in an HA setup we only really need one appliance connected to internet. 

By failing over, the Secondary will become the active appliance and the Primary as Idle / Standby unit is the one that won't be able to pass traffic, LAN and WAN side, anymore.