Includes: SonicWAL NSA 220 Stateful HA High Availability and Expansion Upgrade, must be paired with a standard NSA 220 appliance, License (activation) upgrade
What is Stateful High Availability?
The original version of SonicOS Enhanced provided a basic High Availability feature where a Backup firewall assumes the interface IP addresses of the configured interfaces when the Primary unit fails. Upon failover, layer 2 broadcasts are issued (ARP) to inform the network that the IP addresses are now owned by the Backup unit. All pre-existing network connections must be rebuilt. For example, Telnet and FTP sessions must be re-established and VPN tunnels must be renegotiated.
Stateful High Availability (SHA) provides dramatically improved failover performance. The Primary and Backup appliances are continuously synchronized so that the Backup can seamlessly assume all network responsibilities if the Primary appliance fails, with no interruptions to existing network connections.
Stateful High Availability provides the following benefits:
• Improved reliability - By synchronizing most critical network connection information, Stateful High Availability prevents down time and dropped connections in case of appliance failure.
• Faster failover performance - By maintaining continuous synchronization between the Primary and Backup appliances, Stateful High Availability enables the Backup appliance to take over in case of a failure with virtually no down time or loss of network connections.
• Minimal impact on CPU performance - Typically less than 1% usage.
• Minimal impact on bandwidth - Transmission of synchronization data is throttled so as not interfere with other data.
How Does Stateful High Availability Work?
Stateful High Availability is not load-balancing. It is an active-idle configuration where the Primary appliance handles all traffic. When Stateful High Availability is enabled, the Primary appliance actively communicates with the Backup to update most network connection information. As the Primary appliance creates and updates network connection information (VPN tunnels, active users, connection cache entries, etc.), it immediately informs the Backup appliance. This ensures that the Backup appliance is always ready to transition to the Active state without dropping any connections.
The synchronization traffic is throttled to ensure that it does not interfere with regular network traffic. All configuration changes are performed on the Primary appliance and automatically propagated to the Backup appliance. The High Availability pair uses the same LAN and WAN IP addresses—regardless of which appliance is currently Active.
When using SonicWALL Global Management System (GMS) to manage the appliances, GMS logs into the shared WAN IP address. In case of a failover, GMS administration continues seamlessly, and GMS administrators currently logged into the appliance will not be logged out, however Get and Post commands may result in a timeout with no reply returned.
Stateful and Non-Stateful High Availability Prerequisites
Your network environment must meet the following prerequisites before configuring Stateful High Availability or non-stateful High Availability:
| • ||The Primary and Backup appliances must be the same model. Mixing and matching SonicWALLs of different hardware types is not currently supported.|
| • ||It is strongly recommended that the Primary and Backup appliances run the same version of SonicOS Enhanced firmware; system instability may result if firmware versions are out of sync, and all High Availability features may not function completely. High Availability is only supported on the SonicWALL security appliances running SonicOS Enhanced. It is not supported in any version of SonicOS Standard.|
| • ||On SonicWALL appliances that support the PortShield feature (SonicWALL TZ series and NSA 240), High Availability can only be enabled if PortShield is disabled on all interfaces of both the Primary and Backup appliances.|
| • ||Both units must be registered and associated as a High Availability pair on MySonicWALL before physically connecting them.|
| • ||The WAN virtual IP address and interfaces must use static IP addresses.|
| Warning ||SonicWALL High Availability does not support dynamic IP address assignment from your ISP.|
| • ||Three LAN IP addresses are required:|
| – ||LAN Virtual IP Address - Configured on the X0 interface of the Primary unit. This is the default gateway for all devices configured on the LAN. Accessing the management interface with this IP address will log you into the appliance that is Active whether it is the Primary unit or Backup unit.|
| – ||Primary LAN Management IP Address - Configured under High Availability > Monitoring. This is the IP address used for managing the Primary unit over the LAN interface, regardless of the Active or Idle status of the unit.|
| – ||Backup LAN Management IP Address - Configured under High Availability > Monitoring. This is the IP address used for managing the Backup unit over the LAN interface, regardless of the Active or Idle status of the unit.|
| • ||At least one WAN IP address is required:|
| – ||WAN Virtual IP Address - Configured on the X1 Interface of the Primary unit. Accessing the management interface with this IP address will log you into the appliance that is Active whether it is the Primary unit or Backup unit|
| – ||Primary WAN Management IP Address (Optional) - Configured under High Availability > Monitoring. This is the IP address used for managing the Primary unit over the WAN interface, regardless of the Active or Idle status of the unit. This requires that you have an additional routable IP address available. This is optional, as you can always manage the Active unit with one static WAN IP address.|
| – ||Backup WAN Management IP Address (Optional) - Configured under High Availability > Monitoring. This is the IP address used for managing the Backup unit over the WAN interface, regardless of the Active or Idle status of the unit. This requires that you have an additional routable IP address available. This is optional, as you can always manage the Active unit with one static WAN IP address.|
If using only a single WAN IP, note that the Backup device, when in Idle mode, will not be able to use NTP to synchronize its internal clock.
| Note ||When HA Monitoring/Management IP addresses are configured only on WAN interfaces, they need to be configured on all the WAN interfaces for which a Virtual IP address has been configured.|
If you will not be using Primary/Backup WAN Management IP address, make sure each entry field is set to ‘0.0.0.0’ (in the High Availability > Monitoring Page) – the SonicWALL will report an error if the field is left blank.
| Note ||If each SonicWALL has a Primary/Backup WAN Management IP address for remote management, the WAN IP addresses must be in the same subnet. If shifting a previously assigned interface to act as a unique WAN interface, be sure to remove any custom NAT policies that were associated with that interface before configuring it.|