Previous 1 2 Next 18 Replies Latest reply: Aug 21, 2012 6:05 PM by DefaultIT
Thomas Moy1 Level 1 (5 points)
I spent the last two weeks working on this with SonicWALL support, so I thought I would post the solution.

Our office found that our SonicWALL Pro 2040 began interfering with secure downloads within apps somewhere in late July 2010. Things like Gmail attachments (over https), iTunes purchases and downloads, Apple Software Update downloads, and other in-app updates and downloads. These would load up ~1MB at full internet speed, then slow to a trickle or virtually stop. Maybe a few minutes later, the download would resume.

If I disabled the SonicWALL's security services, (Gateway Antivirus, Intrusion Prevention, Anti-Spyware), the problem would go away. We went as far as upgrading our Pro 2040 to the latest NS 2400, and it too came with the same issue the moment we turned on the security services.

The fix was not available in the Pro 2040's Enhanced (4.2.1.0-20e) firmware. But the NS 2400 with the latest Enhanced firmware (5.5.2.1-5o) has a hidden setting which can be ticked and it solved our problem. Login to the SonicWALL admin page, then change ending portion of the URL from /main.html to /diag.html. Click Internal Settings > Scroll down to Security Services Settings > the tick the Enable enforcement of a limit on maximum allowed advertised TCP window with any DPI-based service enabled.

That's it. Hope this helps someone.

Mac Pro 2008, Mac OS X (10.6.4), SonicWALL vs. iTunes and Software Update
  • DLR Level 3 (680 points)
    were you having problems with just secure downloads?

    We are using the SonicWall Pro 2040 too and are having an issue with websites not loading properly or at all. The problem is not consistent and only happens on the Macs. It seems that page is loading so slow due to some filtering on the firewall that it times out. This is on all major browsers and versions (as far as I know).
  • Thomas Moy1 Level 1 (5 points)
    This one rings a bell too. Poke around in that diag.html page (okay, backup your system settings first!), and try ticking either of the following.

    Ignore malformed TCP headers
    Clear DF Bit (don't fragment)
    Enable TCP packet option tagging

    My (poor) memory thinks it's the first one that unleashed consistent downloads to our Macs. It's something their support staff guided me to last time, so if you're persistent with support, you could probably get it out of them.

    Good luck.
  • James Devaney Level 1 (25 points)
    Thank you for this, sonicwall was no help. My developer tools download just went from 6 days to 1 hour on the estimated download time.
  • jperez333 Level 1 (0 points)
    Hey guys,

    I am having the same problem with my environment, are there any other tips to help this problem. I did the diag.html trick, but it only boosted the download by 300Kbs. Your help is greatly appreciated.
  • Damon Betlow Level 1 (0 points)
    Thanks for this!

    I also had to call Sonicwall and get the diag.html fix (enable enforcement on TCP window and set the max allowed TCP window to 256.

    This fixed iTunes downloads and other downloads on Windows 7, but I started having issues with some sites like Skype and Yahoo not working with IE. I enabled the 3 ticks you mentioned and now everything appears to be working.
  • Damon Betlow Level 1 (0 points)
    Spoke too soon. It appears I had to set the max TCP window to 512 in order for the websites like Wikipedia, Yahoo, go.microsoft.com, and Skype to work reliably.

    "only boosted the download by 300Kbs"

    Are you sure it is kilobits per second and not kilobytes per second?

    300 KB/s (or 2.4 Mbps) is pretty darn good.
  • me_is Level 1 (0 points)
    We've been pulling our hair out on this one for a long time. We went to SonicWall support and referenced this thread. They followed up with the following (they essentially said "give it a shot"):

    --

    If you are wanting to make the DPI modification listed you can do so following the directions below:

    - log into the SonicWALL GUI
    - Change the current address from http://XX.XX.XX.XX/main.html to http://XX.XX.XX.XX/diag.html
    - Click Internal Settings
    - Under Security Services Settings locate and checkmark Enable enforcement of a limit on maximum allowed advertised TCP window with any DPI-based service enabled
    - You may also want to uncheck the option directly below it
    - Enforce Host Tag Search for CFS
    - Make sure to click Apply at the top of the page

    --

    Anyway it seems to be working for us. but we're going to do a bit more testing (our max TCP window is still set at 64 - I'd like to see if there are any reliability issues with Wikipedia, Yahoo, go.microsoft.com, and Skype)
  • satcomer Level 4 (1,110 points)
    For those using third party firewalls should bookmark the Apple web page Well known TCP and UDP ports used by Apple software products to know what ports on that firewall need to opened.

    Plus SSL uses port 443.

    Message was edited by: satcomer
  • Bozo777 Level 1 (0 points)
    Thank you, thank you, thank you!! Just got a new iMac and was noticing terribly slow downloads from the updater. Put a new hard drive in my old iMac and was trying to download 1.3GB of updates to it. It had run for over 10 hours with an estimate of 27 hours remaining. Made this change, and the 27 hours dropped to 3 minutes.

    And it finished in that...

    Whew!!
  • marcusthirty Level 1 (0 points)
    Hey DLR -

    Did you happen to resolve this issue? We are having the same problem when connecting to a particular server while behind our firewall here at the office.

    Thanks.
  • morrty Level 1 (0 points)

    For anyone that is on a Windows Domain using Active Directory/DNS then you do not want to check this: Clear DF Bit (don't fragment).

     

    I spent the better half of my day today trying to figure out why Windows machines were taking 30 minutes to login at the "Applying personal settings" dialog as well as not updating DNS, not applying Group Policy objects and Microsoft Exchange failing to connect.

     

    This setting seems to break Kerberos authentication which is the default authentication method for AD. I believe it is because Kerberos will fragment packets if it is too large. If the client doesn't receive these fragmented packets in order, it will fail.

     

    My mac users are working now with simply enabling this: Enable enforcement of a limit on maximum allowed advertised TCP window with any DPI-based service and changing the window size from 64 to 256.

  • rogersmithiii Level 1 (0 points)

    I just saw the same thing with a brand new Mac Book Pro, and a Sonicwall TZ180.  With help from SW tech guys, we discovered that turning off Gateway Virus, AntiSpam, and IPS fixed the problem.  I wasn't happy though about opening such a gaping hole in the firewall, even if it was limited to the Mac (which supposedly suffers less from virus and spyware issues).

     

    We finally found another solution.  We reset the TCP MTU from 1500 to 1404 for a cable modem connection.  That made the Mac happy, and solved the download issue. 

     

    Rog

  • rogersmithiii Level 1 (0 points)

    BTW, the TZ180 didn't have the setting that was recommended above, so I had no way of testing that particular fix.

  • morrty Level 1 (0 points)

    @rogersmithiii

     

    Do you have the enhanced OS or the standard OS? It should have the setting if you're on enhanced.

Previous 1 2 Next