Want to highlight a helpful answer? Upvote!

Did someone help you, or did an answer or User Tip resolve your issue? Upvote by selecting the upvote arrow. Your feedback helps others! Learn more about when to upvote >

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Thomas Moy1
Thomas Moy1 Author
User level: Level 1
9 points

SonicWALL slows iTunes downloads, Software Update and Gmail attachments

I spent the last two weeks working on this with SonicWALL support, so I thought I would post the solution.

Our office found that our SonicWALL Pro 2040 began interfering with secure downloads within apps somewhere in late July 2010. Things like Gmail attachments (over https), iTunes purchases and downloads, Apple Software Update downloads, and other in-app updates and downloads. These would load up ~1MB at full internet speed, then slow to a trickle or virtually stop. Maybe a few minutes later, the download would resume.

If I disabled the SonicWALL's security services, (Gateway Antivirus, Intrusion Prevention, Anti-Spyware), the problem would go away. We went as far as upgrading our Pro 2040 to the latest NS 2400, and it too came with the same issue the moment we turned on the security services.

The fix was not available in the Pro 2040's Enhanced (4.2.1.0-20e) firmware. But the NS 2400 with the latest Enhanced firmware (5.5.2.1-5o) has a hidden setting which can be ticked and it solved our problem. Login to the SonicWALL admin page, then change ending portion of the URL from /main.html to /diag.html. Click Internal Settings > Scroll down to Security Services Settings > the tick the Enable enforcement of a limit on maximum allowed advertised TCP window with any DPI-based service enabled.

That's it. Hope this helps someone.

Mac Pro 2008, Mac OS X (10.6.4), SonicWALL vs. iTunes and Software Update

Posted on Sep 7, 2010 11:01 AM

Reply
18 replies
User profile for user: DLR
DLR
User level: Level 3
697 points

Sep 10, 2010 12:43 PM in response to Thomas Moy1

were you having problems with just secure downloads?

We are using the SonicWall Pro 2040 too and are having an issue with websites not loading properly or at all. The problem is not consistent and only happens on the Macs. It seems that page is loading so slow due to some filtering on the firewall that it times out. This is on all major browsers and versions (as far as I know).
Reply
User profile for user: Thomas Moy1
Thomas Moy1 Author
User level: Level 1
9 points

Sep 10, 2010 3:24 PM in response to DLR

This one rings a bell too. Poke around in that diag.html page (okay, backup your system settings first!), and try ticking either of the following.

Ignore malformed TCP headers
Clear DF Bit (don't fragment)
Enable TCP packet option tagging

My (poor) memory thinks it's the first one that unleashed consistent downloads to our Macs. It's something their support staff guided me to last time, so if you're persistent with support, you could probably get it out of them.

Good luck.
Reply
User profile for user: Damon Betlow
Damon Betlow
User level: Level 1
0 points

Nov 18, 2010 8:33 AM in response to Thomas Moy1

Thanks for this!

I also had to call Sonicwall and get the diag.html fix (enable enforcement on TCP window and set the max allowed TCP window to 256.

This fixed iTunes downloads and other downloads on Windows 7, but I started having issues with some sites like Skype and Yahoo not working with IE. I enabled the 3 ticks you mentioned and now everything appears to be working.
Reply
User profile for user: me_is
me_is
User level: Level 1
0 points

Dec 7, 2010 6:59 AM in response to Thomas Moy1

We've been pulling our hair out on this one for a long time. We went to SonicWall support and referenced this thread. They followed up with the following (they essentially said "give it a shot"):

--

If you are wanting to make the DPI modification listed you can do so following the directions below:

- log into the SonicWALL GUI
- Change the current address from http://XX.XX.XX.XX/main.html to http://XX.XX.XX.XX/diag.html
- Click Internal Settings
- Under Security Services Settings locate and checkmark Enable enforcement of a limit on maximum allowed advertised TCP window with any DPI-based service enabled
- You may also want to uncheck the option directly below it
- Enforce Host Tag Search for CFS
- Make sure to click Apply at the top of the page

--

Anyway it seems to be working for us. but we're going to do a bit more testing (our max TCP window is still set at 64 - I'd like to see if there are any reliability issues with Wikipedia, Yahoo, go.microsoft.com, and Skype)
Reply
User profile for user: Bozo777
Bozo777
User level: Level 1
0 points

Dec 23, 2010 9:30 PM in response to Thomas Moy1

Thank you, thank you, thank you!! Just got a new iMac and was noticing terribly slow downloads from the updater. Put a new hard drive in my old iMac and was trying to download 1.3GB of updates to it. It had run for over 10 hours with an estimate of 27 hours remaining. Made this change, and the 27 hours dropped to 3 minutes.

And it finished in that...

Whew!!
Reply
User profile for user: morrty
morrty
User level: Level 1
0 points

Oct 31, 2011 11:50 AM in response to Thomas Moy1

For anyone that is on a Windows Domain using Active Directory/DNS then you do not want to check this: Clear DF Bit (don't fragment).


I spent the better half of my day today trying to figure out why Windows machines were taking 30 minutes to login at the "Applying personal settings" dialog as well as not updating DNS, not applying Group Policy objects and Microsoft Exchange failing to connect.


This setting seems to break Kerberos authentication which is the default authentication method for AD. I believe it is because Kerberos will fragment packets if it is too large. If the client doesn't receive these fragmented packets in order, it will fail.


My mac users are working now with simply enabling this: Enable enforcement of a limit on maximum allowed advertised TCP window with any DPI-based service and changing the window size from 64 to 256.

Reply
User profile for user: rogersmithiii
rogersmithiii
User level: Level 1
0 points

Jan 11, 2012 3:28 PM in response to Thomas Moy1

I just saw the same thing with a brand new Mac Book Pro, and a Sonicwall TZ180. With help from SW tech guys, we discovered that turning off Gateway Virus, AntiSpam, and IPS fixed the problem. I wasn't happy though about opening such a gaping hole in the firewall, even if it was limited to the Mac (which supposedly suffers less from virus and spyware issues).


We finally found another solution. We reset the TCP MTU from 1500 to 1404 for a cable modem connection. That made the Mac happy, and solved the download issue.


Rog

Reply

SonicWALL slows iTunes downloads, Software Update and Gmail attachments

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up