Were you having problems with just secure downloads?
We are using the SonicWall Pro 2040 too and are having an issue with websites not loading properly or at all. The problem is not consistent and only happens on the Macs. It seems that the page is loading so slowly due to some filtering on the firewall that it times out. This is on all major browsers and versions (as far as I know).
This one rings a bell too. Poke around in that diag.html page (okay, back up your system settings first!), and try ticking any of the following.
- Ignore malformed TCP headers
- Clear DF Bit (don't fragment)
- Enable TCP packet option tagging
My (poor) memory thinks it's the first one that unleashed consistent downloads to our Macs. It's something their support staff guided me to last time, so if you're persistent with support, you could probably get it out of them.
Thanks for this!
I also had to call SonicWall and get the diag.html fix (enable enforcement on TCP window and set the max allowed TCP window to 256).
This fixed iTunes downloads and other downloads on Windows 7, but I started having issues with some sites like Skype and Yahoo not working with IE. I enabled the 3 ticks you mentioned and now everything appears to be working.
Spoke too soon. It appears I had to set the max TCP window to 512 in order for the websites like Wikipedia, Yahoo, go.microsoft.com, and Skype to work reliably.
"only boosted the download by 300Kbs"
Are you sure it is kilobits per second and not kilobytes per second?
300 KB/s (or 2.4 Mbps) is pretty darn good.
We've been pulling our hair out on this one for a long time. We went to SonicWall support and referenced this thread. They followed up with the following (they essentially said "give it a shot"):
If you are wanting to make the DPI modification listed you can do so following the directions below:
- log into the SonicWALL GUI
- Change the current address from http://XX.XX.XX.XX/main.html to http://XX.XX.XX.XX/diag.html
- Click Internal Settings
- Under Security Services Settings, locate and checkmark "Enable enforcement of a limit on maximum allowed advertised TCP window with any DPI-based service enabled"
- You may also want to uncheck the option directly below it: "Enforce Host Tag Search for CFS"
- Make sure to click Apply at the top of the page
Anyway, it seems to be working for us, but we're going to do a bit more testing (our max TCP window is still set at 64 - I'd like to see if there are any reliability issues with Wikipedia, Yahoo, go.microsoft.com, and Skype).
Those using third-party firewalls should bookmark the Apple web page "Well known TCP and UDP ports used by Apple software products" to know what ports on that firewall need to be opened.
Plus SSL uses port 443.
Message was edited by: satcomer
Thank you, thank you, thank you!! Just got a new iMac and was noticing terribly slow downloads from the updater. Put a new hard drive in my old iMac and was trying to download 1.3GB of updates to it. It had run for over 10 hours with an estimate of 27 hours remaining. Made this change, and the 27 hours dropped to 3 minutes.
And it finished in that...
For anyone on a Windows domain using Active Directory/DNS, you do not want to check this: Clear DF Bit (don't fragment).
I spent the better half of my day today trying to figure out why Windows machines were taking 30 minutes to log in at the "Applying personal settings" dialog as well as not updating DNS, not applying Group Policy objects and Microsoft Exchange failing to connect.
This setting seems to break Kerberos authentication, which is the default authentication method for AD. I believe it is because Kerberos will fragment packets if they are too large. If the client doesn't receive these fragmented packets in order, it will fail.
My Mac users are working now with simply enabling this: "Enable enforcement of a limit on maximum allowed advertised TCP window with any DPI-based service" and changing the window size from 64 to 256.
I just saw the same thing with a brand new MacBook Pro and a SonicWall TZ180. With help from SW tech guys, we discovered that turning off Gateway Virus, AntiSpam, and IPS fixed the problem. I wasn't happy though about opening such a gaping hole in the firewall, even if it was limited to the Mac (which supposedly suffers less from virus and spyware issues).
We finally found another solution. We reset the TCP MTU from 1500 to 1404 for a cable modem connection. That made the Mac happy, and solved the download issue.
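
The MTU change in the last post can be measured rather than guessed. The following is an added example, not part of the thread and not SonicWall tooling: it binary-searches the largest IPv4 packet that crosses a path with the DF bit set. The function names, the 576 to 1500 search range, the placeholder host and the simulated link are assumptions; the ping flags are the Linux (`-M do`) and macOS (`-D`) ones.

```python
import platform
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_probe(host):
    """Return probe(payload) that sends one DF-set ICMP echo with the system ping."""
    # DF flag differs per OS: macOS uses -D, Linux (iputils) uses -M do.
    df_flag = ["-D"] if platform.system() == "Darwin" else ["-M", "do"]

    def probe(payload):
        cmd = ["ping", "-c", "1", *df_flag, "-s", str(payload), host]
        try:
            return subprocess.run(cmd, capture_output=True, timeout=5).returncode == 0
        except subprocess.TimeoutExpired:
            return False
    return probe


def find_path_mtu(probe, low=576, high=1500):
    """Binary-search the largest IPv4 packet size that passes unfragmented.

    probe(payload) must return True when an echo with that ICMP payload size
    got a reply. Returns the MTU in bytes, or None if even `low` fails
    (host down or ICMP filtered, so no conclusion can be drawn).
    """
    lo, hi = low - IP_ICMP_OVERHEAD, high - IP_ICMP_OVERHEAD
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2      # round up so the loop always advances
        if probe(mid):
            lo = mid                  # fits: the limit is at or above mid
        else:
            hi = mid - 1              # too big: the limit is below mid
    return lo + IP_ICMP_OVERHEAD


def simulated_path(mtu):
    """Constructed stand-in for a real link: passes packets up to `mtu` bytes."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    # Offline demo with a constructed 1404-byte path, the value from the post.
    print(find_path_mtu(simulated_path(1404)))
    # Against a real host (placeholder name): find_path_mtu(ping_probe("host.example"))
```

A result below 1500 on a WAN link is the value to compare against the interface MTU configured on the firewall.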