Troubleshooting Network throughput, Latency, and Bandwidth Issues with a SonicWall UTM
06/13/2023
Description
This article gives a list of possible reasons causing throughput and performance issues in the SonicWall UTM appliance.
Each SonicWall UTM appliance series has different performance capabilities depending on hardware specifications such as the CPU, the RAM or the Flash memory. Check the particular device's capabilities before concluding that its performance issues are due to other factors.
You can find the information for your device on our Products Page.
CAUTION: Please keep in mind that Speed testing sites are not an accurate depiction of network throughput. There are many factors that impact throughput before packets egress the SonicWall and make the return trip to the host that's performing the speed test. We strongly recommend examining your network as a whole when troubleshooting any throughput issues.
Resolution
NOTE: Please perform the following steps in the order they're presented and test the throughput after each change.
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Maximum Transmission Unit (MTU) of the WAN interface of the SonicWall
- Click on Network on the top Navigation Menu.
- Click System | Interfaces and Configure the WAN interface in question.
The Maximum Transmission Unit size is the maximum size of an Ethernet frame being sent out through a network device. By default, this value is 1500 bytes but on xDSL and cable connections this value is often lowered to achieve a more stable connection and/or better performance. Common values are: 1492 SDSL / 1460 ADSL / 1404 Cable. The MTU value is changed in increments of 8 bytes. In the SonicWall WAN interface, this value is by default 1500 bytes.
TIP: Change the MTU size after determining the optimum MTU size in order to prevent unnecessary fragmentation. Refer to the following article to determine the optimum MTU value: How can I determine the MTU size of WAN interfaces to optimize throughput? | SonicWall
Fragment non-VPN outbound packets larger than this Interface's MTU
- Click on Network on the top Navigation Menu.
- Click on System | Interfaces and Configure the WAN interface in question.
This checkbox setting works in tandem with MTU and is enabled by default. Having this option enabled is a Best Practice and will help ensure the SonicWall isn't forwarding packets larger than the MTU that can be used on the Interface.
TIP: Enable this option under Network | System | Interfaces | WAN Interfaces | Advanced Tab
Ignore Don't Fragment (DF) Bit
- Click on Network on the top Navigation Menu.
- Click on System | Interfaces and Configure the WAN interface in question.
- Enabling this option would fragment packets even though the Don't Fragment bit is set. By default, this option is unchecked in the WAN interface advanced settings and it is recommended to keep it unchecked.
TIP: Keep this option disabled under Network | System | Interfaces | WAN Interfaces | Advanced Tab
Link Speed settings of the WAN and other Interfaces
- Click on Network on the top Navigation Menu.
- Click on System | Interfaces and Configure the WAN interface in question.
- By default, all Interfaces on the SonicWall are set to automatically detect link speed. However, in certain deployments, the link speed settings should be manually set according to the device connected to the Interface. Please contact your ISP or device manufacturer of the device connected to the WAN Interface to find their best Duplex and Link Speed settings. Incorrect duplex settings of your WAN, for instance, would have the following harmful effects.
- Unable to negotiate a connection with the ISP
- An Inconsistent Internet connection
- Dropped Packets
- Slow Throughput
TIP: Check with the manufacturer for all devices directly connected to a SonicWall Interface and make sure the Duplex and Link Speed Settings are optimally set. Change the relevant settings under Network | System | Interfaces | WAN interface | Advanced Tab.
Bandwidth Management
Make sure the Bandwidth Management is disabled on the LAN and WAN interfaces and on the access rules.
- To disable Bandwidth Management on the Interface, Click on Network | System | Interfaces (Edit LAN and WAN) | Advanced Tab.
- To disable Bandwidth Management on the Access Rules, click on Policy | Rules and Policies | Access Rules | Configure access rule from LAN to WAN | Traffic shaping and make sure Bandwidth Management is disabled.
Enable Fragmented Packet Handling in VPN Advanced Settings
- Click on Network on the top Navigation Menu.
- Navigate to IPsec VPN | Advanced.
- Enabling fragmentation (Enable Fragmented Packet Handling) would help SonicWall handle fragmented IPsec packets. This can affect SonicWall's WAN throughput if any VPN policies are configured and enabled, even if they aren't established.
TIP: It is recommended to enable this option and leave the Ignore DF Bit option unchecked under IPsec | Advanced on the SonicWall GUI.
Allow Fragmented Packets in Access Rules
- Click on Policy in the top Navigation menu.
- Navigate to Rules and Policies | Access rules and configure the desired access rule.
- This option is enabled by default and the best practice would be to keep it enabled.
TIP: Make sure that all Access Rules under Rules and Policies | Access Rules have the Allow Fragmented Packets Checkbox Enabled.
Check the Connections Monitor to determine whether hosts on the network are using a large number of connections
- Click on Monitor in the top Navigation menu.
- Navigate to Tools and Monitors | Connections.
- If a host in the network is infected with malware it will often open, at random, hundreds or thousands of connections to the Internet or internal resources.
The Connections monitor displays real-time views of all connections to and through the SonicWall security appliance, allowing you to find infected hosts and remove them from the network.
TIP: Isolate the affected host and remove it from the network.
Set Name Resolution to None
- Click Device on the Top Navigation menu.
- Navigate to Log | Name Resolution.
High traffic networks will result in high amounts of DNS queries for the SonicWall as it attempts to generate log entries. By default, the SonicWall will populate the DNS Address for log entries resulting from Security Services, firewall Access Rules, and the like.
TIP: Change Name Resolution under Device | Log | Name Resolution to None.
Performance Optimized Security Services
- Click Policy on the Top Navigation menu.
- Navigate to Security Services | Summary.
- For throughput Best Practices we recommend disabling Enhanced Security. This will inspect and block packets that match Signatures of Medium or High Priority Threat probability. Blocking Low Threat Probability traffic will unnecessarily drop packets such as ICMP and is not recommended for most deployments.
TIP: Also Disable Low Priority Attacks under Prevent All for both Intrusion Prevention and Anti-Spyware.
Path Ping to a Remote Network
To help rule out or prove an issue with a device or network above the SonicWall you can use Path Ping. This command line utility will both Ping and track the latency on the route to a target destination, giving you feedback on whether a particular hop is latent, packets are being incorrectly routed, etc.
TIP: Perform a Path Ping to the network or IP Address that you're testing to. https://technet.microsoft.com/en-us/library/bb490964.aspx
Physical Network
- If the above troubleshooting fails to yield an increase in throughput, it is often necessary to try removing the SonicWall from the physical network and retest the speeds. Increases in throughput when removing the SonicWall from the physical network are expected but it is important to have information on speeds with and without the SonicWall in place for further troubleshooting. It can also be beneficial to directly connect a host to the ISP handoff device and test for a throughput issue on the ISP side.
NOTE: If speed tests show higher speeds with a host directly connected to the ISP modem/handoff device, check if the host is getting a private IP (DHCP). If the host is assigned with a private IP (DHCP) from the ISP modem, configure the WAN interface in DHCP mode instead of Static IP and test the speeds.
- Furthermore, we recommend doing an iPerf Test on the SonicWall to test for physical issues on the SonicWall's Interfaces. This requires that the SonicWall be taken out of the network line temporarily in order to avoid involving other network devices that could alter the results.
TIP: Remove the SonicWall from the physical network after getting a baseline of the network throughput. Test the throughput using the same tools and note the difference. While the SonicWall is out of the network, perform an iPerf Test: How to use iPerf to measure throughput on a SonicWall device? | SonicWall
NOTE: Please perform the following steps in the order they're presented and test the throughput after each change.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Maximum Transmission Unit (MTU) of the WAN interface of the SonicWall
- Click Manage in the top navigation menu.
- Click Network | Interfaces and open the Interface in question.
The Maximum Transmission Unit size is the maximum size of an Ethernet frame being sent out through a network device. By default this value is 1500 bytes but on xDSL and cable connections this value is often lowered to achieve a more stable connection and/or better performance. Common values are: 1492 SDSL / 1460 ADSL / 1404 Cable. The MTU value is changed in increments of 8 bytes. In the SonicWall WAN interface this value is by default 1500 bytes.
TIP: Change the MTU size after determining the optimum MTU size in order to prevent unnecessary fragmentation. Refer to the following article to determine the optimum MTU value: Determining the MTU Value for Your Internet Connection.
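The MTU determination referred to in both the SonicOS 7.X and 6.5 MTU sections comes down to sending pings with the Don't Fragment bit set and finding the largest one that gets through. The following is an added example, not SonicWall's own tooling: it binary-searches that size and adds the 28 bytes of IPv4 and ICMP headers to get the MTU. The function names, the `simulated_link` stand-in and the placeholder address `192.0.2.1` are assumptions made for the example; `ping_df` supports Windows and Linux `ping` only.

```python
import platform
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_df(host, payload, timeout=5):
    """Send one ICMP echo of `payload` bytes with DF set; True if a reply arrived."""
    if platform.system() == "Windows":
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1", host]
    else:  # Linux iputils ping
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", host]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             errors="replace", timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return False
    # Echo replies carry "ttl=" / "TTL="; "needs to be fragmented" errors do not.
    return out.returncode == 0 and "ttl=" in out.stdout.lower()


def find_path_mtu(probe, low=576, high=1500):
    """Binary-search the largest MTU in [low, high] whose DF probe succeeds.

    `probe(payload_bytes)` returns True when the packet passed unfragmented.
    Returns None when even the `low` MTU does not get through.
    """
    lo, hi = low - IP_ICMP_OVERHEAD, high - IP_ICMP_OVERHEAD
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo + IP_ICMP_OVERHEAD


def simulated_link(path_mtu):
    """Constructed stand-in for a real path: passes packets up to `path_mtu`."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    # Offline demo against a constructed 1492-byte path.
    print(find_path_mtu(simulated_link(1492)))
    # Live use (192.0.2.1 is a placeholder; substitute a host beyond the WAN):
    # print(find_path_mtu(lambda p: ping_df("192.0.2.1", p)))
```

A result of `None` from a live run can also mean that ICMP echo is filtered somewhere on the path, so confirm that a small ping to the same host succeeds before trusting it.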
Fragment non-VPN outbound packets larger than this Interface's MTU
- Click Manage in the top navigation menu.
- Click Network | Interfaces and open the Interface in question.
This checkbox setting works in tandem with MTU, and is enabled by default. Having this option enabled is a Best Practice and will help ensure the SonicWall isn't forwarding packets larger than the MTU that can be used on the Interface.
TIP: Enable this option under Network | Interfaces | WAN Interface | Advanced Tab.
Ignore Don't Fragment (DF) Bit
- Click Manage in the top navigation menu.
- Navigate to Network | Interfaces and open the Interface in question.
- Enabling this option would fragment packets even though the Don't Fragment bit is set. By default this option is unchecked in the WAN interface advanced settings and it is recommended to keep it unchecked.
TIP: Disable this option under Network | Interfaces | WAN Interface | Advanced Tab.
Link Speed settings of the WAN and other Interfaces
- Click Manage in the top navigation menu.
- Click Network | Interfaces and open the Interface in question.
- By default, all Interfaces on the SonicWall are set to automatically detect link speed. However, in certain deployments, the link speed settings should be manually set according to the device connected to the Interface. Please contact your ISP or device manufacturer of the device connected to the WAN Interface to find their best Duplex and Link Speed settings. Incorrect duplex settings of your WAN, for instance, would have the following harmful effects.
- Unable to negotiate a connection with the ISP
- An Inconsistent Internet connection
- Dropped Packets
- Slow Throughput
Bandwidth Management
- Click Manage in the top navigation menu.
- Navigate to Firewall Settings | Bandwidth Management.
- You can apply bandwidth management to both outbound and inbound traffic on the Interfaces associated with the WAN Zone. Enabling it entails entering the bandwidth values (in Kbps) available for the Interface. Bandwidth management will cause throughput degradation if incorrectly configured.
EXAMPLE: If Bandwidth Management has been enabled on an Interface without specifying the bandwidth values, inbound and outbound traffic traversing that link will be throttled to the default values (384Kbps).
TIP: Disable Bandwidth Management if not required via Firewall Settings | Bandwidth Management on the SonicWall GUI.
Enable Fragmented Packet Handling in VPN Advanced Settings
- Click Manage in the top navigation menu.
- Navigate to VPN | Advanced Settings.
- Enabling fragmentation would help SonicWall handle fragmented IPsec packets. This can affect the SonicWall's WAN throughput if any VPN policies are configured and Enabled, even if they aren't established.
TIP: It is recommended to enable this option and leave the Ignore DF Bit option unchecked under VPN | Advanced Settings on the SonicWall GUI.
Allow Fragmented Packets in Access Rules
- Click Manage in the top navigation menu.
- Navigate to Rules | Access Rules and configure the desired access rule.
- This option is Enabled by default and the best practice would be to keep it enabled.
TIP: Make sure that all Access Rules under Rules | Access Rules have the Allow Fragmented Packets Checkbox Enabled.
Check the Connections Monitor to determine whether hosts on the network are using a large number of connections
- Click Investigate in the top navigation menu.
- Click Connections Logs.
- If a host in the network is infected with malware it will often open, at random, hundreds or thousands of connections to the Internet or internal resources. The Connections Monitor displays real-time views of all connections to and through the SonicWall security appliance allowing you to find infected hosts and remove them from the network.
TIP: Isolate the affected host and remove it from the network. The Connection Monitor is available under Investigate in the top navigation menu | Connection Logs.
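The Connections Monitor check described above (in both the SonicOS 7.X and 6.5 sections) can be repeated on an exported connection list by counting connections per source host and flagging the outliers. The following is an added example, not SonicWall code; the CSV column names (`Src IP`, `Dst IP`, `Dst Port`), the thresholds and the sample data are constructed assumptions, so adjust the column names to match your actual export.

```python
import csv
import io
from collections import Counter, defaultdict
from statistics import median

HEADER = "Src IP,Src Port,Dst IP,Dst Port,Protocol"


def build_sample():
    """Constructed export: three ordinary hosts and one opening 400 connections."""
    rows = [HEADER]
    for host, n in (("10.0.0.11", 6), ("10.0.0.12", 9), ("10.0.0.13", 4)):
        rows += [f"{host},{50000 + i},203.0.113.10,443,TCP" for i in range(n)]
    rows += [f"10.0.0.66,{40000 + i},198.51.100.{i % 250 + 1},443,TCP"
             for i in range(400)]
    return "\n".join(rows)


def flag_heavy_hosts(csv_text, factor=10, floor=100):
    """Return (host, connections, distinct_destinations) for outlier hosts.

    A host is flagged when its connection count reaches both `floor` and
    `factor` times the median per-host count, so a uniformly busy network
    does not flag every host.
    """
    per_host = Counter()
    dests = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = row["Src IP"]
        per_host[src] += 1
        dests[src].add((row["Dst IP"], row["Dst Port"]))
    if not per_host:
        return []
    limit = max(floor, factor * median(per_host.values()))
    return [(host, count, len(dests[host]))
            for host, count in per_host.most_common() if count >= limit]


if __name__ == "__main__":
    for host, count, distinct in flag_heavy_hosts(build_sample()):
        print(f"{host}: {count} connections to {distinct} distinct destinations")
```

A high count spread over many distinct destinations is the pattern the article describes; a high count to a single destination is more often a busy but legitimate client such as a backup job.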
Set Name Resolution to None
- Click Manage in the top navigation menu.
- Navigate to Log Settings | Name Resolution.
High traffic networks will result in high amounts of DNS queries for the SonicWall as it attempts to generate log entries. By default, the SonicWall will populate the DNS Address for log entries resulting from Security Services, firewall Access Rules, and the like.
TIP: Change Name Resolution under Log Settings | Name Resolution to None.
Performance Optimized Security Services
- Click Manage in the top navigation menu.
- Navigate to Security Services | Base Setup.
- For throughput Best Practices we recommend setting the Security Services Settings to Performance Optimized. This will inspect and block packets that match Signatures of Medium or High Priority Threat probability. Blocking Low Threat Probability traffic will unnecessarily drop packets such as ICMP and is not recommended for most deployments.
TIP: Change Security Services Settings under Security Services | Base Setup to Performance Optimized. Also Disable Low Priority Attacks under Prevent All for both Intrusion Prevention and Anti-Spyware.
Path Ping to a Remote Network
- To help rule out or prove an issue with a device or network above the SonicWall you can use Path Ping. This command line utility will both Ping and track the latency on the route to a target destination, giving you feedback on whether a particular hop is latent, packets are being incorrectly routed, etc.
TIP: Perform a Path Ping to the network or IP Address that you're testing to. You can find out more about Path Ping by reading the linked Microsoft Technet Article.
Physical Network
- If the above troubleshooting fails to yield an increase in throughput, it is often necessary to try removing the SonicWall from the physical network and retest the speeds. Increases in throughput when removing the SonicWall from the physical network are expected but it is important to have information on speeds with and without the SonicWall in place for further troubleshooting. It can also be beneficial to directly connect a host to the ISP handoff device and test for a throughput issue on the ISP side.
NOTE: If speed tests show higher speeds with a host directly connected to the ISP modem/handoff device, check if the host is getting a private IP (DHCP). If the host is assigned with a private IP (DHCP) from the ISP modem, configure the WAN interface in DHCP mode instead of Static IP and test the speeds.
- Furthermore, we recommend doing an iPerf Test on the SonicWall to test for physical issues on the SonicWall's Interfaces. This requires that the SonicWall be taken out of the network line temporarily in order to avoid involving other network devices that could alter the results.
TIP: Remove the SonicWall from the physical network after getting a baseline of the network throughput. Test the throughput using the same tools and note the difference. While the SonicWall is out of the network, perform an iPerf Test: How to Use iPerf to Measure Throughput on a SonicWall.