Unable to access certain websites, either slow or completely failing.
09/29/2023
Description
Unable to access certain websites, either slow or completely failing.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
- Check MTU settings on the WAN interface(s). An incorrect MTU is the most common cause of web browsing issues through SonicWall UTM appliances.
Go to Network | System | Interfaces and click the pencil to edit the configuration.
Select Advanced tab | Interface MTU.
TIP: UTM: How to change the MTU size on the SonicWall UTM appliance? and UTM: How to Optimize PPPoE MTU?
- Check LAN to WAN access rules by navigating to Policy | Rules and Policies | Access rules. By default, the action is set to Allow for any source and any destination. Check whether you have any deny policies for the website or the local machine IP address.
- Determine if CFS is blocking the site in question due to policy. If CFS is being used, then it may be blocking the traffic to the site you are attempting to reach. Ensure that the Security Services log category is configured for logging on the Device | Log | Settings configuration screen and then check your logs for indications of CFS blocking. After determining that CFS is blocking due to policy, you must modify the categories or create a domain exclusion to allow the traffic.
TIP: For info on Content Filtering Service (CFS) 3.0 for SonicOS 5.8 and above.
- Determine if CFS is blocking due to lack of host header in the first HTTP packet. CFS checks the Hostname listed in the HTTP host header to determine the category of the site in question. If the first HTTP packet does not include the complete host header, then CFS will drop the connection without logging. If you are able to access the site without CFS enabled, this may be the cause. In this case, you must toggle the Enforce Host Tag Search for CFS setting on the diag.html page of the management GUI. It is recommended that you contact SonicWall technical support for assistance with this operation.
- Check the Enable HTTP Byte-Range requests with Gateway AV setting. By default, the SonicWall GAV suppresses the use of HTTP byte-range requests to prevent the sectional retrieval and reassembly of potentially malicious content. This is done by terminating the connection, thus preventing the user from receiving the malicious payload. Enabling this option overrides that default behavior.
- Navigate to Policy | Security Services | Gateway Anti-Virus | Configure.
- Check the logs on the firewall to determine if the website is being blocked or denied by any of the other security services on the firewall. If you know the website IP address or the local machine IP address, type it in the search bar on the logs to find the relevant entries quickly. If you find the entry in the logs, you can navigate to the respective security service and add exclusions if it's a legitimate website. If you do not find the entry, kindly follow the next step.
NOTE: The Logging level should be set to Inform and alert level to Alert.
- If not Content Filtering services, disable the other security services one by one and test the access to the website.
Intrusion Prevention.
Geo-IP filter.
App control.
App rules.
If you find the website is accessible after disabling any of the security services, then you can add exclusions to that respective security service either with IP address of the website or by adding the FQDN.
- Kindly check the DNS server being used on the Local machines. If it is an internal DNS server or DNS server provided by the ISP, kindly test on a Local machine by changing the DNS to public DNS on the Ethernet adapter. (Example: 8.8.8.8)
- Do a trace route to the website IP address or FQDN and determine whether it is reachable.
You can see whether the ICMP packets are effectively being transmitted to the destination or not.
- You need to run a packet capture on the firewall to determine the traffic flow. Kindly follow the KB article for utilizing the packet monitor.
How can I setup and utilize the Packet Monitor feature for troubleshooting?
- Bypass the SonicWall properly and test the access to the website. Connect a PC directly to the ISP modem via Ethernet cable. If you have assigned a Static IP on the active WAN interface on the firewall, use the same Static IP address, default gateway and DNS servers on the PC adapter which is connected to the ISP modem. If you have assigned DHCP mode on the active WAN interface, then you can directly test it.
TIP: Unable to access City or State Sponsored sites such as www.state.nj.us behind a SonicWall firewall: Unable To Access City Or State Sponsored Sites Behind A SonicWall Firewall.
- Even after following all the above steps, if you are still not able to access the website or determine the root cause from the packet capture, you can contact our Technical Support.
There are two ways to contact technical support:
1. Online: Visit mysonicwall.com. Once logged in select Resources & Support | Support | Create Case.
2. By phone: please use our toll-free number at 1-888-793-2830. Please have your SonicWall serial number available to create a new support case.
If you do not have a mysonicwall.com account create one for free!
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
- Check MTU settings on the WAN interface(s). An incorrect MTU is the most common cause of web browsing issues through SonicWall UTM appliances.
Go to Manage | Network | Interfaces and click the pencil to edit the configuration.
Select Advanced tab | Interface MTU.
TIP: UTM: How to change the MTU size on the SonicWall UTM appliance? and UTM: How to Optimize PPPoE MTU?
- Check LAN to WAN access rules by navigating to Policy | Rules and Policies | Access rules. By default, the action is set to Allow for any source and any destination. Check whether you have any deny policies for the website or the local machine IP address.
- Determine if CFS is blocking the site in question due to policy. If CFS is being used, then it may be blocking the traffic to the site you are attempting to reach. Ensure that the Security Services log category is configured for logging on the Manage | Log Settings | Base Setup configuration screen and then check your logs for indications of CFS blocking. After determining that CFS is blocking due to policy, you must modify the categories or create a domain exclusion to allow the traffic.
TIP: For info on Content Filtering Service (CFS) 3.0 for SonicOS 5.8 and above.
- Determine if CFS is blocking due to lack of host header in the first HTTP packet. CFS checks the Hostname listed in the HTTP host header to determine the category of the site in question. If the first HTTP packet does not include the complete host header, then CFS will drop the connection without logging. If you are able to access the site without CFS enabled, this may be the cause. In this case, you must toggle the Enforce Host Tag Search for CFS setting on the diag.html page of the management GUI. It is recommended that you contact SonicWall technical support for assistance with this operation.
- Check the Enable HTTP Byte-Range requests with Gateway AV setting. By default, the SonicWall GAV suppresses the use of HTTP byte-range requests to prevent the sectional retrieval and reassembly of potentially malicious content. This is done by terminating the connection, thus preventing the user from receiving the malicious payload. Enabling this option overrides that default behavior.
- Navigate to Manage | Security Services | Gateway Anti-Virus | Configure AV Settings.
- Check the logs on the firewall to determine if the website is being blocked or denied by any of the other security services on the firewall. If you know the website IP address or the local machine IP address, type it in the search bar on the logs to find the relevant entries quickly. If you find the entry in the logs, you can navigate to the respective security service and add exclusions if it's a legitimate website. If you do not find the entry, kindly follow the next step.
NOTE: The Logging level should be set to Inform and alert level to Alert.
- If not Content Filtering services, disable the other security services one by one and test the access to the website.
Intrusion Prevention.
Geo-IP filter.
App control.
App rules.
If you find the website is accessible after disabling any of the security services, then you can add exclusions to that respective security service either with IP address of the website or by adding the FQDN.
- Kindly check the DNS server being used on the Local machines. If it is an internal DNS server or DNS server provided by the ISP, kindly test on a Local machine by changing the DNS to public DNS on the Ethernet adapter. (Example: 8.8.8.8)
- Do a trace route to the website IP address or FQDN and determine whether it is reachable.
You can see whether the ICMP packets are effectively being transmitted to the destination or not.
- You need to run a packet capture on the firewall to determine the traffic flow. Kindly follow the KB article for utilizing the packet monitor.
How can I setup and utilize the Packet Monitor feature for troubleshooting?
- TIP: Bypass the SonicWall properly and test the access to the website. Connect a PC directly to the ISP modem via Ethernet cable. If you have assigned a Static IP on the active WAN interface on the firewall, use the same Static IP address, default gateway and DNS servers on the PC adapter which is connected to the ISP modem.
If you have assigned DHCP mode on the active WAN interface, then you can directly test it.
TIP: Unable to access City or State Sponsored sites such as www.state.nj.us behind a SonicWall firewall: Unable To Access City Or State Sponsored Sites Behind A SonicWall Firewall
- Even after following all the above steps, if you are still not able to access the website or determine the root cause from the packet capture, you can contact our Technical Support.
There are two ways to contact technical support:
1. Online: Visit mysonicwall.com. Once logged in select Resources & Support | Support | Create Case.
2. By phone: please use our toll-free number at 1-888-793-2830. Please have your SonicWall serial number available to create a new support case.
If you do not have a mysonicwall.com account create one for free!
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
- Check MTU settings on the WAN interface(s). An incorrect MTU is the most common cause of web browsing issues through SonicWall UTM appliances.
UTM: How to change the MTU size on the SonicWall UTM appliance?
UTM: How to Optimize PPPoE MTU?
- Check LAN to WAN access rules by navigating to Policy | Rules and Policies | Access rules. By default, the action is set to Allow for any source and any destination. Check whether you have any deny policies for the website or the local machine IP address.
- Determine if CFS is blocking the site in question due to policy. If CFS is being used, then it may be blocking the traffic to the site you are attempting to reach. Ensure that the Security Services log category is configured for logging on the Log | Categories configuration screen and then check your logs for indications of CFS blocking. After determining that CFS is blocking due to policy, you must modify the categories or create a domain exclusion to allow the traffic.
TIP: For info on Content Filtering Service (CFS) 3.0 for SonicOS 5.8 and above.
- Determine if CFS is blocking due to lack of host header in the first HTTP packet. CFS checks the Hostname listed in the HTTP Host header to determine the category of the site in question. If the first HTTP packet does not include the complete host header, then CFS will drop the connection without logging. If you are able to access the site without CFS enabled, this may be the cause. In this case, you must toggle the Enforce Host Tag Search for CFS setting on the diag.html page of the management GUI. It is recommended that you contact SonicWall technical support for assistance with this operation.
- Check the Enable HTTP Byte-Range requests with Gateway AV setting. By default, the SonicWall GAV suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly of potentially malicious content. This is done by terminating the connection, thus preventing the user from receiving the malicious payload. Enabling this option overrides that default behavior.
- Check the logs on the firewall to determine if the website is being blocked or denied by any of the other security services on the firewall. If you know the website IP address or the local machine IP address, type it in the search bar on the logs to find the relevant entries quickly. If you find the entry in the logs, you can navigate to the respective security service and add exclusions if it's a legitimate website. If you do not find the entry, kindly follow the next step.
NOTE: The Logging level should be set to Inform and alert level to Alert.
- If not Content Filtering services, disable the other security services one by one and test the access to the website.
Intrusion Prevention.
Geo-IP filter.
App control.
App rules.
If you find the website is accessible after disabling any of the security services, then you can add exclusions to that respective security service either with IP address of the website or by adding the FQDN.
- Kindly check the DNS server being used on the Local machines. If it is an internal DNS server or DNS server provided by the ISP, kindly test on a Local machine by changing the DNS to public DNS on the Ethernet adapter. (Example: 8.8.8.8)
- Do a trace route to the website IP address or FQDN and determine whether it is reachable.
You can see whether the ICMP packets are effectively being transmitted to the destination or not.
- You need to run a packet capture on the firewall to determine the traffic flow. Kindly follow the KB article for utilizing the packet monitor.
How can I setup and utilize the Packet Monitor feature for troubleshooting?
- TIP: Bypass the SonicWall properly and test the access to the website. Connect a PC directly to the ISP modem via Ethernet cable. If you have assigned a Static IP on the active WAN interface on the firewall, use the same Static IP address, default gateway and DNS servers on the PC adapter which is connected to the ISP modem. If you have assigned DHCP mode on the active WAN interface, then you can directly test it.
TIP: Unable to access City or State Sponsored sites such as www.state.nj.us behind a SonicWall firewall: Unable To Access City Or State Sponsored Sites Behind A SonicWall Firewall
- Even after following all the above steps, if you are still not able to access the website or determine the root cause from the packet capture, you can contact our Technical Support.
There are two ways to contact technical support:
1. Online: Visit mysonicwall.com. Once logged in select Resources & Support | Support | Create Case.
2. By phone: please use our toll-free number at 1-888-793-2830. Please have your SonicWall serial number available to create a new support case.
If you do not have a mysonicwall.com account create one for free!
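The host-header condition described in the CFS step of each resolution section above can be checked against a packet capture before toggling any setting. The following is an added example, not SonicWall code: it tests whether the Host header line is complete in the first TCP data segment of a request. The function names, the sample requests and the MSS values (1460 for a 1500-byte MTU, 1452 for a 1492-byte PPPoE MTU, both assuming 40 bytes of IPv4 and TCP headers without options) are assumptions made for the illustration.

```python
# Added example: is the Host header complete in the first TCP data segment?
# All names and sample requests below are constructed for illustration.
MSS_ETHERNET = 1460   # assumed: 1500-byte MTU minus 40 bytes of IPv4 + TCP headers
MSS_PPPOE = 1452      # assumed: 1492-byte PPPoE MTU minus the same 40 bytes

def host_in_first_segment(payload: bytes):
    """Return the Host value if its header line is complete in payload, else None."""
    lines = payload.split(b"\r\n")
    # The last element follows the final CRLF, so it is an unterminated
    # (possibly truncated) line and is never trusted as a complete header.
    for line in lines[1:-1]:           # also skip the request line
        if line == b"":                # blank line: end of headers
            break
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host" and value.strip():
            return value.strip().decode("ascii", "replace")
    return None

def segment(request: bytes, mss: int):
    """Split a request into TCP-payload-sized pieces for the given MSS."""
    return [request[i:i + mss] for i in range(0, len(request), mss)]

def diagnose(request: bytes, mss: int) -> str:
    """Classify a request by what the first segment alone reveals."""
    first = segment(request, mss)[0]
    host = host_in_first_segment(first)
    if host:
        return f"ok: Host '{host}' complete in first segment ({len(first)} bytes)"
    return f"suspect: no complete Host header in first {len(first)} bytes"

# Constructed sample requests.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n"
# A very long request line pushes the Host header into the second segment.
LONG_URL = (b"GET /search?q=" + b"a" * 2000 + b" HTTP/1.1\r\n"
            b"Host: www.example.com\r\n\r\n")
# A capture where the first segment ends in the middle of the Host value.
CUT_HOST = NORMAL[:NORMAL.index(b"example") + 3]

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("long url", LONG_URL)):
        print(label, "->", diagnose(req, MSS_PPPOE))
    print("cut host ->", host_in_first_segment(CUT_HOST))
```

To use it on real traffic, pass the TCP payload bytes of the first data packet from the Packet Monitor capture to `host_in_first_segment`.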