fabiolr

SonicWall NSA 2400 Performance Issue

Hello,

I have a SonicWall NSA 2400 set up as a firewall and gateway to the internet. Two Links, one Cable and one Fiber (converted to Gigabit Ethernet, PPPoE). I use the Cable as a failover.

Everything works fine, but there is a performance issue.

The Fiber link is 100Mbps. If I connect it to my MacPro directly, and try speedtest.net, it reaches 96Mbps. When I connect it to the SonicWall, and do the same test from the same computer, it comes down to 32Mbps.

The processors at the SonicWall reach 100 momentarily.

Is ~35Mbps the limit on the appliance? It is rated to 150Mbps.

Anyone with a similar experience?

Thanks

Fabio Ribeiro
SP, Brazil
crouthamela

That does seem very low for an NSA 2400. What security services do you have enabled? The 100% CPU spike concerns me. Also, what firmware version?
fabiolr

ASKER

I have IPS, GAV, CFS and typical firewall settings. And NAT, naturally, as well as standard services such as DHCP, VPN servers... There is very little load on it, typically 2-3% with normal usage. When I start the download, the CPU spikes.

Firmware is SonicOS Enhanced 5.6.0.10-52o.

Would there be something in my config that might be unnecessarily overloading it when there is high traffic?

What makes it worse is that I have two locations with the same setup. NSA2400 with 100mb fiber link from same provider, same neighbourhood. Both show the same problem.

Thanks!

Fabio
Try disabling a security service one at a time and see if it goes away with one of them. Do you scan/prevent all levels of IPS?
fabiolr

ASKER

Disabling IPS has little effect....

Will try the MacPro directly on a SW port, eliminating the switch. Obvious but just occurred to me now.
fabiolr

ASKER

I disabled everything. All Security Services.

The processor spike is now only 60% during the speed test, but it still does not go over 30-35 Mbps.

To validate the test, I connected the MacPro directly to the SonicWall.

As a control, I tested again the speed connecting the Fiber link's media converter directly to the MacPro and got almost 100Mbps (http://www.speedtest.net/result/1813794418.png)

It does seem like a limit on the SW. Very disappointing. It was doing pretty much nothing more than NAT. I also isolated it from the rest of the network.

Any chance I might still be missing something?

Thanks!

Fabio
Doesn't sound like it, but out of curiosity, is the WAN interface set to auto/auto for speed/duplex? You could also try updating to 5.8, but that's a long shot as a magic fix. Might want to call it in to SonicWall and send them the settings/diag. 35Mbps still doesn't make any sense for an NSA 2400 as a normal thing.
fabiolr

ASKER

I am glad you said that. I went over to look at the interface's advanced settings and, although the speed was set to auto, I realized MTU was at 1500.

I changed it to 1492 after some reading around, and voila! Download went up to 85Mbps.
You showed me the way...

For the record, I went on enabling each service one at a time, testing the speed each time. When I turn on GAV or Anti-Spyware, the speed goes down back to 35Mbps.

So bottom line:
NSA 2400 can do over 35Mbps only if you give up its gateway anti-virus and anti-spyware features. But you still need to tune your settings properly, like the MTU.

I am still 10Mbps behind the direct connection, so not entirely happy. Maybe I can tune it even further? Or is it my switch and router (Cisco 2801) between my SW and MacPro? Need to test connecting directly again...

Thanks crouthamela for showing me the way.
ASKER CERTIFIED SOLUTION
crouthamela

fabiolr

ASKER

Good call. Changing to Performance Optimized allowed for 70Mbps with GAV and Anti-Spyware enabled. I also disabled low level threats for the AS.

Now it is running between 70 and 75Mbps. Still 20 below the potential for the link but very decent. I will go ahead and accept this as the solution, and will keep trying to improve with the MTU setting.

Thanks a lot for your help.