We help IT Professionals succeed at work.

Sonicwall Speed Issues

zephyr_hex (Megan)
on
3,483 Views
Last Modified: 2011-05-04
Sonicwall TZ 170 Enhanced
Firmware Version:        SonicOS Enhanced 3.1.0.11-30e  (latest version)

Outside the Sonicwall, internet speed is around 3Mbps
Inside the Sonicwall, internet speed is around 320KB/sec

I have tried changing duplex in various combinations, and little to no change occurred.
currently at WAN full duplex, LAN full duplex (but i tried any and all possible combinations)

what could be causing this problem?

Comment
Watch Question

>Outside the Sonicwall, internet speed is around 3Mbps
3Mbps - is this the speed of your WAN connection?

>Inside the Sonicwall, internet speed is around 320KB/sec
Is this the best sustained throughput you're getting on downloads? If you're getting 320 Kilo*bytes*/sec as shown in a browser window, this is a very good/normal download speed for a 3 Mbps connection (it roughly translates to 2.5Mbps).

cheers
CERTIFIED EXPERT
Top Expert 2010

Author

Commented:
let me put it this way...
i download a test file from outside the sonicwall.  firefox shows 3500KB/sec
i download the same test file from inside the sonicwall.  firefox shows 350KB/sec

i go to speakeasy.net
outside the sonicwall:  30101 kbps down / 6060 kpbs up
inside the sonicwall: 2417 kbps down / 1976 kpbs up

Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
CERTIFIED EXPERT
Top Expert 2010

Author

Commented:
content filter:  one word is filtered for internet.  i have tried removing that filter and it makes no difference.
services:  gateway antivirus, gateway antispyware, RBL filter with 2 sites
CPU utilization: under 30%

turned off AV and AS

speakeasy speed test:  13875 kpbs down and 1429 kbps up.  that's a huge improvement for download speed...

applied just AS :  2448kbps down and 2473 up
applied just AV :  3977kbps down and 3421 up
both applied: 2463kbps down and 2439 up

i dont see any significant errors on the interfaces.
i have run these speed tests from more than 1 workstation, at various places in the building (including an interface directly behind the sonicwall and directly infront of the sonicwall.  the test is not wifi.
we have site to site vpn because our servers are here and we have several remote sites
recently installed a switch between sonicwall and fiber internet connection in order to test speed without having to move cables around.  installing switch had no noticeable impact on speed issue.  before installing switch, there was nothing between sonicwall and internet.
also, no significant errors being reported in sonicwall logs.

sooooo, it appears that the AV/AS has a impact on the download speed.  am i really left with the choice between speed and security or is there a way to improve the speed with the AV/AS enabled?

Commented:
not really.

Anytime you have a firewall and are doing deep packet inspection for <av/as> or whatever, it will slow traffic down as the device de-encapsulates everything, examines, re-encapsulates and sends it on it's merry way.

The Marketing Hype for your firewall pretty clearly says that 8mbps thoughput is the max for av-type of filtering. Marketing Hype means optimal conditions (1500 byte packets). So, rather than rating for mbps, they should say packets per second (pps). but I digress.

Sad answer: get a bigger firewall if you really need those functions or offload those tasks to other devices/services. MX services like Postini might be able to help, if you want to keep your current hardware.
 
Running all these services: gateway antivirus, gateway antispyware, RBL filter with 2 sites, content filtering + VPN on a little TZ170 - it's no wonder you see the tremendous decrease in download throughput with all these enabled!  
  VPN alone (especially if using DES or 3DES for encryption) can eat quite a few CPU cycles on your SonicWall. If possible, you *might* try AES encryption (if not already using it) & MD5 hash (faster but a bit less secure than SHA1) for the site-site VPN links - that is IF the devices on the other end support AES.  But in the end, I'd suggest upgrading if you want better performance...

Agree again w/ pedrow:  Don't believe the marketing hype -- real-world tests as you've just run show that while the TZ170 *can* perform all those services simultaneously, it's not going to be fast.  If you need all these services, I suggest upgrading to a Pro 1260 or better yet a Pro 2040 (if budget allows); if your company has any plans at all for growth, you may be able to justfiy it to get the performance you want.  Go to SonicWall's website, & print out the spec sheets for the larger models compared to the TZ170 & show them to management.

Good luck!
CERTIFIED EXPERT
Top Expert 2010

Author

Commented:
just wanted to make a note...
i had also posted this issue on the Sonicwall forum site.  once i mentioned that disabling AV/AS improved the speed, i discovered that many other people are encountering the same problem with this sonicwall model.  seems that the 170 doesn't handle deep level packet inspection very well.
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.