Solved

SonicWall TZ170 Throttles Broadband Connection Speed?

Posted on 2008-06-22
17
6,071 Views
Last Modified: 2012-05-05
Hi all,

I have a Virgin (previously NTL) cable modem broadband connection with 20Mbps download (soon to be upgraded to 50Mbps). However, when I do a broadband connection speed test at:

http://www.speedtest.bbmax.co.uk/

I only see a download speed of 2084 kbps (i.e. 2Mbps, not 20Mbsp). I have connected my laptop directly into the SonicWall TZ170 (which in turn is connected to the Virgin Cable Modem). I rang Virgin and they confirmed I should be seeing 20000kbps. A Virgin engineer came round, and plugged directly into the cable modem, and got a connection speed of 20Mbps, so looks like it's the SonicWall TZ170 that's throttling the connection.

On the SonicWall Admin interface, on the Network > Settings tab I have a WAN interface with a status of "100 Mbps, full duplex". Under the config for this I have "auto-negotiate", "Proxy management" unticked, "Fragements non-VPN outbound" ticked, "Ignore DF" unticked" and most importantly "Enable Bandwidth Management" unticked. Note, under this option, if I was to throttle it, it has "Available WAN bandwidth (Kbps)" of "20.000" greyed out which is odd.

(I have the same connection speed on another computer too).

Any help much appreciated.

Regards,

Ben.
0
Comment
Question by:webtechy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 4
  • 3
  • +1
17 Comments
 
LVL 10

Expert Comment

by:budchawla
ID: 21899867
Did you carry out the tests against the same site both times? The speed you get will depend on a number of different factors, but the first thing you need to do is test it against the same site at the same time a couple of times with and without the sonicwall. This will tell you if it is definitely the presence of the SonicWALL thats causing the drop in speed.

Also try turning off GAV/GAS/IPS if you have them on, just to see if that makes a difference.

FYI one of our sites has a TZ170 that connects up to a 10mb fibre connection and that routinely shows upwards of 7-8mbps on www.speedtest.net so it's not that the firewall isn't capable of higher speed connections...
0
 

Expert Comment

by:SymoTech
ID: 21907945
Is your firmware for the TZ170 the Standard or Enhanced?  I've read many comments about bandwidth issues with the Enhanced firmware.  I'm about to implement a TZ170 with enchanced, I'll post my results.
0
 
LVL 2

Author Comment

by:webtechy
ID: 21908902
This is standard firmware. I disabled some of the deep packet inspection services and the bandwidth improved. With them all disabled it went up to 16Mbps briefly (not consistent results) - but usually around 7 - 12Mbps. I have enabled the important ones (e.g. disabled e-mail filtering stuff as that's done on the Exchange server anyway). Am now getting around 3-4Mbps ish (from memory).

I raised a ticket with SonicWall about it, the engineer said it was slow due to the deep packet inspection and pointed me towards the documentation for the firewall. However, that documentation said I should get 20Mbps with pass through and 5Mbps with deep packet inspection. My figures in reality are lower than that. He said to get a faster connection I would need to upgrade. However, finding the connection speed capabilities for the other firewalls is proving as bit elusive ...
0
Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

 
LVL 2

Author Comment

by:webtechy
ID: 21908910
NB I would be happy if with all the deep packet inspection I was seeing 5Mbps but don't get half that stated value.
0
 
LVL 10

Expert Comment

by:budchawla
ID: 21909024
Hi,

The site I mentioned above uses GAV/GAS/IPS and I see higher speeds than 5mb? Quite strange but I'm not complaining...
These pages list the throughput for the various models of firewall (scroll down to the firewall/VPN performance section):
http://www.sonicwall.com/uk/TZ_Series.html
http://www.sonicwall.com/uk/PRO_Series.html
http://www.sonicwall.com/uk/TotalSecure_Solutions.html

I haven't linked to the NSA / E-Class pages since I'm guessing you're not going to replace a 170 with one of those :-)

If I were in your place I would get a TZ180 total secure and live with a 10mb connection with better security rather than a 20mb connection with less security... you may have a different view on this! Unless you have the budgetary flexibility - in which case the TS Enterprise (RRP £1625) will do 25mbps!

But I would first harass tech support and see why you're not even getting 5mb from this unit...
0
 
LVL 2

Author Comment

by:webtechy
ID: 21909157
Yeah, looks like the TZ-180 is the option to go for (odd it gives a deep packet inspection for the TZ190 but that doesn't seem to do deep packet inspection).

NB One of my reasons for wanting to increase the speed is to allow maximum connection possible for a site-to-site VPN tunnel. Not sure how to test the speeds of this other than downloading a large file from one site to the other - crude but I guess it would work. And in this instance, it _looks_ like the site-to-site VPN connection speed wouldn't be increased by the TZ190 over the TZ170.
0
 
LVL 2

Author Comment

by:webtechy
ID: 21909172
NB A little confused on the VPN connection speed as the engineer said without enhanced you can't disable deep packet inspection of the VPN connection - and he wouldn't recommend it anyway. So I would have thought you would still get the 5Mbps limit on the VPN connection.
0
 
LVL 2

Author Comment

by:webtechy
ID: 21909186
Anyone know if their are new models coming out that support faster connections but in the same price brackets as the TZ180 that I should hold tight and weight for?
0
 
LVL 10

Accepted Solution

by:
budchawla earned 200 total points
ID: 21909278
"odd it gives a deep packet inspection for the TZ190 but that doesn't seem to do deep packet inspection"
The TZ190 definitely does DPI.... why would you say it doesn't?

If you look at the table the VPN throughput is much higher than the DPI throughput - so if there's a bottleneck I would say it'll be the DPI itself rather than the fact that its VPN traffic.. even if there's additional CPU load on having to do VPN & DPI processing on the same payload.

Take that comment with a pinch of salt - and double-check the facts.. they don't always fully understand what you're asking and even when they do they don't always get it right! It's true that with enhanced you can get much finer control over these settings - but I would think that if you terminate a VPN at your LAN and don't apply NAT & FIrewall rules then there's no deep packet inspection on that traffic? I wouldn't swear to it since it's been a while since I checked this but that would be my guess...
0
 

Expert Comment

by:SymoTech
ID: 21920371
Well I went ahead and installed the TZ170 with enhanced firmware 3.2.3.0.
I was actually worried about spending the time to do this because of all negatives that I've been reading.  I was pleasantly surprised to see that with the enhanced firmware installed, I am still seeing 12 megabit down and 1.5 megabit up with no problem.  I have not tested my VPN throughput yet, but so far so good.  

0
 
LVL 10

Expert Comment

by:budchawla
ID: 21923775
SymoTech,
Are you using deep packet inspection on that unit?
0
 
LVL 2

Author Comment

by:webtechy
ID: 21923805
Symotech, what connection speed where you getting before upgrading to enhanced? Was it just a matter of upgrading the firmware to enhanced, or do you have to re-enter all your settings?
0
 

Assisted Solution

by:SymoTech
SymoTech earned 50 total points
ID: 21935199
budchawla:  No I am currently just setup with the defaults at this point.  But even so, I was told by several people that the CPU in the TZ170 just wasn't up to faster connections, and I saw several people claiming only 3-4 Mbit... even without dpi.

webtechy:  I had removed this TZ170 from operation a while back because of some other frustrations that were directly related to the old firmware. I could not get resolution from SonicWall Support in the past.  At this point, I have installed the new firmware with factory defaults, and have been rebuilding all my rules.  It was a good opportunity to clean things up.  

At this point I have no intentions of running any of their SPAM/VIRUS/etc addons as this is all handled elsewhere, so I think I'll be ok.  
0
 
LVL 2

Author Comment

by:webtechy
ID: 22035148
Quote: "odd it gives a deep packet inspection for the TZ190 but that doesn't seem to do deep packet inspection"  The TZ190 definitely does DPI.... why would you say it doesn't?

See http://www.sonicwall.com/uk/TZ_Series.html first row doesn't have a blue filled dot for DPI for the TZ190 (- mis-read - thought this meant it didn't have it - but it's an optional upgrade.
0
 
LVL 2

Author Closing Comment

by:webtechy
ID: 31469517
Looks like it's an upgrade - although I will be testing the connection speed through the VPN tunnel specifically to see how quick that is.
0
 

Expert Comment

by:AsgharE
ID: 22863069
I have similar issue with TZ150 acd Comcast and Charter Modem (10 MB and 1 MB) speed and not geeting more thn 2.5 MB download even if I disable all security features. I contacted Sonicwall and they suggested to I must upgrade the unit to Pro searies and there is no way to get 10 MB download and 1 MB upload with TZ series period.
Now the question I have is with many people at home offices getting 10 or more MB download with their isp (comcast, Charter, Virizon) how can they afford few thousand dollers firewall to simply getting the bendwidt they want.
Is firewall mfg are way behind from isp?
Anyone have any solution?
0
 

Expert Comment

by:AsgharE
ID: 22863072
I have similar issue with TZ150 acd Comcast and Charter Modem (10 MB and 1 MB) speed and not geeting more thn 2.5 MB download even if I disable all security features. I contacted Sonicwall and they suggested to I must upgrade the unit to Pro searies and there is no way to get 10 MB download and 1 MB upload with TZ series period.
Now the question I have is with many people at home offices getting 10 or more MB download with their isp (comcast, Charter, Virizon) how can they afford few thousand dollers firewall to simply getting the bendwidt they want.
Is firewall mfg are way behind from isp?
Anyone have any solution
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
IKEv2 on Palo Alto Networks 5050 FW 2 35
Palo Alto site-to-site vpn monitoring 5 66
Configure IP on Sonicwall 2 41
connect to cisco 2690 series 6 75
I see many questions here on Experts Exchange regarding switch port configurations and trunks. This article is meant for beginners in the subject to help to get basic knowledge about Virtual Local Area Network (VLAN (http://en.wikipedia.org/wiki/Vir…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question