• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1467
  • Last Modified:

strange packet loss


I'm using a software called pingplotter and when I ping from LAN going to facebook or cisco I'm getting intermittent packet loss, around 30-40%.

When I use command prompt, the ping is fine no PL.

I tried a different computer, my laptop and same results. I'm using a sonicwall NSA 3500

  • 7
  • 5
1 Solution
Blue Street TechLast KnightsCommented:
Hi gsmith888,

So PingPlotter is the only issue...meaning the results from it are incongruent with the results from all other computers using command prompt? All the computers (LAN/WLAN) are all showing no loss? And this is only occurring with 2 sites (facebook.com & cisco.com)? Am I understanding you correctly?

What version of PingPlotter are you using? There have been some bugs in later versions...I'm wondering if they've resurfaced in related forms. Here was an older bug:
Route discovery logic was too aggressive when high packet loss was on the final destination. Route would lengthen on some occasions and show lower packet loss than it should.
Are you experiencing performance degradation when browsing these sites?
gsmith888Author Commented:

I also suspected the same, but when I plug my laptop to our cisco pix, it was graphing normally to cisco and facebook, I was thinking it's something on the sonicwall?
Blue Street TechLast KnightsCommented:

What version is the SonicOS?

And is it Standard or Enhanced?

I need to know the answers to these questions to provide troubleshooting.

Also, go to Logs > Categories and enable all Categories by clicking the top of the Log Column check box, then click OK.

Re-test and see if anything pops up when you go there.

After that we can do a Packet Capture to figure what is happening but this depends on your SonicOS version & if its Enhanced.
WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

gsmith888Author Commented:
SonicOS enhanced
Blue Street TechLast KnightsCommented:
OK, thanks for the update.

Did you enable all Categories yet? Anything in the logs yet?

Are the MTU values the same in both the SonicWALL & PIX? If ISP made changes you can resize your MTU by decrementing it by 8 starting at 1500 until you get 0% loss. Open CMD prompt and use 'Ping -f -l www.google.com 1500' to test. Here is a step-by-step: http://www.experts-exchange.com/A_12615.html

Are any of the following checked?
Network > DNS
Enable DNS Rebinding Attack Prevention
      If yes, what is the action?
Firewall Settings > Advanced
Enable IP header checksum enforcement
Enable UDP checksum enforcement
Firewall Settings > Flood Protection
Enforce strict TCP compliance with RFC 793 and RFC 1122
        Enable TCP handshake enforcement
Enable TCP checksum enforcement
Enable TCP handshake timeout
What is the SYN Flood Protection Mode set to?
Security Services > Summary
What is the Security Services Setting to...Performance Optimized or Maximum Security?
Ping is just that, ping.  Pingplotter is a combination of ping and traceroute.

When you are dropping packets is the packets that are truly destine to cisco and facebook, or could it be some of the "traceroute" packets to routers along the path?

When you ping a L3 network devices (router, L3 switches, firewalls) will drop packets that are destine to them or have their TTL exipred.  This is to cut down on the overhead of processing the packet.  When a L3 device has to actually process a packet (resond to a ping, or a packet whose ttl has expired) it takes move overhead than when it just passes a packet through.
gsmith888Author Commented:
All the settings were unchecked. Except for Enable TCP handshake timeout, handshake 30s, default tcp is 15 & max segment lifetime is 8.

I was watching the logs and notice that  

This alert was low priority and base on the IPS policy low alerts are just detect and do nothing.
 2013/09/20 23:19:10.592 Alert Intrusion Prevention IPS Detection Alert: ICMP Time-To-Live Exceeded in Transit, SID: 352, Priority: Low, 8, X1, 512, X0
Blue Street TechLast KnightsCommented:
Ok good. All settings we went over are at defaults then.

IPS: It is just detecting so its fine. If it were preventing it would read as such: Alert Intrusion Prevention IPS Prevention Alert...
TTL was exceed connecting to google DNS (

What about your MTU value? See comment http:#a39507342

Are all Categories enabled for the Logs?
gsmith888Author Commented:
I'm trying to back up the sonicwall before doing anything. I saw a button "create backup" and "export settings" - would you know the difference?
Blue Street TechLast KnightsCommented:
Yes, Create Backup - creates a backup of the SonicWALL image along with your current configuration preferences and stores it internally within the OS.
Export Settings takes your current configuration preferences (settings) and exports it externally so you can import it later if their are problems and you wish to restore.

I prefer the Export Settings because it is external and if things go really south like you have to perform a factory reset you can do so and then import the settings backup and configure nothing!

Here is the proper way to backup the settings: https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=5645
gsmith888Author Commented:
logs were all turned on/checked. nothing is being returned for the source and destination. Would it be a good idea to turn off the IPS and then test and see how that goes?
Blue Street TechLast KnightsCommented:
Disable all Security Services as a test. Then one-by-one enable each and retest until you locate the culprit. Once you have found the source, configure it accordingly.
Blue Street TechLast KnightsCommented:
I'm glad I could help...thanks for the points!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

  • 7
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now