• Status: Solved

Download speed

I have a Comcast business class line that I get 100Mb download speeds on when I connect directly to the router, but when I run the test from inside the firewall it drops down to 20Mb. What could cause such a big difference?

Comcast>>>>SonicWall>>>>>HP Gb switch>>>>>desktop
NytroZ
Asked:
 
strivoli Commented:
I'm not sure I've understood correctly... but that might be because the 100Mb are LAN and 20Mb are WAN.

Soulja Commented:
When you say directly into the router do you mean directly into the Comcast router/modem when you get 100MB speeds?

If so, then your SonicWall may not be able to handle the WAN-to-LAN throughput of your broadband connection. The SonicWall also has to inspect traffic, which is another point of contention.

NytroZ Author Commented:
Yes, that is what I mean.  My Sonic Wall's WAN interface is set to 1000Mb/ Full.  Is there that much latency at the firewall to inspect traffic?
 
Blue Street Tech Last Knight Commented:
Hi torszula,

It depends on your model. What is the model of your SonicWALL, e.g. (TZ 215, NSA 3600)?

If it's an NSA 220 (or higher Gen5/6 device) you're OK. Anything less than that will not pass DPI throughput that high. Stateful throughput...yes (depending on if it's a Gen 5 device). Once I know that I will be able to answer your question more precisely.

Thanks.

Soulja Commented:
Even if your SonicWall has a Gig WAN interface, that doesn't determine how fast it can transfer data between interfaces, i.e., WAN to LAN and vice versa.

NytroZ Author Commented:
NSA 220

Firmware 5.8.1.42o

Blue Street Tech Last Knight Commented:
Yeah you should be fine!

Your unit has a Stateful throughput of 600 Mbps and a DPI throughput of 110 Mbps.

There must be a misconfiguration within the unit. Bypass the switch and re-test directly connected to the SonicWALL. Post results.

Update your firmware to at least SonicOS 5.9.0.1.100o.

NytroZ Author Commented:
I've done that.  I connected directly to an open port on the fw and tested to www.speedtest.net.  Same poor results!

SonicWall>>>>>Comcast Router>>>>>ISP = 20Mbps

Comcast Router>>>>>>ISP = 100 Mbps

Blue Street Tech Last Knight Commented:
When you say, "when I connect directly to the router but when I run the test from inside the firewall it drops down to 20Mb," was the term "router" misused here? You should be using a modem from them. If not, and it is a router, do you have access to it and how is it configured?

Also, update your firmware to at least SonicOS 5.9.0.1.100o. Then re-test & post results.

NytroZ Author Commented:
It is a Comcast "modem".  Upgrade to Sonic Wall 5.9 yielded the same results.

Blue Street Tech Last Knight Commented:

1. UTM

An incorrect MTU is the most common cause of web browsing issues through SonicWALL UTM appliances.

Here is an article I wrote on getting the correct MTU value with the testing guide: http://www.experts-exchange.com/A_12615.html 

2. Logs & CFS

Is anything showing up in the logs while you run the test? Go to Log > Categories and select all under the logs column then click OK. Determine if CFS is blocking the site in question due to policy. If CFS is being used, then it may be blocking the traffic to the site you are attempting to reach. Ensure that the Security Services log category is configured for logging on the Log > Categories configuration screen and then check your logs for indications of CFS blocking. After determining that CFS is blocking due to policy, you must modify the categories or create a domain exclusion to allow the traffic.

3. CFS Blocking Headers

Determine if CFS is blocking due to lack of host header in the first HTTP packet. CFS checks the hostname listed in the HTTP Host header to determine the category of the site in question. If the first HTTP packet does not include the complete host header, then CFS will drop the connection without logging. If you are able to access the site without CFS enabled, this may be the cause. In this case, you must toggle the "Enforce Host Tag Search for CFS" setting on the diag.html page of the management GUI.

4. HTTP Byte-Range

Check the "Enable HTTP Byte-Range requests with Gateway AV" setting. The SonicWALL GAV by default suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly of potentially malicious content. This is done by terminating the connection and thus preventing the user from receiving the malicious payload. By enabling this option you will override this setting.

Let me know how it goes!

Soulja Commented:
Make sure you aren't running half duplex. Sometimes the simple things.

Blue Street Tech Last Knight Commented:
Any updates on this?

masnrock Commented:
I'd check the MTU first, it should generally be 1500 for cable connections. Also, I'd leave the WAN port of the Sonicwall at autonegotiate, as things do not always play nice when one side is set to a speed and the other isn't. I noticed you also did not mention what model of Sonicwall you are using. If you have a Sonicwall TZ-100, downgrade to 5.8 firmware because 5.9 can cause screwy issues.

Blue Street Tech Last Knight Commented:
@masnrock - it's a 220 (http:#a39583223). I have found more bugs in 5.8 than 5.9.

NytroZ Author Commented:
It is a sonic wall 220.  Duplex is set at auto negotiate and MTU at 1500.

Pinging ds-any-fp3-real.wa1.b.yahoo.com [98.139.183.24] with 1500 bytes of dat

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.


Pinging ds-any-fp3-real.wa1.b.yahoo.com [98.139.180.149] with 1468 bytes of da
:
Reply from 98.139.180.149: bytes=1468 time=72ms TTL=51
Reply from 98.139.180.149: bytes=1468 time=67ms TTL=51
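
Added example, not part of the original thread: the two DF-set pings posted above (1500 bytes of data rejected, 1468 accepted) only bracket the path MTU, so this Python code computes that bracket and then binary-searches the exact value. The function names and the simulated link are constructed for illustration; `ping_probe` assumes Windows `ping -f -l` or Linux iputils `ping -M do -s`.

```python
import platform
import subprocess

ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def mtu_bounds(observations):
    """Range of path MTUs consistent with (payload, passed) DF-ping results."""
    low = max((p + ICMP_OVERHEAD for p, ok in observations if ok), default=None)
    high = min((p + ICMP_OVERHEAD - 1 for p, ok in observations if not ok),
               default=None)
    return low, high


def find_path_mtu(probe, lo=548, hi=1472):
    """Binary-search the largest payload that passes with DF set; return the MTU."""
    if not probe(lo):
        raise RuntimeError("smallest probe failed: host unreachable or ICMP filtered")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid        # mid fits, so the answer is mid or larger
        else:
            hi = mid - 1    # mid needs fragmentation, so the answer is smaller
    return lo + ICMP_OVERHEAD


def ping_probe(host):
    """Real probe: one echo request with DF set, using the OS ping command."""
    def probe(payload):
        if platform.system() == "Windows":
            cmd = ["ping", "-f", "-l", str(payload), "-n", "1", host]
        else:  # assumption: Linux iputils ping
            cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", host]
        out = subprocess.run(cmd, capture_output=True, text=True)
        return out.returncode == 0 and "ttl=" in out.stdout.lower()
    return probe


def simulated_probe(path_mtu):
    """Constructed stand-in for a link, so the search can be run offline."""
    return lambda payload: payload + ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    # The two results from the thread: 1500 failed, 1468 passed.
    print(mtu_bounds([(1500, False), (1468, True)]))
    print(find_path_mtu(simulated_probe(1500)))
    # Against a live path: find_path_mtu(ping_probe("www.example.com"))
```

On a standard 1500-byte Ethernet path the search returns 1500, which corresponds to a largest unfragmented ping payload of 1472 bytes.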
 
Blue Street Tech Last Knight Commented:
I don't understand your last post. Are you saying that 1468 is your optimal MTU after following my instructions here: http:/#a39583568 ? Did you follow all the steps (1-4)?

Is it working now?

NytroZ Author Commented:
I'm sorry.....I was away for a bit.  After reading through your post I looked at all of the connections to the Sonic Wall with Connection Manager.  There are over 500 connections and many have a lot of traffic.  I flushed all of the connections and tested.  The test was good.  95 Mbps.  That was yesterday.  Today the issue is back.  20Mbps.  Instead of flushing all of the connections is there a better method to identifying the problem?  We only have 20 users here and they do not use the internet as part of their job.

Blue Street Tech Last Knight Commented:
Interesting.

Connections aren't a problem...an NSA 220 can handle this:
Connections per second       2,200/sec
Maximum connections (SPI)       85,000
Maximum connections (DPI)       32,000

500 connections are nothing to worry about. You shouldn't have to flush anything for your unit to function properly, either.

Have you enabled TCP Handshake timeout (Firewall>Advanced)? If so, what are the seconds set to?

Have you enabled any hardening settings or other SYN Flood settings outside of defaults?

Disable all Security Services (CGSS) and re-test, then individually re-enable one security service at a time (GAV, then GAS, then IPS, etc.) until you can isolate the issue.

Post results.

NytroZ Author Commented:
What I needed to do to resolve this was set the security services setting to "Performance Optimized".

Blue Street Tech Last Knight Commented:
Glad I could help...thanks for the points!

Yup, Performance Optimized checks only High and Medium threat-level traffic.