Get started >
Get in contact with SonicWall Authorized Distributors. >
Get In Touch >
Get expert guidance >
Partner to win with SonicWall.
A sophisticated enablement platform designed to train partners.
Access to deal registration, MDF, sales and marketing tools, training and more.
Join the SecureFirst Partner Program.
Get in contact with the SonicWall Authorized Distributors.
Extensive technical training curriculum for partners.
Learn about SonicWall technology and alliance partners. >
Expand your managed security offerings with the MSSP Program and Security-as-a-Service (SECaaS). >
Contact the SonicWall Channel team. >
Find the answers to your questions by searching or browsing our knowledge base.
Our Support Videos help you set-up, manage and troubleshoot your SonicWall appliance or software
Get official SonicWall Technical Documentation for your product.
Professional Services delivered by SonicWall Partners
Review our Support Offerings and Policies
Develop SonicWall product expertise and earn industry recognized Certifications
Create a support ticket or contact us by phone >
Manage license, services software and firmware for SonicWall products >
Obtain a quote or renew a support contract >
See how we solve complex network security threats for customers like you
Learn about network security threats and how to stop them with SonicWall white papers.
Learn how our customers prevent complex network security threats around the globe.
News, trends and insights from SonicWall security experts
Get expert guidance on best practice solutions to fit your needs
Get details on SonicWall product features, specifications and ordering in our datasheets.
While using a 6.2.x firmware version on your SonicWall Appliance, your SSL-VPN users are reporting that they can't connect using Mobile Connect or NetExtender when sitting behind an Apple AirPort Extreme device. From the same machine, the SSL-VPN users can connect just fine from a different location, not behind this AirPort Extreme.
The issue occurs on Windows, Linux, iOS and Android Operating Systems.
The issue starts at the TCP three-way handshake for the SSL connection with the Apple Airport.
Sometimes the Apple AirPort will drop the third ACK packet from the client behind it or it will merge this packet into the next SSL Client Hello.
In the firewall side, when it receives a TCP SYN packet and then answer with a SYN/ACK, it will hope for an ACK to complete the TCP three-way handshake. However, sometimes it only gets an SSL Client Hello. Theoretically, the TCP three-way handshake can be finished by treating this packet as third ACK + data. Octean Firewalls can handle this situation, however, New Generation firewalls don't.
The solution for our SSL-VPN connections to work behind an Apple AirPort Device is to disable TCP_DISABLE_DACK option to support incomplete TCP three-way handshake like this.
There is 100ms latency for the first TCP data packet from a client when encountering an incomplete TCP three-way handshake. TCP_DISABLE_DACK option only affects the TCP three-way handshake but not the TCP traffic. It’s a different concept with the TCP NEGAL algorithm. Therefore, there are no security concerns to be worried off, nor side effects with this resolution.
Should you face this issue, you can contact our Technical Support Team about DTS 167361 and request a Hotfix for your Appliances running 184.108.40.206-19n or 220.127.116.11-31n.
The fix is included in the SonicOS release 18.104.22.168-15n and higher.
Request a topic for a future Knowledge Base article