SonicWall and TCP ZeroWindow
08/30/2021
This article describes how the SonicWall firewall behaves when it observes the TCP zero window alert in any TCP communication.
TCP Zero Window: When a TCP receiver's buffer begins to fill, it can reduce its receive window. If it fills, it can reduce the window to zero, which tells the TCP sender to stop sending. This is called "closing the window". Typically this indicates that the network is delivering traffic faster than the receiver can process it.
When the receiver closes its receive window, it usually means that it is receiving data faster than it can send it on the peer flow. This is normal in situations where, for example, the server-side network is faster than the client-side network, and there is a large transfer from the server to the client.
For client-server TCP communication, a zero window can be normal behavior, and the receiver should update the TCP window automatically based on its flow.
However, the SonicWall firewall can treat this as a Denial of Service attack and may reset the TCP stream if it sees the TCP zero window in the communication.
This can be avoided by disabling a feature in the internal settings option of the SonicWall, as follows:
Step 1: Log in to the SonicWall UI.
Step 2: Enter the internal settings option by changing the browser address to:
https://<ip_address>/diag.html for gen6 devices
https://<ip_address>/sonicui/7/m/mgmt/settings/diag for gen7 devices
Step 3: Disable the option 'Protect against TCP State Manipulation DoS' and click Accept.
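Before changing the setting, a packet capture can confirm that streams really are being reset after a zero window, as described above. The following is an added example, not SonicWall code: it assumes rows exported with the tshark command shown in its comments, and the function name, the 5-second gap and the sample rows are assumptions made for illustration.

```python
# Added example: flag TCP connections reset shortly after a zero-window advertisement.
# Rows are assumed to come from a field export such as:
#   tshark -r capture.pcap -Y tcp -T fields -e frame.time_relative -e ip.src \
#     -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags -e tcp.window_size_value
FIN, SYN, RST = 0x01, 0x02, 0x04

# Constructed sample rows (documentation addresses), not a real capture.
SAMPLE = """\
0.000\t192.0.2.10\t51000\t198.51.100.5\t443\t0x0010\t64240
0.100\t192.0.2.11\t52000\t198.51.100.5\t443\t0x0010\t0
0.900\t192.0.2.11\t52000\t198.51.100.5\t443\t0x0010\t32768
1.200\t192.0.2.10\t51000\t198.51.100.5\t443\t0x0010\t0
1.450\t198.51.100.5\t443\t192.0.2.10\t51000\t0x0014\t0
9.000\t198.51.100.5\t443\t192.0.2.11\t52000\t0x0004\t0
"""

def resets_after_zero_window(rows, max_gap=5.0):
    """Return (connection, zero_window_time, rst_time) for each suspect reset."""
    pending = {}   # (connection, advertiser) -> time that end closed its window
    findings = []
    for line in rows.strip().splitlines():
        t, src, sport, dst, dport, flags, win = line.split("\t")
        t, flags, win = float(t), int(flags, 16), int(win)
        sender, peer = (src, int(sport)), (dst, int(dport))
        conn = tuple(sorted((sender, peer)))  # same key for both directions
        if flags & RST:
            # The RST may come from either direction, so check both ends.
            for end in conn:
                closed_at = pending.pop((conn, end), None)
                if closed_at is not None and t - closed_at <= max_gap:
                    findings.append((conn, closed_at, t))
        elif flags & (SYN | FIN):
            continue  # the window value on SYN/FIN is not a zero-window signal
        elif win == 0:
            pending.setdefault((conn, sender), t)  # keep the first closure time
        else:
            pending.pop((conn, sender), None)  # window reopened normally
    return findings

if __name__ == "__main__":
    for conn, zw, rst in resets_after_zero_window(SAMPLE):
        print(f"{conn}: zero window at {zw:.3f}s, RST at {rst:.3f}s")
```

A connection that reopens its window before any reset is not reported, which separates ordinary flow control from the reset behavior this article describes.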