Sonicwall behavior with the TCP Zero Window

This article will describe the Sonicwall firewall behavior when it observes the TCP zero window alert in any TCP communication.

TCP Zero Window: When a TCP receiver's buffer begins to fill, it can reduce its receive window. If it fills, it can reduce the window to zero, which tells the TCP sender to stop sending. This is called "closing the window". Typically this indicates that the network is delivering traffic faster than the receiver can process it.

When the receiver closes its receive window, it usually means that it is receiving data faster than it can send it on the peer flow. This is normal in situations where, for example, the server-side network is faster than the client-side network, and there is a large transfer from the server to the client. 

For the client-server TCP communication, zero window can be normal behavior and the receiver should update the TCP window automatically based on its flow.

However, Sonicwall firewall can treat this as a Denial of Service attack and may reset the TCP stream if it sees the TCP zero window in the communication as shown below :

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

To prevent SonicWall from resetting the TCP stream, we can disable the option in the diag page. Please follow the steps mentioned below.

1. Login into Sonicwall UI.
2. Browse to the Internal Settings page by changing the browser address to https:///sonicui/7/m/mgmt/settings/diag 
3. Under the Firewall Settings section, disable the option 'Protect against TCP State Manipulation DoS', click Accept at the top of the page, and then Exit out of the Internal Settings page.
   
   
   
   

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

To prevent SonicWall from resetting the TCP stream, we can disable the option in the diag page. Please follow the steps mentioned below

1. Login into Sonicwall UI.
2. Browse to the Internal Settings page by changing the browser address to https:///diag.html
3. Under the Firewall Settings section, Disable the option 'Protect against TCP State Manipulation DoS', click Accept at the Bottom of the page, and then Exit out of the Internal Settings page.