Main Menu
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Events
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
SonicWall
  • Products
      All Products A–Z
      Free Trials
    • Network Security
      • Next-Generation Firewall (NGFW)
      • Network Security Services
      • Network Security Management
      • Secure SD-WAN
    • Threat Protection
      • Advanced Threat Protection Cloud
      • Advanced Threat Protection Appliance
      • Capture Labs
    • Secure Access Service Edge (SASE)
      • Zero-Trust Network Access (ZTNA)
    • Cloud Security
      • Cloud Firewall
      • Cloud App Security
    • Endpoint Security
      • Endpoint Detection & Response (EDR)
    • Email Security
      • Cloud Email Security
      • Hosted Email Security
      • On-Prem Email Security
    • Secure Access
      • Wireless Access Points
      • Network Switch
      • Virtual Private Network (VPN)
    • Wi-Fi 6 Access Points

      SonicWall SonicWave 600 series access points provide always-on, always-secure connectivity for complex, multi-device environments.

      Read More
  • Solutions
    • Industries
      • Distributed Enterprises
      • Retail & Hospitality
      • K-12 Education
      • Higher Education
      • State & Local
      • Federal
      • Healthcare
      • Financial Services
      • Carriers
    • Use Cases
      • Secure SD-Branch
      • Network Segmentation
      • Zero Trust Security
      • Secure SD-WAN
      • Office 365 Security
      • SaaS Security
      • Secure Wi-Fi
    • Solutions Widgets
      • Solutions Content Widgets
        Federal

        Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions

      • Solutions Image Widgets
  • Partners
    • SonicWall Partners
      • Partners Overview
      • Find a Partner
      • Authorized Distributors
      • Technology Partners
    • Partner Resources
      • Become a Partner
      • SonicWall University
      • Training & Certification
    • Partner Widgets
      • Custom HTML : Partners Content WIdgets
        Partner Portal

        Access to deal registration, MDF, sales and marketing tools, training and more

      • Partners Image Widgets
  • Support
    • Support
      • Support Portal
      • Knowledge Base
      • Technical Documentation
      • Community
      • Video Tutorials
      • Product Life Cycle Tables
      • Partner Enabled Services
      • Contact Support
    • Resources
      • Resource Center
      • Events
      • Free Trials
      • Blog
      • SonicWall University
      • MySonicWall
    • Capture Labs
      • Capture Labs
      • Security Center
      • Security News
      • PSIRT
      • Application Catalog
    • Support Widget
      • Custom HTML : Support Content WIdgets
        Support Portal

        Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials

      • Support Image Widgets
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Events
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
  • Contact Sales
  • English English English en
  • BLOG
  • CONTACT SALES
  • FREE TRIALS
  • English English English en
SonicWall
  • Products
      All Products A–Z
      Free Trials
    • Network Security
      • Next-Generation Firewall (NGFW)
      • Network Security Services
      • Network Security Management
      • Secure SD-WAN
    • Threat Protection
      • Advanced Threat Protection Cloud
      • Advanced Threat Protection Appliance
      • Capture Labs
    • Secure Access Service Edge (SASE)
      • Zero-Trust Network Access (ZTNA)
    • Cloud Security
      • Cloud Firewall
      • Cloud App Security
    • Endpoint Security
      • Endpoint Detection & Response (EDR)
    • Email Security
      • Cloud Email Security
      • Hosted Email Security
      • On-Prem Email Security
    • Secure Access
      • Wireless Access Points
      • Network Switch
      • Virtual Private Network (VPN)
    • Wi-Fi 6 Access Points

      SonicWall SonicWave 600 series access points provide always-on, always-secure connectivity for complex, multi-device environments.

      Read More
  • Solutions
    • Industries
      • Distributed Enterprises
      • Retail & Hospitality
      • K-12 Education
      • Higher Education
      • State & Local
      • Federal
      • Healthcare
      • Financial Services
      • Carriers
    • Use Cases
      • Secure SD-Branch
      • Network Segmentation
      • Zero Trust Security
      • Secure SD-WAN
      • Office 365 Security
      • SaaS Security
      • Secure Wi-Fi
    • Solutions Widgets
      • Solutions Content Widgets
        Federal

        Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions

      • Solutions Image Widgets
  • Partners
    • SonicWall Partners
      • Partners Overview
      • Find a Partner
      • Authorized Distributors
      • Technology Partners
    • Partner Resources
      • Become a Partner
      • SonicWall University
      • Training & Certification
    • Partner Widgets
      • Custom HTML : Partners Content WIdgets
        Partner Portal

        Access to deal registration, MDF, sales and marketing tools, training and more

      • Partners Image Widgets
  • Support
    • Support
      • Support Portal
      • Knowledge Base
      • Technical Documentation
      • Community
      • Video Tutorials
      • Product Life Cycle Tables
      • Partner Enabled Services
      • Contact Support
    • Resources
      • Resource Center
      • Events
      • Free Trials
      • Blog
      • SonicWall University
      • MySonicWall
    • Capture Labs
      • Capture Labs
      • Security Center
      • Security News
      • PSIRT
      • Application Catalog
    • Support Widget
      • Custom HTML : Support Content WIdgets
        Support Portal

        Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials

      • Support Image Widgets
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Events
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
  • Contact Sales
  • Menu

Troubleshooting Network throughput, Latency, and Bandwidth Issues with a SonicWall UTM

10/05/2022 8,185 People found this article helpful 255,355 Views

    Download
    Print
    Share
    • LinkedIn
    • Twitter
    • Facebook
    • Email
    • Copy URL The link has been copied to clipboard

    Description

    This article gives a list of possible reasons causing throughput and performance issues in the SonicWall UTM appliance.

    Each SonicWall UTM appliance series has different performance capabilities depending upon hardware specifications such as the CPU, the RAM or the Flash memory. It is recommended to check the particular device's capabilities before deciding that the performance related issues with the device is due to other factors.

    You can find the information for your device on our Products Page.

    CAUTION: Please keep in mind that Speed testing sites are not an accurate depiction of network throughput. There are many factors that impact throughput before packets egress the SonicWall and make the return trip to the host that's performing the speed test. We strongly recommend examining your network as a whole when troubleshooting any throughput issues.

    Resolution

    NOTE: Please perform the following steps in the order they're presented and test the throughput after each change. 

    Resolution for SonicOS 7.X

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

    Maximum Transmission Unit (MTU) of the WAN interface of the SonicWall

    1. Click on Network on the top Navigation Menu.
    2. Click System | Interfaces and Configure the WAN interface in question.

      The Maximum Transmission Unit size is the maximum size of an Ethernet frame being sent out through a network device. By default, this value is 1500 bytes but on xDSL and cable connections this value is often lowered to achieve a more stable connection and/or better performance. Common values are: 1492 SDSL / 1460 ADSL / 1404 Cable. The MTU value is changed in increments of 8 bytes. In the SonicWall WAN interface, this value is by default 1500 bytes.

      Image

      TIP: Change the MTU size after determining the optimum MTU size in order to prevent unnecessary fragmentation. Refer to the following article to determine the optimum MTU value: How can I determine the MTU size of WAN interfaces to optimize throughput? | SonicWall

    Fragment non-VPN outbound packets larger than this Interface's MTU

    1. Click on Network on the top Navigation Menu.
    2. Click on System | Interfaces and Configure the WAN interface in question. This checkbox setting works in tandem with MTU and is enabled by default. Having this option enabled is a Best Practice and will help ensure the SonicWall isn't forwarding packets with a larger MTU than can be used on the Interface.

      Image

      TIP: Enable this option under Network | System | Interfaces | WAN Interfaces | Advanced Tab

    Ignore Don't Fragment (DF) Bit

    1. Click on Network on the top Navigation Menu.
    2. Click on System | Interfaces and Configure the WAN interface in question.
    3. Enabling this option would fragment packets even though the Don't Fragment bit is set. By default, this option is unchecked in the WAN interface advanced settings and it is recommended to keep it unchecked.

      Image

      TIP: Enable this option under Network | System | Interfaces | WAN Interfaces | Advanced Tab

    Link Speed settings of the WAN and other Interfaces

    1. Click on Network on the top Navigation Menu.
    2. Click on System | Interfaces and Configure the WAN interface in question.
    3. By default, all Interfaces on the SonicWall are set to automatically detect link speed. However, in certain deployments, the link speed settings should be manually set according to the device connected to the Interface. Please contact your ISP or device manufacturer of the device connected to the WAN Interface to find their best Duplex and Link Speed settings. Incorrect duplex settings of your WAN, for instance, would have the following harmful effects.

      • Unable to negotiate a connection with the ISP
      • An Inconsistent Internet connection
      • Dropped Packets
      • Slow Throughput

        Image


        TIP: 
        Check with the manufacturer for all devices directly connected to a SonicWall Interface and make sure the Duplex and Link Speed Settings are optimally set. Change the relevant settings under Network | System | Interfaces | WAN interface | Advanced Tab.

    Bandwidth Management

    Make sure the Bandwidth Management is disabled on the LAN and WAN interfaces and on the access rules.

    1. To disable Bandwidth Management on the Interface, Click on Network | System | Interfaces (Edit LAN and WAN) | Advanced Tab.

      Image

    2. To disable Bandwidth Management on the Access Rules. Click on Policy | Rules and Policies | Access Rules | Configure access rule from LAN to WAN |Traffic shaping, make sure Bandwidth management is disabled.

      Image

    Enable Fragmented Packet Handling in VPN Advanced Settings

    1. Click on Network on the top Navigation Menu.
    2. Navigate to IPsec VPN | Advanced.
    3. Enabling fragmentation (Enable Fragmented Packet Handling) would help SonicWall handle fragmented IPsec packets. This can affect SonicWall's WAN throughput if any VPN policies are configured and enabled, even if they aren't established.

      Image

      TIP: It is recommended to enable this option and leave the Ignore DF Bit option unchecked under IPsec | Advanced on the SonicWall GUI.

    Allow Fragmented Packets in Access Rules

    1. Click on Policy in the top Navigation menu.
    2. Navigate to Rules and Policies | Access rules and configure the desired access rule.
    3. This option is enabled by default and the best practice would be to keep it enabled.

      Image

      TIP: Make sure that all Access Rules under Rules and Policies | Access Rules have the Allow Fragmented Packets Checkbox Enabled.

    Check the Connections Monitor to determine whether hosts on the network are using a large number of connections

    1. Click on Monitor in the top Navigation menu.
    2. Navigate to Tools and Monitors | Connections.
    3. If a host in the network is infected with malware it will often open, at random, hundreds or thousands of connections to the Internet or internal resources.
      The Connections displays real-time views of all connections to and through the SonicWall security appliance allowing you to find infected hosts and remove them from the network.

      TIP: Isolate the affected host and remove it from the network.

    Set Name Resolution to None

    1. Click Device on the Top Navigation menu.
    2. Navigate to Log | Name Resolution. High traffic networks will result in high amounts of DNS queries for the SonicWall as it attempts to generate log entries. By default, the SonicWall will populate the DNS Address for log entries resulting from Security Services, firewall Access Rules, and the like.

      Image

      TIP: Change Name Resolution under Device | Log | Name Resolution to None.

    Performance Optimized Security Services

    1. Click Policy on the Top Navigation menu.
    2. Navigate to Security Services | Summary.
    3. For throughput Best Practices we recommend disabling Enhanced Security. This will inspect and block packets who match Signatures matching Medium or High Priority Threat probability. Blocking Low Threat Probability traffic will unnecessarily drop packets such as ICMP and is not recommended for most deployments.

      Image

      TIP: Also Disable Low Priority Attacks under Prevent All for both Intrusion Prevention and Anti-Spyware.

    Path Ping to a Remote Network

    To help rule out or prove an issue with a device or network above the SonicWall you can use Path Ping. This command line utility will both Ping and track the latency on the route to a target destination, providing you feedback on if a particular hop is latent, packets are being incorrectly routed, etc.

    TIP: Perform a Path Ping to the network or IP Address that you're testing to. 
    https://technet.microsoft.com/en-us/library/bb490964.aspx


    Physical Network

    1. If the above troubleshooting fails to yield an increase in throughput, it is often necessary to try removing the SonicWall from the physical network and retest the speeds. Increases in throughput when removing the SonicWall from the physical network are expected but it is important to have information on speeds with and without the SonicWall in place for further troubleshooting. It can also be beneficial to directly connect a host to the ISP handoff device and test for a throughput issue on the ISP side.

      NOTE: If speed tests show higher speeds with a host directly connected to the ISP modem/handoff device, check if the host is getting a private IP (DHCP). If the host is assigned with a private IP (DHCP) from the ISP modem, configure the WAN interface in DHCP mode instead of Static IP and test the speeds.

    2. Furthermore, we recommend doing an iPerf Test on the SonicWall to test for physical issues on the SonicWall's Interfaces. This requires that the SonicWall be taken out of the network line temporarily in order to avoid involving other network devices that could alter the results.

      TIP: Remove the SonicWall from the physical network after getting a baseline of the network throughput. Test the throughput using the same tools and note the difference. While the SonicWall is out of the network, perform an iPerf Test: How to use iPerf to measure throughput on a SonicWall device? | SonicWall

    NOTE: Please perform the following steps in the order they're presented and test the throughput after each change. 

    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.


    Maximum Transmission Unit (MTU) of the WAN interface of the SonicWall

    1. Click Manage in the top navigation menu.
    2. Click Network | Interfaces and opening the Interface in question.

      The Maximum Transmission Unit size is the maximum size of an Ethernet frame being sent out through a network device. By default this value is 1500 bytes but on xDSL and cable connections this value is often lowered to achieve a more stable connection and/or better performance. Common values are: 1492 SDSL / 1460 ADSL / 1404 Cable. The MTU value is changed in increments of 8 bytes. In the SonicWall WAN interface this value is by default 1500 bytes.
      Image

      TIP: Change the MTU size after determining the optimum MTU size in order to prevent unnecessary fragmentation. Refer the following article to determine the optimum MTU value: Determining the MTU Value for Your Internet Connection.


    Fragment non-VPN outbound packets larger than this Interface's MTU

    1. Click Manage in the top navigation menu.
    2. Click Network | Interfaces and opening the Interface in question.This checkbox setting works in tandem with MTU, and is enabled by default. Having this option enabled is a Best Practice and will help ensure the SonicWall isn't forwarding packets with a larger MTU than can be used on the Interface.
       Image

      TIP:  Enable this option under Network | Interfaces | WAN Interface | Advanced Tab.

    Ignore Don't Fragment (DF) Bit

    1. Click Manage in the top navigation menu.
    2. Navigate to Network | Interfaces and opening the Interface in question.
    3. Enabling this option would fragment packets even though the Don't Fragment bit is set. By default this option is unchecked in the WAN interface advanced settings and it is recommended to keep it unchecked.
      Image

      TIP: Disable this option under Network | Interfaces| WAN Interface | Advanced Tab.


    Link Speed settings of the WAN and other Interfaces

    1. Click Manage in the top navigation menu.
    2. Click Network | Interfaces and opening the Interface in question.
    3. By default all Interfaces on the SonicWall are set to automatically detect link speed. However, in certain deployments, the link speed settings should be manually set according to the device connected to the Interface. Please contact your ISP or device manufacturer of the device connected to the WAN Interface to find their best Duplex and Link Speed settings. Incorrect duplex settings of your WAN, for instance, would have the following harmful effects.
    • Unable to negotiate a connection with the ISP
    • An Inconsistent Internet connection
    • Dropped Packets
    • Slow Throughput
      Image

      TIP: Check with the manufacturer for all devices directly connected to a SonicWall Interface and make sure the Duplex and Link Speed Settings are optimally set. Change the relevant settings under Network | Interfaces| WAN Interface | Advanced Tab.



    Bandwidth Management

    1. Click Manage in the top navigation menu.
    2. Navigate to  Firewall Settings | Bandwidth Management.
    3. You can apply bandwidth management to both outbound and inbound traffic on the Interfaces associated with the WAN Zone. Enabling it entails entering the bandwidth values (in Kbps) available for the Interface. Bandwidth management will cause throughput degradation if incorrectly configured.

      EXAMPLE: If Bandwidth Management has been enabled on an Interface without specifying the bandwidth values, inbound and outbound traffic traversing that link will be throttled to the default values (384Kbps).
       Image

      TIP: Disable Bandwidth Management if not required via Firewall Settings | Bandwidth Management on the SonicWall GUI.

       

    Enable Fragmented Packet Handling in VPN Advanced Settings

    1. Click Manage in the top navigation menu.
    2. Navigate to VPN | Advanced Settings.
    3. enabling fragmentation would help SonicWall handle fragmented IPsec packets. This can affect the SonicWall's WAN throughput if any VPN policies are configured and Enabled, even if they aren't established.

      Image

      TIP: It is recommended to enable this option and leave the Ignore DF Bit option unchecked under VPN | Advanced Settings on the SonicWall GUI.

    Allow Fragmented Packets in Access Rules

    1. Click Manage in the top navigation menu.
    2. Navigate to Rules | Access Rules and configuring the desired access rule.
    3. This option is Enabled by default and the best practice would be to keep it enabled.
      Image

      TIP: Make sure that all Access Rules under Rules | Access Rules have the Allow Fragmented Packets Checkbox Enabled.

    Check the Connections Monitor to determine whether hosts on the network are using large number of connections

    1. Click Investigate in the top navigation menu.
    2. Click Connections Logs.
    3. If a host in the network is infected with malware it will often open, at random, hundreds or thousands of connections to the Internet or internal resources. The Connections Monitor displays real-time views of all connections to and through the SonicWall security appliance allowing you to find infected hosts and remove them from the network.

      TIP:Isolate the affected host and remove it from the network. The Connection Monitor is available under Investigate in the top navigation menu | Connection Logs.


    Set Name Resolution to None

    1. Click Manage in the top navigation menu.
    2. Navigate to Log Settings | Name Resolution.High traffic networks will result in high amounts of DNS queries for the SonicWall as it attempts to generate log entries. By default, the SonicWall will populate the DNS Address for log entries resulting from Security Services, firewall Access Rules, and the like.
      Image

      TIP: Change Name Resolution under Log Settings | Name Resolution to None.


    Performance Optimized Security Services

    1. Click Manage in the top navigation menu.
    2. Navigate to  Security Services | Base Setup.
    3. For throughput Best Practices we recommend setting the Security Services Settings to Performance Optimized. This will inspect and block packets who match Signatures matching Medium or High Priority Threat probability. Blocking Low Threat Probability traffic will unnecessarily drop packets such as ICMP and is not recommended for most deployments.

      TIP: Change Security Services Settings under Security Services | Base Setup to Performance Optimized. Also Disable Low Priority Attacks under Prevent All for both Intrusion Prevention and Anti-Spyware.

    Path Ping to a Remote Network

    1. To help rule out or prove an issue with a device or network above the SonicWall you can use Path Ping. This command line utility will both Ping and track the latency on the route to a target destination, providing you feedback on if a particular hop is latent, packets are being incorrectly routed, etc.

      TIP: Perform a Path Ping to the network or IP Address that you're testing to. You can find out more about Path Ping by reading the linked Microsoft Technet Article. 

      Image

    Physical Network

    1. If the above troubleshooting fails to yield an increase in throughput, it is often necessary to try removing the SonicWall from the physical network and retest the speeds. Increases in throughput when removing the SonicWall from the physical network are expected but it is important to have information on speeds with and without the SonicWall in place for further troubleshooting. It can also be beneficial to directly connect a host to the ISP handoff device and test for a throughput issue on the ISP side.

      NOTE: If speed tests show higher speeds with a host directly connected to the ISP modem/handoff device, check if the host is getting a private IP (DHCP). If the host is assigned with a private IP (DHCP) from the ISP modem, configure the WAN interface in DHCP mode instead of Static IP and test the speeds.
    2. Furthermore, we recommend doing an iPerf Test on the SonicWall to test for physical issues on the SonicWall's Interfaces. This requires that the SonicWall be taken out of the network line temporarily in order to avoid involving other network devices that could alter the results.

      TIP: Remove the SonicWall from the physical network after getting a baseline of the network throughput. Test the throughput using the same tools and note the difference. While the SonicWall is out of the network, perform an iPerf Test: How to Use iPerf to Measure Throughput on a SonicWall.

    Related Articles

    • How to change the HTTP and HTTPS management ports on UTM Appliances using CLI
    • Bandwidth usage and tracking in SonicWall
    • How to force an update of the Security Services Signatures from the Firewall GUI

    Categories

    • Firewalls > NSa Series > Networking
    • Firewalls > NSv Series > Networking
    • Firewalls > TZ Series > Networking

    Not Finding Your Answers?

    ASK THE COMMUNITY

    Was This Article Helpful?

    YESNO

    Article Helpful Form

    Article Not Helpful Form

    Company
    • Careers
    • News
    • Leadership
    • Awards
    • Press Kit
    • Contact Us
    Popular resources
    • Communities
    • Blog
    • SonicWall Capture Labs

    Stay In Touch

    • By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. You can unsubscribe at any time from the Preference Center.
    • This field is for validation purposes and should be left unchanged.
    • Facebook
    • Twitter
    • Linkedin
    • Youtube
    • Instagram

    © 2023 SonicWall. All Rights Reserved.

    • Legal
    • Privacy
    • English
    Scroll to top