Troubleshooting Network throughput, Latency, and Bandwidth Issues with a SonicWall UTM

03/26/2020 5414 63003

DESCRIPTION:

RESOLUTION:

NOTE: Please perform the following steps in the order they're presented and test the throughput after each change. 

Maximum Transmission Unit (MTU) of the WAN interface of the SonicWall

1. Click Manage in the top navigation menu.
2. Click Network | Interfaces and opening the Interface in question.
   
   The Maximum Transmission Unit size is the maximum size of an Ethernet frame being sent out through a network device. By default this value is 1500 bytes but on xDSL and cable connections this value is often lowered to achieve a more stable connection and/or better performance. Common values are: 1492 SDSL / 1460 ADSL / 1404 Cable. The MTU value is changed in increments of 8 bytes. In the SonicWall WAN interface this value is by default 1500 bytes.
   
   

   TIP: Change the MTU size after determining the optimum MTU size in order to prevent unnecessary fragmentation. Refer the following article to determine the optimum MTU value: Determining the MTU Value for Your Internet Connection.

Fragment non-VPN outbound packets larger than this Interface's MTU

1. Click Manage in the top navigation menu.
2. Click Network | Interfaces and opening the Interface in question.This checkbox setting works in tandem with MTU, and is enabled by default. Having this option enabled is a Best Practice and will help ensure the SonicWall isn't forwarding packets with a larger MTU than can be used on the Interface.
    
   

   TIP:  Enable this option under Network | Interfaces | WAN Interface | Advanced Tab.
   
   

Ignore Don't Fragment (DF) Bit

1. Click Manage in the top navigation menu.
2. Navigate to Network | Interfaces and opening the Interface in question.
3. Enabling this option would fragment packets even though the Don't Fragment bit is set. By default this option is unchecked in the WAN interface advanced settings and it is recommended to keep it unchecked.
   
   

   TIP: Disable this option under Network | Interfaces| WAN Interface | Advanced Tab.

   
   

Link Speed settings of the WAN and other Interfaces

1. Click Manage in the top navigation menu.
2. Click Network | Interfaces and opening the Interface in question.
3. By default all Interfaces on the SonicWall are set to automatically detect link speed. However, in certain deployments, the link speed settings should be manually set according to the device connected to the Interface. Please contact your ISP or device manufacturer of the device connected to the WAN Interface to find their best Duplex and Link Speed settings. Incorrect duplex settings of your WAN, for instance, would have the following harmful effects.

• Unable to negotiate a connection with the ISP
• An Inconsistent Internet connection
• Dropped Packets
• Slow Throughput
  
  

  TIP: Check with the manufacturer for all devices directly connected to a SonicWall Interface and make sure the Duplex and Link Speed Settings are optimally set. Change the relevant settings under Network | Interfaces| WAN Interface | Advanced Tab.

  
  
  

Bandwidth Management

1. Click Manage in the top navigation menu.
2. Navigate to  Firewall Settings | Bandwidth Management.
3. You can apply bandwidth management to both outbound and inbound traffic on the Interfaces associated with the WAN Zone. Enabling it entails entering the bandwidth values (in Kbps) available for the Interface. Bandwidth management will cause throughput degradation if incorrectly configured.
   

   EXAMPLE: If Bandwidth Management has been enabled on an Interface without specifying the bandwidth values, inbound and outbound traffic traversing that link will be throttled to the default values (384Kbps).
    

   TIP: Disable Bandwidth Management if not required via Firewall Settings | Bandwidth Management on the SonicWall GUI.

    

Enable Fragmented Packet Handling in VPN Advanced Settings

1. Click Manage in the top navigation menu.
2. Navigate to VPN | Advanced Settings.
3. enabling fragmentation would help SonicWall handle fragmented IPsec packets. This can affect the SonicWall's WAN throughput if any VPN policies are configured and Enabled, even if they aren't established.
   
   
   

   TIP: It is recommended to enable this option and leave the Ignore DF Bit option unchecked under VPN | Advanced Settings on the SonicWall GUI.

Allow Fragmented Packets in Access Rules

1. Click Manage in the top navigation menu.
2. Navigate to Rules | Access Rules and configuring the desired access rule.
3. This option is Enabled by default and the best practice would be to keep it enabled.
   
   

   TIP: Make sure that all Access Rules under Rules | Access Rules have the Allow Fragmented Packets Checkbox Enabled.

Check the Connections Monitor to determine whether hosts on the network are using large number of connections

1. Click Investigate in the top navigation menu.
2. Click Connections Logs.
3. If a host in the network is infected with malware it will often open, at random, hundreds or thousands of connections to the Internet or internal resources. The Connections Monitor displays real-time views of all connections to and through the SonicWall security appliance allowing you to find infected hosts and remove them from the network.
   

   TIP:Isolate the affected host and remove it from the network. The Connection Monitor is available under Investigate in the top navigation menu | Connection Logs.

   
   

Set Name Resolution to None

1. Click Manage in the top navigation menu.
2. Navigate to Log Settings | Name Resolution.High traffic networks will result in high amounts of DNS queries for the SonicWall as it attempts to generate log entries. By default, the SonicWall will populate the DNS Address for log entries resulting from Security Services, firewall Access Rules, and the like.
   
   

   TIP: Change Name Resolution under Log Settings | Name Resolution to None.

   
   

Performance Optimized Security Services

1. Click Manage in the top navigation menu.
2. Navigate to  Security Services | Base Setup.
3. For throughput Best Practices we recommend setting the Security Services Settings to Performance Optimized. This will inspect and block packets who match Signatures matching Medium or High Priority Threat probability. Blocking Low Threat Probability traffic will unnecessarily drop packets such as ICMP and is not recommended for most deployments.
   

   TIP: Change Security Services Settings under Security Services | Base Setup to Performance Optimized. Also Disable Low Priority Attacks under Prevent All for both Intrusion Prevention and Anti-Spyware.
   
   

Path Ping to a Remote Network

1. To help rule out or prove an issue with a device or network above the SonicWall you can use Path Ping. This command line utility will both Ping and track the latency on the route to a target destination, providing you feedback on if a particular hop is latent, packets are being incorrectly routed, etc.
   

   TIP: Perform a Path Ping to the network or IP Address that you're testing to. You can find out more about Path Ping by reading the linked Microsoft Technet Article. 

   

Physical Network

1. If the above troubleshooting fails to yield an increase in throughput, it is often necessary to try removing the SonicWall from the physical network and retest the speeds. Increases in throughput when removing the SonicWall from the physical network are expected but it is important to have information on speeds with and without the SonicWall in place for further troubleshooting. It can also be beneficial to directly connect a host to the ISP handoff device and test for a throughput issue on the ISP side.
2. Furthermore, we recommend doing an iPerf Test on the SonicWall to test for physical issues on the SonicWall's Interfaces. This requires that the SonicWall be taken out of the network line temporarily in order to avoid involving other network devices that could alter the results.
   
   

   TIP: Remove the SonicWall from the physical network after getting a baseline of the network throughput. Test the throughput using the same tools and note the difference. While the SonicWall is out of the network, perform an iPerf Test: How to Use iPerf to Measure Throughput on a SonicWall.