Unable to access certain websites, either slow or completely failing

08/19/2021 1551 28545

DESCRIPTION:

Unable to access certain websites, either slow or completely failing.

RESOLUTION:

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

1. Check MTU settings on the WAN interface(s).  An incorrect MTU is the most common cause of web browsing issues through SonicWall UTM appliances.
   Go to Network | System | Interfaces and click the pencil to edit the configuration.
   Select Advanced tab | Interface MTU.
   
      
   
   TIP:UTM: How to change the MTU size on the SonicWall UTM appliance? and UTM: How to Optimize PPPoE MTU?    
   
2. Determine if CFS is blocking the site in question due to policy.  If CFS is being used, then it may be blocking the traffic to the site you are attempting to reach.  Ensure that the Security Services log category is configured for logging on the Device|Log |Settings  configuration screen and then check your logs for indications of CFS blocking.  After determining that CFS is blocking due to policy, you must modify the categories or create a domain exclusion to allow the traffic.
   
       
   
    TIP: For info on Content Filtering Service (CF3)3.0 for SonicOS 5.8 and above.
   
3. Determine if CFS is blocking due to lack of host header in the first HTTP packet.  CFS checks the hostname listed in the HTTP host header to determine the category of the site in question.  If the first HTTP packet does not include the complete host header, then CFS will drop the connection without logging.  If you are able to access the site without CFS enabled, this may be the cause.  In this case, you must toggle the Enforce Host Tag Search for CFS setting on the diag.html page of the management GUI.  It is recommended that you contact SonicWall technical support for assistance with this operation.
   
         
   
   
4. Check whether Enable HTTP Byte-Range requests with Gateway AV  the SonicWall GAV by default  suppresses the use of HTTP byte-range requests to prevent the sectional retrieval and reassembly of the potentially malicious content. This is done by terminating the connection and thus preventing the user from receiving the malicious payload. By enabling this option you will override this setting.
5. Navigate to Policy | Security Services | Gateway Anti-Virus | Configure.
   
        
   
                         
   

 TIP: Unable to access City or State Sponsored sites such as www.state.nj.us behind a SonicWall firewall: Unable To Access City Or State Sponsored Sites Behind A SonicWall Firewall.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

1.  Check MTU settings on the WAN interface(s).  An incorrect MTU is the most common cause of web browsing issues through SonicWall UTM appliances.
   Go to Manage | Network | Interfaces and click the pencil to edit the configuration.
   Select Advanced tab | Interface MTU.
   
   
   TIP: UTM: How to change the MTU size on the SonicWall UTM appliance? and UTM: How to Optimize PPPoE MTU?    
   
   
2. Determine if CFS is blocking the site in question due to policy.  If CFS is being used, then it may be blocking the traffic to the site you are attempting to reach.  Ensure that the Security Services log category is configured for logging on the Manage | Log Settings | Base Setup configuration screen and then check your logs for indications of CFS blocking.  After determining that CFS is blocking due to policy, you must modify the categories or create a domain exclusion to allow the traffic.
   
   

   TIP: For info on Content Filtering Service (CF3)3.0 for SonicOS 5.8 and above.

3. Determine if CFS is blocking due to lack of host header in the first HTTP packet.  CFS checks the hostname listed in the HTTP host header to determine the category of the site in question.  If the first HTTP packet does not include the complete host header, then CFS will drop the connection without logging.  If you are able to access the site without CFS enabled, this may be the cause.  In this case, you must toggle the Enforce Host Tag Search for CFS setting on the diag.html page of the management GUI.  It is recommended that you contact SonicWall technical support for assistance with this operation.
   
   
   
4. Check whether Enable HTTP Byte-Range requests with Gateway AV  the SonicWall GAV by default  suppresses the use of HTTP byte-range requests to prevent the sectional retrieval and reassembly of the potentially malicious content. This is done by terminating the connection and thus preventing the user from receiving the malicious payload. By enabling this option you will override this setting.
5. Navigate to Manage | Security Services | Gateway Anti-Virus | Configure AV Settings.  
   

   TIP: Unable to access City or State Sponsored sites such as www.state.nj.us behind a SonicWall firewall: Unable To Access City Or State Sponsored Sites Behind A SonicWall Firewall.
   
   
   
   

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

1. Check MTU settings on the WAN interface(s).  An incorrect MTU is the most common cause of web browsing issues through SonicWall UTM appliances.
   UTM: How to change the MTU size on the SonicWall UTM appliance? 
   UTM: How to Optimize PPPoE MTU? 
   
   
2. Determine if CFS is blocking the site in question due to policy.  If CFS is being used, then it may be blocking the traffic to the site you are attempting to reach.  Ensure that the Security Services log category is configured for logging on the Log | Categories configuration screen and then check your logs for indications of CFS blocking.  After determining that CFS is blocking due to policy, you must modify the categories or create a domain exclusion to allow the traffic.
   

   TIP: For info on Content Filtering Service (CF3)3.0 for SonicOS 5.8 and above.

3. Determine if CFS is blocking due to lack of host header in the first HTTP packet.  CFS checks the hostname listed in the HTTP Host header to determine the category of the site in question.  If the first HTTP packet does not include the complete host header, then CFS will drop the connection without logging.  If you are able to access the site without CFS enabled, this may be the cause.  In this case, you must toggle the Enforce Host Tag Search for CFS setting on the diag.html page of the management GUI.  It is recommended that you contact SonicWall technical support for assistance with this operation.
   
4. Check whether Enable HTTP Byte-Range requests with Gateway AV  the SonicWall GAV by default  suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly of the potentially malicious content. This is done by terminating the connection and thus preventing the user from receiving the malicious payload. By enabling this option you will override this setting.
   
   

   TIP: Unable to access City or State Sponsored sites such as www.state.nj.us behind a SonicWall firewall: Unable To Access City Or State Sponsored Sites Behind A SonicWall Firewall