Unable to access certain websites, either slow or completely failing
04/19/2021 
1468 
27029
DESCRIPTION:
Unable to access certain websites, either slow or completely failing.
RESOLUTION:
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
- Check MTU settings on the WAN interface(s). An incorrect MTU is the most common cause of web browsing issues through SonicWall UTM appliances.
Go to Network | System | Interfaces and click the pencil to edit the configuration.
Select Advanced tab | Interface MTU.
TIP:UTM: How to change the MTU size on the SonicWall UTM appliance? and UTM: How to Optimize PPPoE MTU?
- Determine if CFS is blocking the site in question due to policy. If CFS is being used, then it may be blocking the traffic to the site you are attempting to reach. Ensure that the Security Services log category is configured for logging on the Device|Log |Settings configuration screen and then check your logs for indications of CFS blocking. After determining that CFS is blocking due to policy, you must modify the categories or create a domain exclusion to allow the traffic.
TIP: For info on Content Filtering Service (CF3)3.0 for SonicOS 5.8 and above.
- Determine if CFS is blocking due to lack of host header in the first HTTP packet. CFS checks the hostname listed in the HTTP host header to determine the category of the site in question. If the first HTTP packet does not include the complete host header, then CFS will drop the connection without logging. If you are able to access the site without CFS enabled, this may be the cause. In this case, you must toggle the Enforce Host Tag Search for CFS setting on the diag.html page of the management GUI. It is recommended that you contact SonicWall technical support for assistance with this operation.
- Check whether Enable HTTP Byte-Range requests with Gateway AV the SonicWall GAV by default suppresses the use of HTTP byte-range requests to prevent the sectional retrieval and reassembly of the potentially malicious content. This is done by terminating the connection and thus preventing the user from receiving the malicious payload. By enabling this option you will override this setting.
- Navigate to Policy | Security Services | Gateway Anti-Virus | Configure.
TIP: Unable to access City or State Sponsored sites such as www.state.nj.us behind a SonicWall firewall: Unable To Access City Or State Sponsored Sites Behind A SonicWall Firewall.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
- Check MTU settings on the WAN interface(s). An incorrect MTU is the most common cause of web browsing issues through SonicWall UTM appliances.
Go to Manage | Network | Interfaces and click the pencil to edit the configuration.
Select Advanced tab | Interface MTU.
TIP: UTM: How to change the MTU size on the SonicWall UTM appliance? and UTM: How to Optimize PPPoE MTU?
- Determine if CFS is blocking the site in question due to policy. If CFS is being used, then it may be blocking the traffic to the site you are attempting to reach. Ensure that the Security Services log category is configured for logging on the Manage | Log Settings | Base Setup configuration screen and then check your logs for indications of CFS blocking. After determining that CFS is blocking due to policy, you must modify the categories or create a domain exclusion to allow the traffic.
TIP: For info on Content Filtering Service (CF3)3.0 for SonicOS 5.8 and above.
- Determine if CFS is blocking due to lack of host header in the first HTTP packet. CFS checks the hostname listed in the HTTP host header to determine the category of the site in question. If the first HTTP packet does not include the complete host header, then CFS will drop the connection without logging. If you are able to access the site without CFS enabled, this may be the cause. In this case, you must toggle the Enforce Host Tag Search for CFS setting on the diag.html page of the management GUI. It is recommended that you contact SonicWall technical support for assistance with this operation.
- Check whether Enable HTTP Byte-Range requests with Gateway AV the SonicWall GAV by default suppresses the use of HTTP byte-range requests to prevent the sectional retrieval and reassembly of the potentially malicious content. This is done by terminating the connection and thus preventing the user from receiving the malicious payload. By enabling this option you will override this setting.
- Navigate to Manage | Security Services | Gateway Anti-Virus | Configure AV Settings.
TIP: Unable to access City or State Sponsored sites such as www.state.nj.us behind a SonicWall firewall: Unable To Access City Or State Sponsored Sites Behind A SonicWall Firewall.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
- Check MTU settings on the WAN interface(s). An incorrect MTU is the most common cause of web browsing issues through SonicWall UTM appliances.
UTM: How to change the MTU size on the SonicWall UTM appliance?
UTM: How to Optimize PPPoE MTU?
- Determine if CFS is blocking the site in question due to policy. If CFS is being used, then it may be blocking the traffic to the site you are attempting to reach. Ensure that the Security Services log category is configured for logging on the Log | Categories configuration screen and then check your logs for indications of CFS blocking. After determining that CFS is blocking due to policy, you must modify the categories or create a domain exclusion to allow the traffic.
TIP: For info on Content Filtering Service (CF3)3.0 for SonicOS 5.8 and above.
- Determine if CFS is blocking due to lack of host header in the first HTTP packet. CFS checks the hostname listed in the HTTP Host header to determine the category of the site in question. If the first HTTP packet does not include the complete host header, then CFS will drop the connection without logging. If you are able to access the site without CFS enabled, this may be the cause. In this case, you must toggle the Enforce Host Tag Search for CFS setting on the diag.html page of the management GUI. It is recommended that you contact SonicWall technical support for assistance with this operation.
- Check whether Enable HTTP Byte-Range requests with Gateway AV the SonicWall GAV by default suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly of the potentially malicious content. This is done by terminating the connection and thus preventing the user from receiving the malicious payload. By enabling this option you will override this setting.
TIP: Unable to access City or State Sponsored sites such as www.state.nj.us behind a SonicWall firewall: Unable To Access City Or State Sponsored Sites Behind A SonicWall Firewall
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
