WAN Connectivity and Self-diagnosis (MTU)

03/26/2020

    Description

    Troubleshooting: WAN Connectivity and Self-diagnosis (MTU)

    Resolution

    1. What kinds of issues may be caused by MTU

    The bandwidth of your WAN connection is sufficient for WAN applications (including VPN), but you are encountering the following issues:
    1. You can open only some of the pages of a website.
    2. For some online applications (e.g. games, videos), the speed sometimes becomes noticeably slower.
    3. Applications on some websites are stuck or blocked even though no blocking policy (App Rule) is configured.

    In summary, if there is no packet drop but the Internet speed is sometimes fast and sometimes slow, the problem may well be caused by an improper MTU value.

    2. Root Cause Analysis

    2.1 MTU and Related Concepts

    When an IPv4 packet reaches a device whose MTU is smaller than the packet size, the device handles the packet according to the DF option bit. If the DF bit is set, the device drops the packet and sends back an "ICMP Fragmentation Needed" message containing its MTU. If the DF bit is not set, the packet is fragmented and sent on to the destination.

    • MTU (Maximum Transmission Unit): The maximum size (in bytes) of the largest protocol data unit that the layer can pass onwards. MTU parameters usually appear in association with a communications interface.
    • PMTU (Path Maximum Transmission Unit): The smallest MTU on the full transmission path (between the source and the destination node).
    • PMTU Discovery: A technique for determining the MTU size on the network path, with the goal of avoiding IP fragmentation.
    • DF Bit: DF (Don't Fragment) bit in the IP header.

    2.2 Why MTU may lead to such problems

    PMTU Black Hole: In today's networks, a source device that supports PMTU Discovery sets the DF option bit in the IP header of each packet. When a device with a smaller MTU receives the packet, it sends back an ICMP message containing its MTU size. The source adjusts the packet size according to the received message, so that subsequent packets do not exceed the PMTU and are transmitted without fragmentation. During transmission, however, the packet may encounter a PMTU black hole: when the packet with the DF option bit set arrives at a device (e.g. a router) with a smaller MTU, the device drops the packet without sending back an ICMP message. In this scenario the source device cannot discover the PMTU and keeps sending packets at the larger size. As a result, the application is blocked.


    Poor Fragmentation Capability: A packet travelling from the source to the destination may traverse a large number of devices from various vendors. Some of these devices may have poor fragmentation performance. When application data has to traverse a device with poor fragmentation and reassembly capability, the online application traffic may become slow or even be blocked.


    Influences from Security Devices: In principle, fragmentation and reassembly of an Internet application packet occur only at the source and destination devices. However, when a fragmented packet traverses a network monitor or security appliance, that device may need to reassemble the fragments for its own purposes (e.g. security requirements). This behavior may further slow the application's traffic and even cause loss of connectivity.


    3. How to Troubleshoot:

    • Step 1. Check whether you are encountering the issues listed in section 1.

    Internet speed is sometimes fast and sometimes slow, or some web pages cannot be opened.

    • Step 2. Check whether any relevant policy is enabled (e.g. a CFS Policy or App Rule that may block or apply flow control to the application): log in to the firewall and navigate to the Security Services | Content Filter and Firewall | App Rules pages.


    • Step 3. If no related policy has been configured, navigate to System | Packet Monitor and capture packets on the WAN interface to check whether any application-related packets are being dropped.

    Note: If no packets are reported as dropped, there is a strong possibility that the issue is caused by MTU.

    • Step 4. Go to System | Diagnostics. From version 5.9 and above, the SonicWall firewall provides a PMTU Discovery tool. Enter the IP address or host name of the online application and click Go; the system reports the PMTU.

    Note: If there is no result, there may be a PMTU black hole. Go to Step 5.

    • Step 5. If the PMTU Discovery tool returns no result, use the following table of default MTUs for various network types as a reference.

    Network Type    MTU (Bytes)    Reference
    Max Value       65535          RFC 791
    Min Value       68             RFC 791
    FDDI            4352
    Ethernet        1500
    IEEE 802.3      1492
    PPPoE           1492
    Cisco GRE       1476
    X.25            576
    PPP             296

     

    • Step 6. Set the appropriate value on the WAN interface of the firewall (the default value is 1500). Go to the Network | Interface page, click the Edit button of the WAN interface, click the Advanced tab, and set the value in the Interface MTU field.

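    The DF-bit handling from section 2.1 and the "no result" case from Step 4, as an added example: a simulation written for this page, not SonicWall code and not the firewall's PMTU Discovery tool. Hop names, path order and function names are assumptions; the MTU values come from the table in Step 5. It goes slightly beyond the text by also showing a binary search with DF-set probes, which still finds the PMTU when a hop drops packets silently.

```python
from dataclasses import dataclass

IP_ICMP_OVERHEAD = 28              # 20-byte IPv4 header + 8-byte ICMP echo header
MIN_MTU, ETHERNET_MTU = 68, 1500   # values from the MTU table in Step 5

@dataclass
class Hop:
    name: str                 # hypothetical label, for readability only
    mtu: int
    sends_icmp: bool = True   # False models a PMTU black hole

def send(path, size, df=True):
    """Forward one IPv4 packet of `size` bytes; return (status, reported_mtu)."""
    fragmented = False
    for hop in path:
        if size <= hop.mtu:
            continue
        if not df:                 # DF clear: hop fragments, largest piece goes on
            fragmented, size = True, hop.mtu
        elif hop.sends_icmp:       # DF set: drop and send ICMP Fragmentation Needed
            return "frag_needed", hop.mtu
        else:                      # DF set, no ICMP reply: silent drop
            return "dropped", None
    return ("fragmented" if fragmented else "delivered"), None

def classic_pmtud(path, size=ETHERNET_MTU):
    """ICMP-driven discovery: shrink to each reported MTU; None on a silent drop."""
    while True:
        status, mtu = send(path, size)
        if status == "delivered":
            return size
        if status == "dropped":
            return None
        size = mtu

def probe_pmtu(path, low=MIN_MTU, high=ETHERNET_MTU):
    """Binary search with DF-set probes, using only delivered / not delivered."""
    if send(path, low)[0] != "delivered":
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if send(path, mid)[0] == "delivered":
            low = mid
        else:
            high = mid - 1
    return low

def ping_payload(mtu):
    """ICMP echo data size that yields an IPv4 packet of exactly `mtu` bytes."""
    return mtu - IP_ICMP_OVERHEAD

# Constructed sample paths: Ethernet LAN, then PPPoE, then a GRE tunnel.
OPEN_PATH = [Hop("lan", 1500), Hop("pppoe", 1492), Hop("gre", 1476)]
BLACKHOLE_PATH = OPEN_PATH[:2] + [Hop("gre", 1476, sends_icmp=False)]
```

    On the black-hole path the ICMP-driven method stops at the silent hop, while the probe search converges on 1476, the value that would then be entered in the Interface MTU field in Step 6.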

    Categories

    • Firewalls > TZ Series
    • Firewalls > SonicWall SuperMassive E10000 Series
    • Firewalls > SonicWall SuperMassive 9000 Series
    • Firewalls > SonicWall NSA Series
