Recently, some networks that I've implemented Sonicwall devices on had a peculiarity. Mac clients running Safari wouldn't load certain pages. Any other browser would be fine. Knowing that Safari links itself to frameworks in OS X that others do not, I thought I'd start there - particularly with lookupd. That was a dead end, though. So, I started some packet captures.
From there, I could see the requests and responses (SYN, ACK, SYN/ACK) and then, the Sonicwall itself would drop the client conversation. What the heck was going on?
After a lot of poking around, I remembered that there's a 'hidden' settings page in Sonicwall devices. Simply go to http://your.ip.address/diag.html. Click on "Internal Settings" in the navigation menu. Then, please note the initial warning on the page:
"Internal Settings - to be used only at the direction of Technical Support
Warning: these settings are not documented and changing settings here could prevent proper operation of the SonicWALL. Only make such changes if instructed by SonicWALL technical support."
Seriously: don't go changing settings that you're unsure of. If you plan on forging ahead, you may want to have a dump of your config.
Scanning through the options here, I didn't see anything obvious - until I started using the tool-tip items for each choice. The "Enforce Host Tag Search for CFS" setting had this in the tool-tip:
"When CFS is enabled, the device performs additional processing and searches the host tags in HTTP headers. At times, HTTP requests may be spread across several packets with the host tag appearing in a later packet. The host tag search algorithm can encounter a problem if this happens unless this checkbox is disabled. This checkbox should be turned off if the following message in the log is seen: HTTP method detected. Examine stream for host header."

Figure 1 - Advanced setting that makes life better for Safari.
Now, I never did receive that message in the log, but this made sense. Going back and looking at the packet trace, I could see that Safari tended to split up long URLs across packets where other browsers do not, which makes the Sonicwall CFS engine flip out. Here's the bizarre thing: I never use CFS! It's a separate license, and it's not enabled on any Sonicwall I touch. Nonetheless, the CFS engine seems to always be engaged.
This is confirmed on SonicOS Enhanced 4.0.0.1-49e, and noted missing on SonicOS 2.x, so, your results may vary.
Strangely, I found nothing about this in any of my searches, even though people - other tech types - have asked me about it. Hope this helps someone out there!
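The failure mode the tool-tip describes, as an added example that is not part of the original post and is not SonicOS code: a toy per-packet Host header search next to one that reassembles the stream before searching. The function names, the 1460-byte segment size, the drop-on-miss behaviour and the sample requests are assumptions constructed for illustration.

```python
# Toy model (assumption): how a per-packet Host search fails on a split request.
METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def segment(request: bytes, mss: int = 1460) -> list:
    """Split a request into TCP-payload-sized chunks (constructed segmentation)."""
    return [request[i:i + mss] for i in range(0, len(request), mss)]

def host_in(data: bytes):
    """Return the Host header value from complete header lines in data, else None."""
    head, end, _ = data.partition(b"\r\n\r\n")
    # If the header block is incomplete, the last piece is a partial line: ignore it.
    lines = head.split(b"\r\n") if end else data.split(b"\r\n")[:-1]
    for line in lines[1:]:                      # lines[0] is the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def per_packet_inspect(segments):
    """Search only the packet that carries the HTTP method; drop on a miss."""
    first = segments[0] if segments else b""
    if not first.startswith(METHODS):
        return ("pass", None)                   # not recognised as HTTP
    host = host_in(first)
    return ("allow", host) if host else ("drop", None)

def stream_inspect(segments, max_header: int = 8192):
    """Buffer segments until the header block is complete, then search it."""
    buf = b""
    for seg in segments:
        buf += seg
        if b"\r\n\r\n" in buf:
            host = host_in(buf)
            return ("allow", host) if host else ("drop", None)
        if len(buf) > max_header:               # bound memory per connection
            break
    return ("drop", None)

# Constructed sample requests: a short one, and one whose long URL pushes
# the Host header into the second segment.
SHORT_REQ = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LONG_REQ = (b"GET /search?q=" + b"a" * 1500 +
            b" HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("short", SHORT_REQ), ("long", LONG_REQ)):
        segs = segment(req)
        print(name, len(segs), per_packet_inspect(segs), stream_inspect(segs))
```

In a packet capture, the same condition shows up as an HTTP request whose first data segment contains no complete Host line.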
Thank you!!!
Thank you!!!! I have been pulling my hair out for weeks trying to solve this one. I've done packet captures, replaced switches and base stations and more.
If you are ever in Vancouver, Washington I owe you a beer.
My Pleasure
Nate;
My pleasure, and I'm glad it helped.
Thank You so much for this post. We upgraded our sonicwall and Safari just started to hang on webpages. This worked wonders!!!
Thanks Again
You are beyond great. Your post pointed us in the right direction--the most recent iteration of the SonicWall Enhanced OS that we have does not have the "Enforce Host Tag Search for CFS" checkbox on the /diag.html page, but the same option is presented in the normal admin console by going to the "Network" area and selecting "Zones," then clicking the config (pencil/paper icon) next to the LAN and WAN interfaces, and unchecking the "Enforce content filtering service" checkbox and committing changes. The end result is the same, and Safari users will love you (and will love YOU by extension ;-) ).
Thanks so much. This fixed a different problem for me. I have several Linux servers behind the firewall and the PHP scripts on those servers were not able to pull in from external URLs. I was getting the error:
DOMDocument::load [domdocument.load]: failed to open stream: HTTP request failed!
Once I changed the SonicWall settings, all my scripts worked. Thought I would post this for anyone else looking for a possible solution.
Thank you so very very much !! Ever since we installed the Sonicwall TZ190W in our 95% Mac office everyone was disgusted that we could no longer surf NYTimes.com, CNN.com, ESPN.com, or login to AOL Webmail...... this has been going on for about two months, and I finally found your article last night, went in to the setting... and like MAGIC...... EVERYTHING was fixed.
We spent two hours on the helpline with Sonicwall with NO success whatsoever !!! They really need to be aware of this huge problem. Our Mac Specialist recommended this particular firewall but ever since it was installed the whole office had to migrate to Firefox because they weren't able to surf normally, the browser would just die..... Does Apple know about this problem ? Ug..... well anyway thank you !!!
Keywords: Apple, Safari, Leopard, Sonicwall, TZ190W, CNN, NYTimes, ESPN