Safari and Sonicwall

Recently, some networks that I've implemented Sonicwall devices on had a peculiarity. Mac clients running Safari wouldn't load certain pages. Any other browser would be fine. Knowing that Safari links itself to frameworks in OS X that others do not, I thought I'd start there - particularly with lookupd. That was a dead end, though. So, I started some packet captures.

From there, I could see the requests and responses (SYN, ACK, SYN/ACK) and then, the Sonicwall itself would drop the client conversation. What the heck was going on?

After a lot of poking around, I remembered that there's a 'hidden' settings page in Sonicwall devices. Simply go to http://your.ip.address/diag.html. Click on "Internal Settings" in the navigation menu. Then, please note the initial warning on the page:

"Internal Settings - to be used only at the direction of Technical Support

Warning: these settings are not documented and changing settings here could prevent proper operation of the SonicWALL. Only make such changes if instructed by SonicWALL technical support."

Seriously: don't go changing settings that you're unsure of. If you plan on forging ahead, you may want to have a dump of your config.

Scanning through the options here, I didn't see anything obvious - until I started using the tool-tip items for each choice. The " Enforce Host Tag Search for CFS" setting had this in the tool-tip:

"When CFS is enabled, the device performs additional processing and searches the host tags in HTTP headers. At times, HTTP requests may be spread across several packets with the host tag appearing in a later packet. The host tag search algorithm can encounter a problem if this happens unless this checkbox is disabled. This checkbox should be turned off if the following message in the log is seen: HTTP method detected. Examine stream for host header."

Sonicwall Diag

Figure 1 - Advanced setting that makes life better for Safari.

Now, I never did receive that message in the log, but this made sense. Going back and looking at the packet trace, I could see that Safari tended to split up long URLs across packets where other browsers do not, which makes the Sonicwall CFS engine flip out. Here's the bizarre thing: I never use CFS! It's a separate license, and it's not enabled on any Sonicwall I touch. None-the-less, the CFS engine seems to always be engaged.

This is confirmed on SonicOS Enhanced 4.0.0.1-49e, and noted missing on SonicOS 2.x, so, your results may vary.

Strangely, I found nothing about this in any of my searches, even though people - other tech types - have asked me about it. Hope this helps someone out there!

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Thank you!!!

Thank you!!!! I have been pulling my hair out for weeks trying to solve this one. I've done packet captures, replaced switches and base stations and more.

If you are ever in Vancouver, Washington I owe you a beer.

My Pleasure

Nate;

My pleasure, and I'm glad it helped.

Thank You so much for this

Thank You so much for this post. We upgraded our sonicwall and Safari just started to hang on webpages. This worked wonders!!!
Thanks Again

You are beyond great. Your

You are beyond great. Your post pointed us in the right direction--the most recent iteration of the SonicWall Enhanced OS that we have does not have the "Enforce Host Tag Search for CFS" checkbox on the /diag.html page, but the same option is presented in the normal admin console by going to the "Network" area and selecting "Zones," then clicking the config (pencil/paper icon) next to the LAN and WAN interfaces, and unchecking the "Enforce content filtering service" checkbox and committing changes. The end result is the same, and Safari users will love you (and will love YOU by extension ;-) ).

Thanks so much. This fixed a

Thanks so much. This fixed a different problem for me. I have several Linux servers behind the firewall and the PHP scripts on those servers were not able to pull in from external URLs. I was getting the error:

DOMDocument::load [domdocument.load]: failed to open stream: HTTP request failed!

Once I changed the SonicWall settings, all my scripts worked. Thought I would post this for anyone else looking for a possible solution.

Thank you so very very much

Thank you so very very much !! Ever since we installed the Sonicwall TZ190W in our 95% Mac office everyone was disgusted that we could no longer surf NYTimes.com, CNN.com, ESPN.com, or login to AOL Webmail...... this has been going on for about two months, and I finally found your article last night, went in to the setting... and like MAGIC...... EVERYTHING was fixed.
We spent two hours on the helpline with Sonicwall with NO success whatsoever !!! They really need to be aware of this huge problem. Our Mac Specialist recommended this particular firewall but ever since it was installed the whole office had to migrate to Firefox becuase they werent able to surf normally, the browser would just die..... Does Apple know about this problem ? Ug..... well anyway thank you !!!

Keywords: Apple, Safari, Leopard, Sonicwall, TZ190W, CNN, NYTimes, ESPN

Our Macs Thank You! I

Our Macs Thank You!

I noticed a perceived slow-down issue on our macs just after upgrading our sonicwall. You could see both firefox and safari unable to load certain files form certain domains. Our admin came across this post and voilĂ  it worked immediately.

Safari handled the problem the worst, often times completely stalling or unable to reach domains.

Anyhow, thanks for posting this, I hope others come across it if they're having trouble as well.

Simply...eureka! I have been

Simply...eureka!

I have been hassling with this sudden and practically inexplicable behavior since the year started, not being able to suss out exactly what part of the connection logic or path might be blamed for stalling or breaking every one of my K-8 users at a small parochial school. I had just convinced the principal to score a SW NSA 240 to replace the Pro 230 that had been end-of-lifed some years back (while SW would continue to sell us a content filter sub with absolutely NO support express or implied, the cost of doing that compared with the 'new' little 240's bundle price made it easy to make a case for the upgrade). But I had also done the biz-as-usual Safari 3.2.1 update that appeared about the same time, so when users' immediate, widespread reports of certain (mostly portal: Yahoo, AOL, Hotmail, etc.) URLs becoming suddenly unavailable, the config of the new router became the prime suspect. At least to the one or two tech-savvy end users.

But what let the new firewall off the hook at that moment and made it look like a classic red herring was the immediate discovery that Firefox would have no problem loading the same sites on the same machine. How could/would a firewall discriminate vis a via a host's web browser in such a definite, absolute manner?

Well, it looks like you found and provide the answer here, Ed. I'm not crazy after all. Nor are the suspicious users who I pooh-poohed regarding the SonicWall. I'm off to check the "hidden" settings you reference above.

Thanks,
Bob Gore

Well, glad it helped. It's

Well, glad it helped. It's not that the SonicWall is discriminating against Safari per se...it's just that Safari splits the requests across packets differently than, well, anything else!

I was glad to find a fix, too, as I really like SonicWall devices otherwise.

Many thanks! I think your

Many thanks! I think your solution has (fingers crossed) fixed the issue for us. FYI for other folks I am running a SonicWall NSA 3500 Series device with the latest firmware (SonicOS Enhanced 5.2.0.1-21o). Our Mac users are all on Mac OS X 10.5.6, using both the up-to-date Safari 3 and a couple users of the new Safari 4 beta, both of which were having browsing problems until the fix recommended here. Thanks for taking the time to write this up. Blessings, j.

Edward, Many...many...many

Edward,

Many...many...many THANKS!

We recently upgraded to a new SonicWall 5060 and ran into this issue.
You saved me a ton of trouble!

My friend, I owe you some margaritas!

No, really! Send me your email and I'll paypal you some cash.

Thanks a lot....

-Efren