Slow downloads on smartphones connected over AP

Question

Hi, 
 we have a WiFi running for our smartphones mainly to update Android and apps. WiFi is offered through an AP55. Only smartphones can connect based on their MAC address. There is an own firewall rule for these connections with the following options active: HTTP scanning, block Google QUIC, detect zero day malware with Sandstorm, Scan FTP. 
 Unfortunately downloads are very slow. App updates take a long time and Android updates are canceled at a certain point by the smartphone itself. 
 As all updates are done over secure socket layer protocol and HTTPS scanning is not active I wonder what could be the reason. I checked the IP addresses that are used during update and always got to https://r3---sn-h0jeened.gvt1.com/ and https://r4---sn-h0jeened.gvt1.com/ so I excluded gvt1.com from HTTPS scanning, malware scanning and sandstorm. But also this showed no improvement on download speed. 
 Currently I wonder if the throughput of the AP55 is that slow? 
 
 Does anybody have any suggestions? Thanks.

FloSupport · Accepted Answer

Hi Mike Hinnenkamp 
 Apologies for the delayed response and for any inconvenience caused. 
 The permanent fix for this issue ( NC-40091 ) is scheduled to be included in the upcoming SFOS v17.5.4 MR-4 version, expected to be released in late March or early April.

LuCar Toni · Answer

Just to wrap this up. If you experience Issues in the Separate Zone Connection Speed, please try following: Create a Bridge to AP (V)LAN to test the connection speed. If it is "much" faster, continue the next steps (just to validate the issue is connected to Separate Zone). Use the current Firmware. (If possible), create a new Separate Zone Interface and connect a Client to Test the speed on this Interface / SSID. Check the TOS Settings on the Separate Zone Interface. *Point1* Check the DOS Protection on XG *Point2* Point1: Console> system diagnostics interface-driver-settings set < interface_name > offload tso off To show: Console> system diagnostics interface-driver-settings show < interface_name > offload tcp-segmentation-offload : off tx-tcp-segmentation: off tx-tcp-ecn-segmentation: off tx-tcp6-segmentation: off Point2: There should not be any UDP/TCP Drops, if the counter is >0, please check, if XG is not dropping anything. Point1.1 There is a current Bug in V17.5 MR5-6 in Case of HA, that the TOS Settings is not "sync" to the other appliance, therefore the TOS Could be enabled after Firmware Update. So please Verify.

SaschaParis · Answer

TBH I don't expect MTU to be the root cause of your slowness. Google Play and some other on Android often used services doesn't play well with AV scanning or MITM of the proxy. Especially AV scanning might create delays which can interrupt downloads and let them fail 
 
 I collected over time following list of UTL's, which I exculde from everything (HTTPS, Sandstorm and AV and Policy) in the web proxy 
 
 ^([A-Za-z0-9.-]*\.)?ytimg\.com\/ 
 ^([A-Za-z0-9.-]*\.)?gvt1\.com\/ 
 ^android\.clients\.google\.com\/ 
 ^play\.googleapis\.com\/ 
 ^([A-Za-z0-9.-]*\.)?googleapis\.com\/ 
 ^connectivitycheck\.gstatic\.com\/ 
 ^([A-Za-z0-9.-]*\.)?googleusercontent\.com\/ 
 ^([A-Za-z0-9.-]*\.)?ggpht\.com\/ 
 ^([A-Za-z0-9.-]*\.)?youtube\.com\/ 
 ^youtubei\.googleapis\.com\/ 
 
 works fine for me. As I also have Sophos AV (SMSEC) installed on my android phones, bypassing those sites from scanning will not hurt too much. If your phone is updating via mobile networks, you're also no better protected ;o) 
 
 /Sascha

dja · Answer

After many many many tests we now have a solution for us. Indeed the MTU is the key. MSS remains unchanged. We changed our MTU to 1400, now everything works fast. 
 Connect via SSH > 5. Device Management > 3. Advanced Shell: ifconfig <wifi_name> mtu 1400 
 This is only a non-persistent solution. Sophos Support will create a startup-script for us, so this value will be set on every appliance boot.

dja · Answer

Thanks to FloSupport we now have a solution that is probably boot- and update-safe: We have set MTU back to default and disabled TCP Segmentation Offloading. This achieves the same performance as custom MTU. Here is his guide: Console> system diagnostics interface-driver-settings set < interface_name > offload tso off To show: Console> system diagnostics interface-driver-settings show < interface_name > offload tcp-segmentation-offload : off tx-tcp-segmentation: off tx-tcp-ecn-segmentation: off tx-tcp6-segmentation: off To revert back, simply: Console> system diagnostics interface-driver-settings set < interface_name > offload tso on

LuCar Toni · Answer

As far as i know, Support found the reason and is already working on a Patch. Would expect it for next MR Release. 
 FloSupport can you track this?