Slow downloads on smartphones connected over AP


We have a WiFi running for our smartphones, mainly to update Android and apps. WiFi is offered through an AP55. Only smartphones can connect, based on their MAC address. There is a separate firewall rule for these connections with the following options active: HTTP scanning, block Google QUIC, detect zero day malware with Sandstorm, Scan FTP.

Unfortunately downloads are very slow. App updates take a long time and Android updates are canceled at a certain point by the smartphone itself.

As all updates are done over secure socket layer protocol and HTTPS scanning is not active, I wonder what could be the reason. I checked the IP addresses that are used during the update and always got to and so I excluded from HTTPS scanning, malware scanning and Sandstorm. But this also showed no improvement in download speed.

Currently I wonder if the throughput of the AP55 is that slow?


Does anybody have any suggestions? Thanks.

  • In reply to Bjoern Ebner:

    It should be disabled. 


    TSO is still switched on for Separate Zone Networks.

    Even when I create a new Separate Zone TSO is switched off.


    You mean after creating a new zone, it is on? 

  • In reply to LuCar Toni:

    On Sophos XG, which is on version 17.5.5, the WiFi Separate Zone Networks that already exist don't get TSO switched off.

    And even if I create a new WiFi Separate Zone Network, TSO is still switched on.

  • In reply to Bjoern Ebner:

    Just to wrap this up.


    If you experience issues with the Separate Zone connection speed, please try the following:


    Create a Bridge to AP (V)LAN to test the connection speed. If it is "much" faster, continue the next steps (just to validate the issue is connected to Separate Zone).

    Use the current Firmware. 

    (If possible), create a new Separate Zone Interface and connect a Client to Test the speed on this Interface / SSID. 

    Check the TSO Settings on the Separate Zone Interface. *Point1* 

    Check the DoS Protection on XG *Point2*




    Console> system diagnostics interface-driver-settings set <interface_name> offload tso off

    To show: Console> system diagnostics interface-driver-settings show <interface_name> offload

    • tcp-segmentation-offload: off
      tx-tcp-segmentation: off
      tx-tcp-ecn-segmentation: off
      tx-tcp6-segmentation: off






    There should not be any UDP/TCP drops. If the counter is >0, please check that XG is not dropping anything. 




    There is a current bug in V17.5 MR5-6 in case of HA: the TSO setting is not "synced" to the other appliance, therefore TSO could be enabled after a firmware update. So please verify.