tedauction
New Member
June 20, 2018
Question

QUIC protocol


Hello, we have a large number of Google Chrome users. I am starting to hear the odd complaint about slow connections to some sites on the internet. As a test I disabled the QUIC protocol (UDP 443) in the web browsers at one site, and the complaints stopped. In addition, we also block QUIC on our firewall.

So it would seem that browsers were failing to communicate via QUIC and then either stalling or taking too long to revert to TCP 443.

 

Are any of you other network engineers seeing the same sort of problem? I was considering disabling QUIC in all Chrome browsers company-wide.


    emnoc
    New Member
    June 20, 2018

    Monitor chrome://net-internals for QUIC, but no, I never heard of this. Also, did you monitor the firewall policy and service object?

    Do you have any TLS inspection going? (IIRC FortiOS still can't inspect DTLS.)

     

    http://socpuppet.blogspot.com/2016/10/how-to-force-quic-connections-with.html

     

     

    BTW: I do not know of one firewall vendor that can decrypt QUIC.

    DLGmail
    New Member
    August 4, 2018

    Hi, 

    What you may have encountered is excessive traffic on your network.

    As far as I know, FortiGates cannot perform SSL inspection when traffic uses QUIC.

    By blocking QUIC, Google Chrome does fail over to HTTP/HTTPS, which can be inspected and blocked.

     

    cacsci
    Visitor III
    March 26, 2019

    Went through a couple of weeks of trying different debug/troubleshooting steps to figure this out with support. Turns out QUIC was triggering UDP Flood DoS policies. When we disabled the UDP Flood DoS setting or adjusted the rate limit to much higher levels (2000 default -> 50000), we had normal throughput again with QUIC enabled.

     

    Test it with the UDP Flood DoS policy disabled and if it works then turn it back on and adjust the final rate limit accordingly.
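
To check whether QUIC is what trips the UDP Flood DoS policy before changing the rate limit, the anomaly log can be summarised by protocol and port. The script below is an added example, not part of the thread: the sample lines are constructed, and the key=value field names and the "N > threshold T" message wording are assumptions modelled on FortiGate-style anomaly logs.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample lines (not from the thread). Field names and message
# wording are assumptions; adjust them to match your own log export.
SAMPLE_LOG = '''\
date=2019-03-26 time=09:14:02 subtype="anomaly" srcip=10.1.20.15 dstip=203.0.113.10 dstport=443 proto=17 attack="udp_flood" msg="anomaly: udp_flood, 2001 > threshold 2000, repeats 41 times"
date=2019-03-26 time=09:14:32 subtype="anomaly" srcip=10.1.20.15 dstip=203.0.113.10 dstport=443 proto=17 attack="udp_flood" msg="anomaly: udp_flood, 4870 > threshold 2000, repeats 388 times"
date=2019-03-26 time=09:15:10 subtype="anomaly" srcip=10.1.20.44 dstip=203.0.113.27 dstport=443 proto=17 attack="udp_flood" msg="anomaly: udp_flood, 3120 > threshold 2000, repeats 97 times"
date=2019-03-26 time=09:16:45 subtype="anomaly" srcip=10.1.30.7 dstip=198.51.100.53 dstport=53 proto=17 attack="udp_flood" msg="anomaly: udp_flood, 2600 > threshold 2000, repeats 12 times"
date=2019-03-26 time=09:17:03 subtype="anomaly" srcip=10.1.30.9 dstip=198.51.100.8 proto=1 attack="icmp_flood" msg="anomaly: icmp_flood, 300 > threshold 250, repeats 3 times"
'''

RATE_RE = re.compile(r"(\d+) > threshold (\d+)")

def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def summarize(log_text):
    """Count udp_flood hits and report how many were QUIC (UDP/443)."""
    sources = defaultdict(int)
    stats = {"udp_flood_hits": 0, "quic_hits": 0,
             "threshold": None, "peak_quic_rate": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("attack") != "udp_flood":
            continue                      # other anomaly types are out of scope
        stats["udp_flood_hits"] += 1
        if rec.get("proto") != "17" or rec.get("dstport") != "443":
            continue                      # UDP flood hit, but not QUIC
        stats["quic_hits"] += 1
        sources[rec.get("srcip", "?")] += 1
        m = RATE_RE.search(rec.get("msg", ""))
        if m:                             # observed rate vs configured limit
            stats["peak_quic_rate"] = max(stats["peak_quic_rate"], int(m.group(1)))
            stats["threshold"] = int(m.group(2))
    stats["quic_sources"] = dict(sources)
    return stats

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

If most hits are UDP/443 from ordinary client addresses, the policy is dropping QUIC rather than a flood, and the observed peak rate gives a starting point for the adjusted limit.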