Troubleshooting YouTube Caching Issue With CachePulse on ProxySG or Advanced Secure Gateway

book

Article ID: 169407

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

In previous releases, a special policy had to be installed to force YouTube videos to be cached. SGOS 6.5.x or later enables the CachePulse feature to cache YouTube videos without the need to install the policy manually.

In some cases, however, the ProxySG or Advanced Secure Gateway appliance still does not cache YouTube videos, even though the enabled CachePulse database is up to date. This article details how to troubleshoot this issue.

Resolution

Prerequisites:

1. A valid license for CachePulse with the latest update downloaded
2. An SSL interception policy to intercept YouTube traffic
3. The following policy in order to prevent an unsupported_encoding error users browse to https://www.youtube.com using Firefox or Chrome (IE is not affected):
 

define action ForceUncompressedResponse 
delete(request.header.Accept-Encoding) 
end 
 
url.domain=youtube.com action.ForceUncompressedResponse(yes) 


The following article goes into more details about the above policy: Users see Content Transformation Error Exception when browsing YouTube

If all of the above steps have been applied to configuration, YouTube video access should be cached. If the issue persists, take the following steps to further troubleshoot the issue:

  1. Make sure that the YouTube traffic is being SSL intercepted in the policy by verifying the issuer of the website certificate where the certificate issuer comes from the ProxySG and not the website itself.
  2. Create an access log to just log YouTube video traffic, then apply it in the policy. Below is an example:

client.address=10.10.10.10 url.domain=//googlevideo.com/ access_log[DiagAL](yes)
client.address=10.10.10.10 url.regex=".*playback.*"      access_log[DiagAL](yes)

Where "DiagAL" is the new access log created for this. The format could be the same as the 'main' format that used 'ELFF' type.


Example of the access logs:

2017-04-13 04:13:52 5 10.10.10.10 200 TCP_HIT 91429 1071 GET https r3---sn-onfxq0-ntqe.googlevideo.com 443 /videoplayback ...

Note the cache hit codes like the one above - "TCP_HIT".

  • TCP_MISS - Object not found in cache, downloaded from the OCS.
  • TCP_HIT - Object found in cache.
  • TCP_NC_MISS - The request was made for an object that can't be cached.
  • TCP_REFRESH_MISS - Appliance had the object in cache, but a check with the OCS (GET with the If-modified-since) indicated that the object was stale. Object was downloaded from the OCS and the new object was placed in cache.
  1. View the ProxySG's Active Sessions table on the Statistics tab to further verify this.
  2. Another useful piece of troubleshooting information is a policy trace. See Use policy tracing to debug access denied errors or website accessibility issues to learn more about policy tracing. The goal should be to make sure that there is no rule to bypass caching or SSL interception being matched on requests to YouTube.