Performance issues when Webex traffic is sent via TCP through the WSS
1.) Degraded or poor user experience, specific to audio/video quality.
2.) Webex audio and video statistics indicate varying amounts of packet loss/latency (~10%).
Cisco Webex Meetings - Using TCP as the primary protocol for connecting to meetings.
Web Security Service - Any Access Method
This is the expected behavior when TCP is used as the primary protocol for connecting to Webex meetings and that traffic is sent through the WSS.
See Cisco's documentation on network requirements for Webex: Network-Requirements-for-Cisco-Webex
Note from Cisco:
Special note: UDP is recommended vs. TCP when configuring your media ports. The client will perform a test to attempt connection on UDP 9000. If this port is closed, the connection will fail back to TCP. Please ensure that UDP 9000 is open outbound and return traffic is allowed back inbound. The connection is always initiated outbound from the Webex client to the Webex Server.
Using TCP in a near congested network will cause retransmissions, which in turn can create a choppy video or low bandwidth error experience. UDP does not retransmit, and will provide a better video experience.
UDP is the recommended protocol for anything voice or video related. If this is not possible, it is important that the traffic arrive at the server with as little overhead as possible.
Webex TCP packets are already encrypted with TLS between the client and the destination server. Encapsulating those packets a second time in an encrypted tunnel (IPsec) to the WSS proxy adds a large amount of overhead relative to what a live audio/video stream tolerates. Adjust the configuration in one of two ways:
A.) Add a bypass on the firewall or in the PAC file so that Webex TCP traffic is not sent through the WSS.
B.) If using IPsec or the Unified Agent to connect to the WSS, ensure UDP port 9000 is open outbound on the firewall so that the Webex client can determine that UDP is usable. This traffic passes through the WSS with very little overhead and is the best option when bypassing the WSS for Webex traffic is not possible.
Note: UDP is not effectively proxied by the WSS, so UDP traffic sent via an explicit proxy configuration would likely fail. When sent transparently (IPsec or Unified Agent), UDP traffic is accommodated by the WSS, though inspection and/or authentication of it is limited.
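The following PAC-file logic illustrates resolution A above: Webex hosts are returned DIRECT while everything else continues to the WSS proxy. It is an added example, not from this article, Cisco or Symantec; the ".webex.com" suffix, the proxy string and the dnsDomainIs() stand-in are assumptions, and the real list of Webex domains must be taken from Cisco's network requirements document.

```javascript
// Added example of a WSS PAC-file bypass for Webex (resolution A).
// Assumptions: ".webex.com" stands in for the domains listed in Cisco's
// network requirements document; the proxy string is a placeholder for the
// WSS proxy entry in your own PAC file.
var WEBEX_BYPASS = [".webex.com"];
var WSS_PROXY = "PROXY wss-proxy.example.invalid:8080";

// PAC engines in browsers and agents supply dnsDomainIs(); this stand-in
// mirrors the standard behaviour (host ends with the domain suffix) so the
// bypass logic can be exercised offline with the assertions below.
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}

// True when host is one of the bypassed Webex domains or a sub-domain of it.
function isWebexHost(host) {
  for (var i = 0; i < WEBEX_BYPASS.length; i++) {
    var d = WEBEX_BYPASS[i];
    if (dnsDomainIs(host, d) || host.toLowerCase() === d.slice(1)) {
      return true;
    }
  }
  return false;
}

// Entry point the PAC engine calls for every HTTP(S) request. Note that PAC
// only steers TCP web traffic; the UDP 9000 media path in resolution B is a
// firewall matter and is not affected by this file.
function FindProxyForURL(url, host) {
  if (isWebexHost(host)) {
    return "DIRECT";          // Webex TCP media/signalling bypasses the WSS
  }
  return WSS_PROXY;           // all other web traffic goes to the WSS proxy
}
```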