
Users on a specific VLAN (Marketing) are unable to load videos from youtube.com


Article ID: 257274


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users accessing Cloud SWG via VeloCloud IPSEC routers.

When users are on a specific Marketing VLAN (172.16.104.x) on the internal network, they are unable to play YouTube videos. They can browse to the website and click a video, but playback gets stuck on the spinning loading circle and gets no further.

When impacted users are moved to a different internal VLAN, playback starts working straight away.

As a workaround we have routed this VLAN directly out to the internet bypassing WSS and this resolves the issue.


Environment

VeloCloud IPSEC routers.

Cloud SWG.

Cause

The VeloCloud router had persistence disabled for traffic from this VLAN, so a single user's session data was split across multiple IPSEC tunnels and therefore across different Cloud SWG endpoints.

Resolution

Persistence was enabled for users on the Marketing VLAN, so that all of their traffic goes into a single tunnel.

If the IPSEC router offers no option to enable persistence, the googlevideo.com domain needs to be bypassed so that it does not go into Cloud SWG.

Additional Information

The youtube.com domain does not appear to be failing, but the video playback domains (googlevideo.com) are. These return HTTP 421 errors, and the key indicator is the Bandaid Misdirected Traffic Server HTTP header in the response, which comes from the back-end server.

Every time playback fails, 421 status responses come back. The following link, which references this status code (https://github.com/square/okhttp/issues/5424), pointed to session-related issues and led us to look at the IPSEC tunnel setup in more detail.

On the working VLAN, all traffic goes through one tunnel, so the egress IP addresses from WSS are consistent. On the non-working VLAN, the same user's traffic was split across 3 different tunnels. This is visible with WSS tools, but also in the user's HTTP logs, which report both the location name and ID: in the two entries below the same client (172.16.104.6) appears first under "VeloCloud 01" and then under "VeloCloud 03", with a different WSS egress address each time, e.g.

2023-01-05 10:13:19 "DP4-GGBLO1_proxysg3" 270322 172.16.104.6 "BCOM\Elway" "xxxx=" yyyy///FdCbe1FDiaC4IgLg= - - OBSERVED "Uncategorized" - 200 TCP_TUNNELED TUNNEL - tcp 34.117.217.74 443 / - - - 192.168.4.86 5619 781 - - - - - - - - 445750 "VeloCloud 01" firewall_fqdn_psk_vpn "-" "-" 34.117.217.74 "United States" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 34.117.217.74 "United States" - "Invalid" 5 - - - - 172.16.104.6 - - - - - - - - - - - 2001:0DB8:6159:89fe:23b3:3bde:7e46:d32b a37baad03dc207af-00000000584dc3bc-0000000063b6a1b0 148.64.27.43 148.64.27.43 "GB" "United Kingdom" - - -

2023-01-05 10:13:21 "DP4-GGBLO1_proxysg3" 350869 172.16.104.6 "BCOM\Elway" "xxxx=" yyyy///FdCbe1FDiaC4IgLg= - - OBSERVED "Uncategorized" - 200 TCP_TUNNELED TUNNEL - tcp 34.117.217.74 443 / - - - 192.168.4.86 5620 792 - - - - - - - - 446106 "VeloCloud 03" firewall_fqdn_psk_vpn "-" "-" 34.117.217.74 "United States" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 34.117.217.74 "United States" - "Invalid" 5 - - - - 172.16.104.6 - - - - - - - - - - - 2001:0DB8:6623:82c1:30db:ec52:7e46:d32b a37baad03dc207af-00000000584dba68-0000000063b6a19e 148.64.27.31 148.64.27.31 "GB" "United Kingdom" - - -
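The check described above, automated: an added example (not part of this article or of any Cloud SWG tooling) that tokenises access-log lines like the two shown, groups hits by client IP and user, and reports any client whose traffic appears under more than one IPSEC location name. It assumes the field positions seen in the article's lines (confirm them against the column header of your own export); the second and later sample lines are constructed from the first one.

```python
import shlex
from collections import defaultdict

# Field positions inferred from the two Cloud SWG access-log lines in this article.
# Assumption: confirm them against the column header of your own log export.
CLIENT_IP, USER, LOCATION, EGRESS_IP = 4, 5, 36, -6

# First log line from the article (Marketing VLAN client, tunnel "VeloCloud 01").
ARTICLE_LINE = (
    r'2023-01-05 10:13:19 "DP4-GGBLO1_proxysg3" 270322 172.16.104.6 "BCOM\Elway" "xxxx=" '
    r'yyyy///FdCbe1FDiaC4IgLg= - - OBSERVED "Uncategorized" - 200 TCP_TUNNELED TUNNEL - tcp '
    r'34.117.217.74 443 / - - - 192.168.4.86 5619 781 - - - - - - - - 445750 "VeloCloud 01" '
    r'firewall_fqdn_psk_vpn "-" "-" 34.117.217.74 "United States" - - - - - none - - - - none - - '
    r'ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 34.117.217.74 "United States" - "Invalid" 5 - - - - '
    r'172.16.104.6 - - - - - - - - - - - 2001:0DB8:6159:89fe:23b3:3bde:7e46:d32b '
    r'a37baad03dc207af-00000000584dc3bc-0000000063b6a1b0 148.64.27.43 148.64.27.43 "GB" "United Kingdom" - - -'
)

def variant(client, location, egress):
    """Constructed line: same layout as ARTICLE_LINE with client, tunnel and egress IP swapped."""
    return (ARTICLE_LINE.replace("172.16.104.6", client)
            .replace("VeloCloud 01", location)
            .replace("148.64.27.43", egress))

# Constructed sample: the article's second hit (VeloCloud 03, egress .31) plus a
# healthy client on another VLAN whose hits all use one tunnel.
SAMPLE_LINES = [
    ARTICLE_LINE,
    variant("172.16.104.6", "VeloCloud 03", "148.64.27.31"),
    variant("172.16.105.6", "VeloCloud 02", "148.64.27.50"),
    variant("172.16.105.6", "VeloCloud 02", "148.64.27.50"),
]

def parse(line):
    """Tokenise one access-log line (shlex keeps quoted fields such as "VeloCloud 01" whole)."""
    f = shlex.split(line)
    return {"client": f[CLIENT_IP], "user": f[USER],
            "location": f[LOCATION], "egress": f[EGRESS_IP]}

def tunnel_spread(lines):
    """Per (client IP, user): the set of IPSEC location names and WSS egress IPs seen."""
    seen = defaultdict(lambda: {"locations": set(), "egress": set()})
    for line in lines:
        if line.strip():
            r = parse(line)
            key = (r["client"], r["user"])
            seen[key]["locations"].add(r["location"])
            seen[key]["egress"].add(r["egress"])
    return seen

def split_sessions(lines):
    """Clients whose traffic crossed more than one tunnel: the signature behind the 421s."""
    return {k: sorted(v["locations"])
            for k, v in tunnel_spread(lines).items() if len(v["locations"]) > 1}

if __name__ == "__main__":
    for (client, user), tunnels in split_sessions(SAMPLE_LINES).items():
        print(f"{client} ({user}) split across {len(tunnels)} tunnels: {tunnels}")
```

Run it against a full day's export for the affected VLAN; only clients listed by `split_sessions` need the persistence fix, while clients that show one location but still fail point to a different cause.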
