Users on Windows and macOS platforms access internet sites via Cloud SWG using WSS Agents, after authenticating successfully with a SAML Identity Provider.
The WSS Agents connect to various Cloud SWG POPs globally, almost all using UDP transport.
Since early January, a few users on macOS report messages indicating that UDP transport is blocked and that the agent always uses TCP instead. This happens across all Cloud SWG data centers and from different networks.
Running reports on the impacted users showed that all of them were running the macOS Tahoe platform. Users on earlier macOS versions do not report the issue.
WSS Agent version 9.8.4 or lower running on macOS.
Tahoe added support for post-quantum cryptography, which increased the size of the TLS ClientHello beyond 1500 bytes and causes IP fragmentation.
Cloud SWG relies on the UDP/TCP port for session persistence, and fragmented IP packets break this.
Outbound TCP sessions always have the DF (don't fragment) IP flag set, which prevents fragmentation, so TCP always works.
Install WSS Agent 9.8.5 or greater.
Symdiag PCAPs were used to confirm the fragmentation and identify its cause (the Wireshark filter 'ip.flags.mf == True' shows fragmented packets). A sample Wireshark entry is shown below.
Note that the 164.48.4.0/24 subnet is part of the India range of IP addresses published in the Cloud SWG IP address KB article.
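As an added example (not part of this KB article), the following Python script applies the same check as the Wireshark filter to raw packet bytes: it decodes IPv4 headers and lists the fragments, separating the fragmented UDP flow from the DF-protected TCP session. The sample packets and the 10.0.0.5 client address are constructed; the 164.48.4.x destination only reuses the subnet mentioned above.

```python
import struct
from dataclasses import dataclass

IP_DF, IP_MF, IP_OFF_MASK = 0x4000, 0x2000, 0x1FFF  # bits of the flags/fragment-offset field

@dataclass
class IPv4Info:
    src: str
    dst: str
    proto: int        # 17 = UDP, 6 = TCP
    ident: int
    df: bool
    mf: bool
    frag_offset: int  # position of this fragment in the original datagram, in bytes
    total_len: int

    @property
    def fragmented(self) -> bool:
        # What 'ip.flags.mf == True' matches, plus the final fragment (MF clear, offset > 0)
        return self.mf or self.frag_offset > 0

def parse_ipv4(pkt: bytes) -> IPv4Info:
    """Decode the fixed 20-byte IPv4 header of a captured packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    _, _, total_len, ident, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return IPv4Info(src=".".join(map(str, src)), dst=".".join(map(str, dst)), proto=proto, ident=ident,
                    df=bool(flags_off & IP_DF), mf=bool(flags_off & IP_MF),
                    frag_offset=(flags_off & IP_OFF_MASK) * 8, total_len=total_len)

def build_ipv4(src: str, dst: str, proto: int, ident: int, flags: int, offset: int, payload_len: int) -> bytes:
    """Constructed sample packet (header plus zero-filled payload) for offline testing."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags | (offset // 8),
                      64, proto, 0, src_b, dst_b)
    return hdr + bytes(payload_len)

def fragmented_packets(pkts):
    """Return the packets that are IP fragments, i.e. what the Wireshark filter would list."""
    return [info for info in map(parse_ipv4, pkts) if info.fragmented]

# Constructed traffic: agent at 10.0.0.5 (hypothetical) talking to a POP in the 164.48.4.0/24 range
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "164.48.4.10", 17, 0x1234, IP_MF, 0, 1480),  # oversized UDP ClientHello, fragment 1 of 2
    build_ipv4("10.0.0.5", "164.48.4.10", 17, 0x1234, 0, 1480, 320),    # fragment 2 of 2: MF clear, offset 1480
    build_ipv4("10.0.0.5", "164.48.4.10", 6, 0x1235, IP_DF, 0, 500),    # TCP session: DF set, never fragmented
]

if __name__ == "__main__":
    for f in fragmented_packets(SAMPLE_PACKETS):
        print(f"{f.src} -> {f.dst} proto={f.proto} id={f.ident:#06x} mf={f.mf} offset={f.frag_offset}")
```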