browse
Overview
Umbrella customers who are using AnyConnect Secure Mobility Client + Secure Web Gateway (SWG) may need to disable the QUIC protocol within their Google Chrome (or other browser) settings to avoid issues with Google services such as search, GMail, or YouTube.
An example of an error loading a YouTube video is shown in the screenshot below.
Symptoms of QUIC problems
Google Chrome and other browsers attempt to use QUIC to connect to Google services. QUIC uses UDP as its transport layer protocol instead of TCP. The AnyConnect Secure Mobility Client does not support UDP-based requests, so QUIC-based web requests will not be sent to the SWG proxy. As a result, you may see symptoms such as:
- Google sites or other sites using QUIC may fail to load
-
SWG settings for these sites may not be applied, including
- Application Control
- Advanced Application Control (e.g. uploads)
- Policy enforcement
How to check if QUIC is enabled in Google Chrome
Depending on your browser and firewall configuration, your organization may be using the QUIC protocol without knowing it. The simplest check whether QUIC is enabled in Chrome is to use Chrome's Developer Tools.
- Open Chrome's Developer Tools (Menu > More tools > Developer tools, or Ctrl+Shift+I).
- In the Network tab, right click a column heading to include the Protocol column.
- Browse to a Google-owned website, such as https://www.google.com.
- Check for the entry http/2+quic/39 in the Protocol column. If this entry is present, then Google QUIC is enabled.
Disabling QUIC in Google Chrome
For more information on disabling QUIC on a managed device, see https://support.google.com/chrome/a/answer/7649838?hl=en. You can manually disable QUIC in Google Chrome using the Experimental QUIC protocol (#enable-quic) flag:
- In the address bar, type: chrome://flags#enable-quic
- Set the Experimental QUIC protocol flag to Disabled
- Relaunch Chrome for the setting to take effect.
The following Windows registry key (or Mac/Linux preference) can be used to disable QUIC in Chrome, and can be enforced via GPO or equivalent:
Windows registry location for Windows clients:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
Windows registry location for Google Chrome OS clients:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\ChromeOS
Windows value name (REG_DWORD):
QuicAllowed
Mac/Linux preference name (Boolean):
QuicAllowed
Description:
Values to disable QUIC:
Windows Decimal REG_DWORD:
0
Windows Hexadecimal REG_DWORD:
0x00000000
Linux:
false
Mac:
<false />
Windows Registry Example for Chrome Windows clients:
Blocking QUIC on your Firewall
You can also block QUIC protocol on the firewall – this will either be by blocking UDP 443 (via port) or blocking QUIC by application name (if the Firewall supports L7). In both cases, you will need to allow Umbrella-related IP addresses from your firewall rules to facilitate encrypted DNS: Secure Web Gateway's IP List and Domains to Allow in Customer Firewalls.
QUIC and other Web Browsers
Other web browsers also have the option to utilise QUIC protocol, whether this is enabled by default will vary between the browser and the version in use. More information on controlling QUIC in Firefox and Microsoft Edge can be found below:
- Firefox: This can be controlled with the network.http.http3.enabled config option by entering about:config into the URL bar, for example
- MS Edge: QUIC can be controlled via Group Policy