Troubleshooting slow browsing issues with Google services/YouTube with ZIA
Overview:
Users might face slow browsing issues with Google services when Zscaler Client Connector is in place.
The issue arises from the QUIC protocol used by Google Chrome and other Chromium-based browsers. QUIC is a UDP-based protocol and does not require traditional TCP handshakes. However, SSL inspection relies on TCP information, which prevents Zscaler from examining QUIC sessions when SSL inspection is enabled. As a result, users may encounter certificate errors while using QUIC. Zscaler's recommendation is to block the QUIC protocol, so that traffic falls back to HTTPS over TCP and SSL inspection can examine it without impacting user experience.
Troubleshooting Steps:
Step 1: Block the QUIC protocol in a Firewall Filtering rule
Question: Why set Block/Reset under Network Traffic instead of Block/Drop?
Answer: When blocking the QUIC protocol in Zscaler, the recommendation is to use Block/Reset instead of Block/Drop. Here’s why:
1. Nature of QUIC
- QUIC runs over UDP (port 443) instead of TCP.
- Applications like Chrome, YouTube, and many Google services try QUIC first before falling back to HTTPS over TCP.
- If QUIC packets are simply dropped (Block/Drop), the client waits for a timeout before retrying over TCP. This creates latency and user experience issues.
2. Why Reset Helps
- Block/Reset sends an immediate rejection (ICMP unreachable or TCP reset equivalent) back to the client.
- This makes the application instantly switch to TCP 443, avoiding the timeout period.
- The user experiences a seamless fallback to TLS over TCP, with no unnecessary delays.
3. Impact on End User Experience
- With Block/Drop:
  - Pages may load slowly.
  - Video playback may stall before reconnecting.
  - Some apps may fail entirely if they don’t retry gracefully.
- With Block/Reset:
  - Immediate failover to HTTPS/TCP.
  - Smooth browsing and streaming.
4. Zscaler’s Best Practice
Zscaler recommends Block/Reset because their goal is not just to block QUIC, but also to ensure that traffic falls back to a protocol (HTTPS/TCP) that can be inspected and secured—without degrading user performance.
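To check which of the two behaviours a client actually gets, the following added example (not part of the original article and not Zscaler code) sends one QUIC-shaped datagram over UDP and times the outcome. It assumes the rejection reaches the client as an ICMP error on a connected UDP socket; `build_quic_probe` and `classify_udp` are hypothetical names, and the reserved version 0x1a2a3a4a is used so that a QUIC server replies with Version Negotiation (RFC 9000) rather than opening a session.

```python
import os
import socket
import time


def build_quic_probe() -> bytes:
    """1200-byte QUIC long-header datagram with a reserved version number.

    RFC 9000 reserves versions of the form 0x?a?a?a?a, so a QUIC server
    answers with a Version Negotiation packet instead of starting a session.
    """
    dcid, scid = os.urandom(8), os.urandom(8)
    header = (bytes([0xC0]) + bytes.fromhex("1a2a3a4a")
              + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid)
    return header.ljust(1200, b"\x00")


def classify_udp(host: str, port: int = 443, timeout: float = 3.0):
    """Send one probe and return (verdict, seconds).

    "rejected": an ICMP error came back at once (the Block/Reset case).
    "silent":   nothing came back before the timeout (the Block/Drop case).
    "answered": a UDP reply arrived, so QUIC is not being blocked.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.connect((host, port))  # connected socket: ICMP errors surface as OSError
    start = time.monotonic()
    try:
        sock.send(build_quic_probe())
        sock.recv(2048)
        verdict = "answered"
    except socket.timeout:
        verdict = "silent"
    except OSError:  # ECONNREFUSED, EHOSTUNREACH and similar ICMP-derived errors
        verdict = "rejected"
    finally:
        sock.close()
    return verdict, time.monotonic() - start


if __name__ == "__main__":
    # Sample target chosen for illustration; use any host known to speak QUIC.
    verdict, secs = classify_udp("www.youtube.com")
    print(f"UDP/443: {verdict} after {secs:.2f}s")
```

A "silent" verdict only points to Block/Drop when the target is known to serve QUIC, since a host without QUIC also stays quiet. The elapsed time in that case is the delay the browser has to sit through before it retries over TCP.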
If Step 1 does not resolve the issue, continue with Step 2 below.
Step 2: Disable QUIC in Chrome or Edge at the browser level
Using Chrome Flags
- Open Chrome.
- In the address bar, type: chrome://flags/#enable-quic
- Find the setting Experimental QUIC protocol.
- Change it from Default/Enabled → Disabled.
- Restart Chrome.
Disable QUIC in Microsoft Edge
(Since Edge is Chromium-based, the process is very similar.)
- Open Edge.
- In the address bar, type: edge://flags/#enable-quic
- Locate Experimental QUIC protocol.
- Change it from Default/Enabled → Disabled.
- Restart Edge.
Check whether this resolves the issue for the user. If it does, use the MDM solution to push the setting to multiple users.
Conclusion
Blocking QUIC with Block/Reset in Zscaler ensures immediate fallback to HTTPS/TCP, eliminating delays. Disabling QUIC at the browser level (Chrome/Edge) further guarantees all traffic is inspected.
This approach ensures security, visibility, and a smooth user experience across the enterprise.