Digging further I see the firewall is doing a MiTM for SSL session decryption and application determination. The Syn, Syn/Ack, Ack completes successfully. But the firewall does not allow the Launcher to actually get responses from youtube.
If I modify the policy to send a TCP reset, back the client, once a policy decision is made, then the launcher does comes up quicker.
So the core issue appears to be the lack of a timeout on the youtube test; or that the youtube test is being done too early in the startup process. I would suggest a timeout of 500-2000 milliseconds.
Don't put an ip that will result in a failed connection. Try using an IP that will result in a blackhole'd connection. No ICMP destination unreachable, TCP reset etc.
Digging further I see the firewall is doing a MiTM for SSL session decryption and application determination. The Syn, Syn/Ack, Ack completes successfully. But the firewall does not allow the Launcher to actually get responses from youtube.
If I modify the policy to send a TCP reset, back the client, once a policy decision is made, then the launcher does comes up quicker.
So the core issue appears to be the lack of a timeout on the youtube test; or that the youtube test is being done too early in the startup process.
I would suggest a timeout of 500-2000 milliseconds.