topic Re: Skype is not working with allow rule in General Topics

Skype is not working with allow rule

MohamedSharief — Mon, 03 Oct 2016 10:25:33 GMT

Hi,

We have a demand to allow skype for internal employees. However, we've created a security rule to allow the following applications:

-skype

-skype-probe

-ssl/web-browsing

Still skype couldn't connect with an error message "please check your internet connection and try again".

So I've added *.skype.com/* in the URL filteration > still doesn't work

Also I tried to user web-browsing instead of ssl > still doesn't work

and finally I've added both ssl & web-browsing > still doesn't work

When I checked the traffic log I found the following:

Session end reason: tcp-rst-from-client & tcp-fin & n/a

Does anyone know exactly whats going on here?

Re: Skype is not working with allow rule

MohamedSharief — Mon, 03 Oct 2016 11:07:23 GMT

1- Appliance Model: PA-500

2- PAN-OS version: 7.1.3

3- Applications Version: 599-3443

Re: Skype is not working with allow rule

BPry — Mon, 03 Oct 2016 13:06:27 GMT

What rule is the traffic actually hitting as it stands, and where is the allow rule in corelation within your lists of security policies? It sounds like you are hitting a pretty strict deny rule, as if this was a consumer version of Skype then it will fall back to port 80/443.

Re: Skype is not working with allow rule

MohamedSharief — Mon, 03 Oct 2016 13:26:15 GMT

Traffic is hitting the same rule created for Skype as mentioned in traffic log. The rule I've created is located in the top of the policies.

The weird thing is skype is not even allowing me to enter a username and password, the front page of skype never displayed, it will just start loading then "check your internet connection" will pops up.

Re: Skype is not working with allow rule

santonic — Mon, 03 Oct 2016 13:51:30 GMT

Can you please check if you have denied unknown-udp sessions dropped on high UDP ports towards Microsoft public IP addresses?

I have found a situation where skype and skype-probe is allowed with application rule, TCP 443 is allowed as service (in seperate rule ofc) and Skype still isn't working. I've noticed connection towards Microsoft IP addresses on high UDP ports 'recognised' as unknown-udp and of course dropped. Skype should be working without having to allow unknown-udp session.

Anyone else has similar problems with Skype?

Re: Skype is not working with allow rule

MohamedSharief — Mon, 03 Oct 2016 13:56:46 GMT

I've already thought about adding unknown-udp to the policy and infomred the client to made the changes. Waiting his reply now.

Re: Skype is not working with allow rule

MohamedSharief — Mon, 03 Oct 2016 14:13:17 GMT

Aaaaaand its still not working. Even when we added the unknown-udp to the policy.

In the traffic log I noticed when the type is "end" the session end reason is either "tcp-rst-from-client" or "tcp-fin" but when the type is start the session end reason is always n/a.

Re: Skype is not working with allow rule

BPry — Mon, 03 Oct 2016 15:59:33 GMT

I would test with a single source IP address allocated an 'any any' rule without any blocks in place and see if you still recieve the error. That would at the very least tell you if it's actually a rule issue. If that works I would request a config export since it seems like you are working with someone offsite and don't have direct access to the equipment.

Re: Skype is not working with allow rule

MohamedSharief — Mon, 03 Oct 2016 18:24:02 GMT

Great idea BPry. I'll make sure to implement that tomorrow. Thanks

Re: Skype is not working with allow rule

MohamedSharief — Tue, 04 Oct 2016 07:01:25 GMT

I've created "any to any" policy where the source address is the engineer's laptop, then added skype, skype-probe and unkown-udb to the list of applications and committed the changes. This time I got a warning that to enable skype I must add msn-base, ssl and web-browsing. I committed without adding those then tried but failed, then I added apps in warning but still doesn't work. When I checked the logs again I got on start session n/a as session end reason and on end session tcp-rst-from-client & tcp-fin as session end reasons.

Any idea on whats going on guys?

Re: Skype is not working with allow rule

LCMember1959 — Tue, 04 Oct 2016 09:50:47 GMT

Have you tried the same rule, but with Any/Any as application and service? If Skype still does not work then I would suspect that it might be a client problem.

Re: Skype is not working with allow rule

MohamedSharief — Tue, 04 Oct 2016 12:43:11 GMT

I will try that Terje.

When I added the policy "any any" today and commit the changes I got a warning that msn-base, ssl and web-browsing should be allowed as dependency apps also, but when I checked in https://applipedia.paloaltonetworks.com/ its not required. To double check this I shoot the command #show predefined application skype and those dependency apps were included. But again I've already tried and added them and still doesn't work.

Re: Skype is not working with allow rule

BPry — Tue, 04 Oct 2016 13:25:49 GMT

I guess what I meant as an 'any any' rule was that it would be any destination and any applicaiton. This placed above all other security rules will let you know if this is a firewall issue or a network issue. If you still can't get to Skype with a set source address, any destination, and any application set to allow then it would indicate that your firewall isn't at fault here; something in front of your firewall is to blame for the issue.

Re: Skype is not working with allow rule

RFalconer — Tue, 04 Oct 2016 16:53:06 GMT

Anything in the threat log that shows traffic being blocked?

Re: Skype is not working with allow rule

Indorama_Ventures — Wed, 05 Oct 2016 07:58:46 GMT

Is nothing working with Skype or just for example video conversation?

I had the problem lately that chat and audio were working but video wasn't.

It turned out I was missing the "Jabber" application in the allow rule.

Re: Skype is not working with allow rule

MohamedSharief — Wed, 05 Oct 2016 18:38:03 GMT

Thanks for the help guys. I did the allow all rule with one source and when Skype didnt work we realised its not FW issue. However, we pluged the machine directly with the router towards the internet and it didn't work also, then we change the DNS to public on (8.8.8.8) and everything was working perfectly. They have an issue with their DNS server.

Re: Skype is not working with allow rule

rkoenig — Fri, 13 Jan 2017 01:17:31 GMT

Nice job, we were experiencing the same issue. What made you decided to try external DNS servers? Is there a specific URL that is not being resolved?

Re: Skype is not working with allow rule

MohamedSharief — Tue, 24 Jan 2017 13:48:48 GMT

I believe that might be the reason but honestly I didn't try changing the DNS server on the testing machine till I ran out of all options on PA.

Regards,

Sharief

Re: Skype is not working with allow rule

SajidAliSajid — Wed, 08 Feb 2017 15:44:28 GMT

Facing same problem.

Skype in my Organization with these Destination and apps (need simple solution).

skype
skype-probe
office365-consumer-access
ssl
stun
web-browsing
websocket
ms-lync-base
ms-lync-audio
ms-lync-video
rtcp
rtp-base

unknown-udp

91.190.216.0/21
65.52.0.0/14
64.4.0.0/18
52.234.0.0/11
40.0.0.0/8
213.199.0.0/16
157.56.0.0/14
13.107.0.0/16
111.221.0.0/17
104.40.0.0/13

Skype website:

To work correctly, Skype requires unrestricted outgoing TCP access to:

All destination ports above 1024 (recommended)
or
Ports 80 and 443

support.skype.com/en/faq/FA148/which-ports-need-to-be-open-to-use-skype-for-windows-desktop

Regards,

Sajid