Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Skype IM Problem

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Skype IM Problem

L3 Networker

Hi,

I've some problems with skype instant messaging.

Sometimes the messages are not sent.

Checking firewall logs I see when messages are not sent an 'unknown-tcp' connection is denied.

Same destination port (but different ip) were used and recognized before as 'skype' connection

For example

Time            App         From        Src Port   Source
Rule            Action      To          Dst Port   Destination
                Src User    Dst User

===============================================================================

2012/11/06 11:19:26 skype       Zone1      52682 192.168.xxx.xxx
Skype           allow       Zone212350 78.141.179.16
                user1

2012/11/06 11:19:56 unknown-tcp Zone1  49727 192.168.xxx.xxx
blocca_navigazione  deny        Zone2   12350 78.141.179.12
                user1

It seems that PAN-OS was not able to identify correctly the connection.

For security reasons I cannot open 'unknown-tcp' connection.

Any solutions?

Firewall PAN-500

OS: 4.1.7

Application and threat:  336-1565 2012-10-30

Thanks

Regards

40 REPLIES 40

Yes, using group policy supernode is disabled. And I have about thousand separated subnets, so this isn't an issue also:). The only issue right now is PaloAlto:(.

Again I tested this scenario in my LAB. I allow skype for one particular AD user and block it for the rest

policy.png

Only user A can connect

skype.png

What SkyPe version You are using? Is it default or edited version? Did You test messages, voice, and video? Did You test between internal <> external or between internal <>internal users. What PAN os?

I also see, that wiyh such rules, like Yours, sometimes all works. One call gets true, next to same person fails. But as I have almost 10 000 users, then every call which fails, is a big issue.

Skype 6.1.0.129, default. messaging and voice is working (of course only for user A). I cannot test video no webcam avail. Tested with external contact. PAN OS 5.0.2 latest updates as mentioned above.

Hmm, about Your rules, why are You:

a) first deny unknow-udp and unknow-tcp for any?

b) allow skype-probe for any?

As I can't find the reason keeping skype-probe and skype in two different rules? I'm usind skype-probe and skype in one rule and below allow rule is deny rule for all.

ksuuk schrieb:

Hmm, about Your rules, why are You:

a) first deny unknow-udp and unknow-tcp for any?

Because I followed your rule to not allow any unknown apps in the first place.

b) allow skype-probe for any?

In order to control skype you have to allow skype-probe and then deny skype.

By manual, Yes skype-probe must be allowed for all, but I found, that it's not so mandatory. I'm using skype-probe and skype in one rule all next one is deny all.

Up to you...

Yes.

But for me the main problem is that when clients are using skype, I see a lot unknow-tcp and unknow-udp packed, which are dropped. Allowing them makes skype working but kills the firewall.

We're having pretty much the same problem and are looking for ways around the PA firewall. There are registry entries that can be set for Skype to use a proxy server. These settings can be applied trough GPO. There are only two issues:

- Notebooks...when they are outside the company network (with no active VPN tunnel) the internal proxy wouldn't be found and Skype could not connect.

- If using a SOCKS proxy the password would be transmitted in clear-txt over the network. If using HTTP connect proxy, Skype only supports Basic Authentication (no Digest!) with is more or less the same as Clear-txt...

Probably someone has an idea how to fix the first or even the 2nd issue as a workaround...?

At this point I'm 100% sure that the problem is in PAN skype-probe and skype app detection logic.

See the logs. If skype-probe app once detects traffic for some ip as skype-probe, the how is possible that next detection is as unknown-udp.

And how it takes 30 minutes ta match unknow-tcp as skype?

Same destination IP, close destination port range. It's a huge bug.

We need skype app update ASAP.

sk2.jpgsk4.jpg

  • 15939 Views
  • 40 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!