I've some problems with skype instant messaging.
Sometimes the messages are not sent.
Checking firewall logs I see when messages are not sent an 'unknown-tcp' connection is denied.
Same destination port (but different ip) were used and recognized before as 'skype' connection
|Time||App||From||Src Port Source|
|Rule||Action||To||Dst Port Destination|
|Src User||Dst User|
|2012/11/06 11:19:26 skype||Zone1 52682||192.168.xxx.xxx|
|2012/11/06 11:19:56 unknown-tcp||Zone1 49727||192.168.xxx.xxx|
|blocca_navigazione deny||Zone2 12350||188.8.131.52|
It seems that PAN-OS was not able to identify correctly the connection.
For security reasons I cannot open 'unknown-tcp' connection.
Application and threat: 336-1565 2012-10-30
What SkyPe version You are using? Is it default or edited version? Did You test messages, voice, and video? Did You test between internal <> external or between internal <>internal users. What PAN os?
I also see, that wiyh such rules, like Yours, sometimes all works. One call gets true, next to same person fails. But as I have almost 10 000 users, then every call which fails, is a big issue.
We're having pretty much the same problem and are looking for ways around the PA firewall. There are registry entries that can be set for Skype to use a proxy server. These settings can be applied trough GPO. There are only two issues:
- Notebooks...when they are outside the company network (with no active VPN tunnel) the internal proxy wouldn't be found and Skype could not connect.
- If using a SOCKS proxy the password would be transmitted in clear-txt over the network. If using HTTP connect proxy, Skype only supports Basic Authentication (no Digest!) with is more or less the same as Clear-txt...
Probably someone has an idea how to fix the first or even the 2nd issue as a workaround...?
At this point I'm 100% sure that the problem is in PAN skype-probe and skype app detection logic.
See the logs. If skype-probe app once detects traffic for some ip as skype-probe, the how is possible that next detection is as unknown-udp.
And how it takes 30 minutes ta match unknow-tcp as skype?
Same destination IP, close destination port range. It's a huge bug.
We need skype app update ASAP.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!