Skype is not working with allow rule

Reply
Highlighted
L4 Transporter

Skype is not working with allow rule

Hi,

 

We have a demand to allow skype for internal employees. However, we've created a security rule to allow the following applications:

 

-skype

-skype-probe

-ssl/web-browsing

 

Still skype couldn't connect with an error message "please check your internet connection and try again".

 

So I've added *.skype.com/* in the URL filteration > still doesn't work

Also I tried to user web-browsing instead of ssl > still doesn't work

and finally I've added both ssl & web-browsing > still doesn't work

 

When I checked the traffic log I found the following:

 

Session end reason: tcp-rst-from-client & tcp-fin & n/a

 

Does anyone know exactly whats going on here?

Regards,
Sharief
Tags (2)

Accepted Solutions
Highlighted
L4 Transporter

Re: Skype is not working with allow rule

Thanks for the help guys. I did the allow all rule with one source and when Skype didnt work we realised its not FW issue. However, we pluged the machine directly with the router towards the internet and it didn't work also, then we change the DNS to public on (8.8.8.8) and everything was working perfectly. They have an issue with their DNS server.

Regards,
Sharief

View solution in original post


All Replies
Highlighted
L4 Transporter

Re: Skype is not working with allow rule

1-      Appliance Model: PA-500

2-      PAN-OS version: 7.1.3

3-      Applications Version: 599-3443

Regards,
Sharief
Highlighted
Cyber Elite

Re: Skype is not working with allow rule

What rule is the traffic actually hitting as it stands, and where is the allow rule in corelation within your lists of security policies? It sounds like you are hitting a pretty strict deny rule, as if this was a consumer version of Skype then it will fall back to port 80/443.  

Highlighted
L4 Transporter

Re: Skype is not working with allow rule

Traffic is hitting the same rule created for Skype as mentioned in traffic log. The rule I've created is located in the top of the policies.

The weird thing is skype is not even allowing me to enter a username and password, the front page of skype never displayed, it will just start loading then "check your internet connection" will pops up.

Regards,
Sharief
Highlighted
L5 Sessionator

Re: Skype is not working with allow rule

Can you please check if you have denied unknown-udp sessions dropped on high UDP ports towards Microsoft public IP addresses?

 

I have found a situation where skype and skype-probe is allowed with application rule, TCP 443 is allowed as service (in seperate rule ofc) and Skype still isn't working. I've noticed connection towards Microsoft IP addresses on high UDP ports 'recognised' as unknown-udp and of course dropped. Skype should be working without having to allow unknown-udp session.

 

Anyone else has similar problems with Skype?

Highlighted
L4 Transporter

Re: Skype is not working with allow rule

I've already thought about adding unknown-udp to the policy and infomred the client to made the changes. Waiting his reply now.

Regards,
Sharief
Highlighted
L4 Transporter

Re: Skype is not working with allow rule

Aaaaaand its still not working. Even when we added the unknown-udp to the policy.

 

In the traffic log I noticed when the type is "end" the session end reason is either "tcp-rst-from-client" or "tcp-fin" but when the type is start the session end reason is always n/a.

Regards,
Sharief
Highlighted
Cyber Elite

Re: Skype is not working with allow rule

I would test with a single source IP address allocated an 'any any' rule without any blocks in place and see if you still recieve the error. That would at the very least tell you if it's actually a rule issue. If that works I would request a config export since it seems like you are working with someone offsite and don't have direct access to the equipment. 

Highlighted
L4 Transporter

Re: Skype is not working with allow rule

Great idea BPry. I'll make sure to implement that tomorrow. Thanks

Regards,
Sharief
Highlighted
L4 Transporter

Re: Skype is not working with allow rule

I've created "any to any" policy where the source address is the engineer's laptop, then added skype, skype-probe and unkown-udb to the list of applications and committed the changes. This time I got a warning that to enable skype I must add msn-base, ssl and web-browsing. I committed without adding those then tried but failed, then I added apps in warning but still doesn't work. When I checked the logs again I got on start session n/a as session end reason and on end session tcp-rst-from-client & tcp-fin as session end reasons.

 

Any idea on whats going on guys?

Regards,
Sharief
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!