We have a demand to allow skype for internal employees. However, we've created a security rule to allow the following applications:
Still skype couldn't connect with an error message "please check your internet connection and try again".
So I've added *.skype.com/* in the URL filtering > still doesn't work
Also I tried to use web-browsing instead of ssl > still doesn't work
and finally I've added both ssl & web-browsing > still doesn't work
When I checked the traffic log I found the following:
Session end reason: tcp-rst-from-client & tcp-fin & n/a
Does anyone know exactly what's going on here?
Thanks for the help guys. I did the allow all rule with one source and when Skype didn't work we realised it's not a FW issue. However, we plugged the machine directly into the router towards the internet and it didn't work either, then we changed the DNS to a public one (220.127.116.11) and everything was working perfectly. They have an issue with their DNS server.
What rule is the traffic actually hitting as it stands, and where is the allow rule in correlation within your lists of security policies? It sounds like you are hitting a pretty strict deny rule, as if this was a consumer version of Skype then it will fall back to port 80/443.
Traffic is hitting the same rule created for Skype as mentioned in traffic log. The rule I've created is located in the top of the policies.
The weird thing is Skype is not even allowing me to enter a username and password, the front page of Skype is never displayed, it will just start loading then "check your internet connection" will pop up.
Can you please check if you have denied unknown-udp sessions dropped on high UDP ports towards Microsoft public IP addresses?
I have found a situation where skype and skype-probe are allowed with an application rule, TCP 443 is allowed as a service (in a separate rule ofc) and Skype still isn't working. I've noticed connections towards Microsoft IP addresses on high UDP ports 'recognised' as unknown-udp and of course dropped. Skype should be working without having to allow unknown-udp sessions.
Does anyone else have similar problems with Skype?
I've already thought about adding unknown-udp to the policy and informed the client to make the changes. Waiting for his reply now.
Aaaaaand it's still not working. Even when we added the unknown-udp to the policy.
In the traffic log I noticed when the type is "end" the session end reason is either "tcp-rst-from-client" or "tcp-fin" but when the type is start the session end reason is always n/a.
I would test with a single source IP address allocated an 'any any' rule without any blocks in place and see if you still receive the error. That would at the very least tell you if it's actually a rule issue. If that works I would request a config export since it seems like you are working with someone offsite and don't have direct access to the equipment.
I've created an "any to any" policy where the source address is the engineer's laptop, then added skype, skype-probe and unknown-udp to the list of applications and committed the changes. This time I got a warning that to enable skype I must add msn-base, ssl and web-browsing. I committed without adding those then tried but failed, then I added the apps in the warning but it still doesn't work. When I checked the logs again I got on start session n/a as session end reason and on end session tcp-rst-from-client & tcp-fin as session end reasons.
Any idea on what's going on guys?