Skype is not working with allow rule

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Skype is not working with allow rule

L4 Transporter

Hi,

 

We have a demand to allow skype for internal employees. However, we've created a security rule to allow the following applications:

 

-skype

-skype-probe

-ssl/web-browsing

 

Still skype couldn't connect with an error message "please check your internet connection and try again".

 

So I've added *.skype.com/* in the URL filteration > still doesn't work

Also I tried to user web-browsing instead of ssl > still doesn't work

and finally I've added both ssl & web-browsing > still doesn't work

 

When I checked the traffic log I found the following:

 

Session end reason: tcp-rst-from-client & tcp-fin & n/a

 

Does anyone know exactly whats going on here?

Regards,
Sharief
1 accepted solution

Accepted Solutions

Thanks for the help guys. I did the allow all rule with one source and when Skype didnt work we realised its not FW issue. However, we pluged the machine directly with the router towards the internet and it didn't work also, then we change the DNS to public on (8.8.8.8) and everything was working perfectly. They have an issue with their DNS server.

Regards,
Sharief

View solution in original post

18 REPLIES 18

L4 Transporter

1-      Appliance Model: PA-500

2-      PAN-OS version: 7.1.3

3-      Applications Version: 599-3443

Regards,
Sharief

What rule is the traffic actually hitting as it stands, and where is the allow rule in corelation within your lists of security policies? It sounds like you are hitting a pretty strict deny rule, as if this was a consumer version of Skype then it will fall back to port 80/443.  

Traffic is hitting the same rule created for Skype as mentioned in traffic log. The rule I've created is located in the top of the policies.

The weird thing is skype is not even allowing me to enter a username and password, the front page of skype never displayed, it will just start loading then "check your internet connection" will pops up.

Regards,
Sharief

Can you please check if you have denied unknown-udp sessions dropped on high UDP ports towards Microsoft public IP addresses?

 

I have found a situation where skype and skype-probe is allowed with application rule, TCP 443 is allowed as service (in seperate rule ofc) and Skype still isn't working. I've noticed connection towards Microsoft IP addresses on high UDP ports 'recognised' as unknown-udp and of course dropped. Skype should be working without having to allow unknown-udp session.

 

Anyone else has similar problems with Skype?

I've already thought about adding unknown-udp to the policy and infomred the client to made the changes. Waiting his reply now.

Regards,
Sharief

Aaaaaand its still not working. Even when we added the unknown-udp to the policy.

 

In the traffic log I noticed when the type is "end" the session end reason is either "tcp-rst-from-client" or "tcp-fin" but when the type is start the session end reason is always n/a.

Regards,
Sharief

I would test with a single source IP address allocated an 'any any' rule without any blocks in place and see if you still recieve the error. That would at the very least tell you if it's actually a rule issue. If that works I would request a config export since it seems like you are working with someone offsite and don't have direct access to the equipment. 

Great idea BPry. I'll make sure to implement that tomorrow. Thanks

Regards,
Sharief

I've created "any to any" policy where the source address is the engineer's laptop, then added skype, skype-probe and unkown-udb to the list of applications and committed the changes. This time I got a warning that to enable skype I must add msn-base, ssl and web-browsing. I committed without adding those then tried but failed, then I added apps in warning but still doesn't work. When I checked the logs again I got on start session n/a as session end reason and on end session tcp-rst-from-client & tcp-fin as session end reasons.

 

Any idea on whats going on guys?

Regards,
Sharief

Have you tried the same rule, but with Any/Any as application and service? If Skype still does not work then I would suspect that it might be a client problem.

I will try that Terje.

When I added the policy "any any" today and commit the changes I got a warning that msn-base, ssl and web-browsing should be allowed as dependency apps also, but when I checked in https://applipedia.paloaltonetworks.com/ its not required. To double check this I shoot the command #show predefined application skype and those dependency apps were included. But again I've already tried and added them and still doesn't work.

Regards,
Sharief

I guess what I meant as an 'any any' rule was that it would be any destination and any applicaiton. This placed above all other security rules will let you know if this is a firewall issue or a network issue. If you still can't get to Skype with a set source address, any destination, and any application set to allow then it would indicate that your firewall isn't at fault here; something in front of your firewall is to blame for the issue. 

Anything in the threat log that shows traffic being blocked?

Is nothing working with Skype or just for example video conversation?

I had the problem lately that chat and audio were working but video wasn't.

It turned out I was missing the "Jabber" application in the allow rule.

  • 1 accepted solution
  • 7342 Views
  • 18 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!