It seems to me that in order to have Skype working correctly - particularly with multi-site PAs with Site2Site VPN tunnels in between - it is necessary to enable both unknown-tcp & unknown-udp.
At least - all our connection problems / delivery delays seem to go away with the above allowed.
But obviously - allowing "unknown" traffic through your firewall is not the most obvious solution...
A softer solution could be if it's possible to define a private application/service where:
if client is connected to Skype with src.port = x
allow unknown-tcp and unknown-udp where src.port = x
Does anyone know if this is possible somehow?