Re: SSL/TLS connection issue

Dave · ‎2020-01-07

We have Skype for Business implemented but are facing an issue.

Skype client needs to contact specific server to get some sort of webticket for getting authenticated and receiving a certificate from the Skype server.

Connection to this Skype server is having an issue, to be more specific, we get to the point where the encrypted handshake message has been received ... but then de connection is terminated.
Same process repeats couple of times but without success, then the Skype fallback procedure kicks but this results in users having to wait like 3-4 minutes until Skype has been connected.

Basic connectivity towards Skype server seems ok, since we get the connection going.

We've been extensively troubleshooting this together with provider in charge of supplying us Skype services, but cannot get around this issue and we're out of options.

We don't do HTTPS inspection and have policy rule allowing traffic for addresses we need to reach and for HTTP and HTTPS services.

What could possibly going wrong or how can we troubleshoot further?

PhoneBoy · ‎2020-01-07

What version/jumbo hotfix level is the management/gateway?
What precise rules have you created for this traffic?
What are you seeing in the logs around the time this traffic is being initiated?
What precise troubleshooting steps have you taken to date with the results?

Dave · ‎2020-01-07

HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87 is installed on FWs (ClusterXL) and MGMT

Access control rule in the Firewall policy has been created, where source is the VLAN where our workstation live in destination remote network, Services & Applications allowed are HTTP/HTTPS with action Accept.

Logs show me the traffic has been accepted.

Troubleshooting:
------------------

- fw ctl zdebug + drop does not show any traffic related to or from this destination network has been dropped.

- for testing, remote server had been temporary allowed to be pinged to test basic connectivity -> OK

- verified if any asymmetric routing -> identified at provider side and solved - routing ok

- Fiddler trace taken and investigated by remote party -> identified Skype client keeps trying to get data from Skype server but is not able

- Skype client logs investigated by remote party

Timothy_Hall · ‎2020-01-08

I know this probably isn't what you want to hear, but upgrade to R80.30 with the latest GA Jumbo HFA. Massive improvements in HTTPS/TLS Inspection in the realms of functionality and performance.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Chris_Atkinson · ‎2020-01-08

Are you using the in-built HTTP/HTTPS service objects for the Skype rules or have you cloned and modified them?

CCSM R77/R80/ELITE

Dave · ‎2020-01-08

Yes, built-in HTTP/HTTPS service objects, nothing cloned or changed on that.

Dave · ‎2020-01-08

Massive improvements, even if we don't do any HTTPS inspection?

Timothy_Hall · ‎2020-01-09

Your question was about HTTPS/TLS inspection, and the changes specifically related to this feature in R80.30 are very positive and my customers have been very happy with them. R80.30 was a very good release out of the gate in my opinion, R80.20 needed a bit more updates via Jumbo HFA due to all the new features such as SecureXL being reworked.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Are you a member of CheckMates?

SSL/TLS connection issue