Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Dilmurat_Zakiro
Participant

Skype does not work via Checkpoint proxy server

Hello guys, can you help me. i use my checkpoint as a corporate non-transparent http/https proxy server. and my users cannot use Skype application via this proxy server. i allowed "All recognized" access for skype user. but skype still does not work. 

configuration on firewall:

configuration on application control/url filtering  policy:

when we try to run skype i've got some debug results:

[Expert@CP-SG1:0]# fw ctl zdebug drop |grep 10.0.1.194
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 10.0.1.194:55980 -> 10.30.12.212:8080 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 10.0.1.194:55980 -> 10.30.12.212:8080 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 10.0.1.194:55980 -> 10.30.12.212:8080 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 10.0.1.194:55980 -> 10.30.12.212:8080 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 10.0.1.194:55980 -> 10.30.12.212:8080 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 10.0.1.194:55980 -> 10.30.12.212:8080 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;

how to fix problem and run Skype?

0 Kudos
4 Replies
PhoneBoy
Admin
Admin

First Packet Isn't SYN suggests the application thinks the connection with the proxy is still open, whereas the firewall has timed out the connection due to inactivity.

What happens when you quit and restart the Skype application?

0 Kudos
Dilmurat_Zakiro
Participant

hi! Thank you for your response!

 when i  quit and restart the Skype application - the problem remains the same. 

the problem is fixed by upgrading skype to last 8.12 version. exeption is windows 10 - this version of skype(8.12) is not compatible with windows 10.

0 Kudos
Hugo_vd_Kooij
Advisor

I recommend to use Smartview Tracker for this. Find the First packet isn't SYN line.

Then filter on Client IP, Client port, Server IP and Server port and you should see an accept line at least an hour ahead of this.

If that is the case I recommend you change you TCP Keep-Alive settings to 900 seconds (15 minutes) instead of the default 7200 seconds (2 hours).

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Thomas_Fortner
Explorer

Also, the SYN packet should not be on port 55980, which makes me wonder about the Skype configuration. These are the ports required by Skype:

  • 443/TCP
  • 3478-3481/UDP
  • 49152-65535/UDP + TCP

The SYN packet should be on TCP 443, and once the three way handshake has been established, then a high port is used for the conversation stream, which should be 49152-65535 UDP. Ports 3478-3481 are for directory and status updates, not the media stream. Since RTP is a UDP protocol (and thus stateless) the SYN packet message in the tcpdump applies to the connection to Skype, not the conversation stream.

Tom Fortner

Check Point Certified Master Architect

Fort Worth, Texas

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events