Telnet to Port 5061 on Skype Edge Servers fails - Federation

  • Question

  • Skype for Business Edge Pool with 3 Edge Servers. Each server has 4 network interfaces: one internal and the remaining 3 for AE, AV and WC.

    Scaled consolidated edge, DNS load balancing with public IP addresses.

    We are planning to move our Federation from the Lync 2013 Edge Pool to the Skype for Business 2015 Edge Pool. As part of the federation move we had port 5061 opened in the firewall, inbound and outbound. Telnet to port 5061 is failing on the Skype Edge Servers for federation. The Checkpoint firewall is accepting the connection just fine; further troubleshooting using Wireshark/Netmon found that the TCP packets are received on the host and the packets are then resubmitted. I ran Netmon on one of our Edge Servers and captured the traffic while I tried telnet from a workstation. From the logs, I see the workstation sends a SYN request to the host (Edge Servers), the host receives it and sends an ACK, and immediately it retransmits the packets again, and this continues further.

    The snapshot below shows the retransmission packets. My understanding is that this isolates the firewall issue because traffic reaches the host (Edge Servers) and fails at the host. This issue is the same on all 3 Edge Servers and I am not sure what needs to be checked further from the application end. Any further input would be really helpful.

    

    Wednesday, June 28, 2017 5:47 AM

All replies

  • Did you use the default 5061 config in Checkpoint? If you did, that's not going to work. Remove that and create a custom TCP port 5061 rule and then assign that to the Access IP. Then try Telnet. It should work. It's a known thing in Checkpoint that the default 5061 rule does not allow traffic the way it wants.

    http://thamaraw.com

    • Proposed as answer by Allen_WangJF Thursday, June 29, 2017 9:32 AM
    Wednesday, June 28, 2017 6:41 AM
  • Thanks Thamara for your quick response. I have asked my network team to check on Checkpoint, and will update you as soon as I hear from them.

    Just to add further, we are able to telnet on port 443 just fine; it's just port 5061. Hopefully we should get an update tomorrow from our network team on the Checkpoint stuff.

    • Edited by shadythang Wednesday, June 28, 2017 11:45 PM
    Wednesday, June 28, 2017 11:43 PM
  • I reckon the default 5061 template in Checkpoint is the issue. Let us know how it goes :)


    http://thamaraw.com

    Thursday, June 29, 2017 1:10 AM
  • I had it checked with Port Peeker and port 5061 was listening; it was never an issue with Checkpoint, and it was pretty evident that I just had to ensure federation was listening on the host. On the host side (Edge) we enabled federation, and telnet was listening and everything is fine.
    • Edited by shadythang Wednesday, July 12, 2017 7:25 PM
    • Marked as answer by shadythang Wednesday, July 12, 2017 7:26 PM
    Wednesday, July 12, 2017 6:45 PM
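
An added example, not part of the thread: a small Python probe that separates the three outcomes this thread turns on when testing a port such as 5061 (handshake completes, connection refused, SYN unanswered) and pairs each with where to look next. The host name `edge.example.com` is a placeholder, and the function names and hint texts are this example's own.

```python
import socket

def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'error' for one TCP connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # three-way handshake completed: a service is listening
    except ConnectionRefusedError:
        return "refused"       # RST came back: path is clear, nothing bound to the port
    except socket.timeout:
        return "timeout"       # SYN went unanswered; the client just keeps retransmitting
    except OSError:
        return "error"         # name resolution failure, no route, and similar

# Next-step hints (this example's wording, not vendor guidance).
HINTS = {
    "open": "listener reachable end to end",
    "refused": "host reachable but no listener on this port; check the service on the host",
    "timeout": "no reply to SYN; a firewall on the path or on the host dropped it, "
               "so confirm on the host that a listener is bound to this port",
    "error": "connection could not be attempted; check name, address and routing",
}

def survey(host, ports, timeout=3.0):
    """Probe each port and return {port: (result, hint)}."""
    results = {}
    for port in ports:
        result = probe_tcp(host, port, timeout)
        results[port] = (result, HINTS[result])
    return results

if __name__ == "__main__":
    # Placeholder host; 443 and 5061 are the two ports compared in the thread.
    for port, (result, hint) in survey("edge.example.com", [443, 5061]).items():
        print(f"{port}: {result} - {hint}")
```

Comparing a port known to work (443 in the thread) against 5061 from the same client shows whether the failure is specific to one port; a packet capture on the host, as the original poster took, then shows whether the SYN arrived at all.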