Paired ICON registration failing with Lifesize Cloud Nodes when ICON is behind Palo Alto Firewall

Document created by nrajurkar Support on Jul 19, 2017. Last modified by nrajurkar Support on Jul 19, 2017.
Version 2

Issue: ICON paired successfully with Lifesize Cloud but ICON registration is failing.

 

Error messages printed in ICON sys.log:

2017-07-13 11:45:36.751003 LifeSize-09:EC:79 SignalingServer: {COMM:HttpClient.c:1680:ERR}-1:css_cluster_request perform_multi_http_request failed

2017-07-13 11:45:36.751209 LifeSize-09:EC:79 SignalingServer: {COMM:HttpClient.c:1689:DIAG}-1:css_cluster_request() No response from lifesizecloud.com

2017-07-13 11:45:36.751867 LifeSize-09:EC:79 SignalingServer: {COMM:HttpClient.c:1841:I}-1:Exiting css_discovery() server discovery CSS_HTTP_FAILURE domain=lifesizecloud.com ip=lifesizecloud.com

 

Analysis:

1. The ICON is able to establish a TCP connection to the Lifesize Cloud node on port 443.

2. The TLS handshake with the Cloud node is then rejected by the ICON with the alert "Unknown CA".

3. Network traces taken on the ICON show that the server certificate provided by the Cloud node has been modified.

4. Because of this, the ICON rejects the TLS handshake.

5. As a result, no further signaling takes place between the ICON and the Cloud node, which causes the ICON registration failure.

 

Resolution:

Create a rule in the Palo Alto firewall that puts the Lifesize Cloud node IPs in a decryption exemption.

Steps:

1. Create entries for the Lifesize node IPs under "Objects ---> Addresses".

2. Create an entry "Lifesize Cloud" under "Objects ---> Address Groups" and assign the Lifesize node IP entries to this group.

3. Go to the "Policies" tab ---> under "Security" go to "Decryption" ---> create a new "Decryption Policy Rule" as shown in the screenshots.
Note: Make sure you select "No Decrypt" under the Options tab.
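
One way to confirm the diagnosis, and to check after the rule is in place that the exemption takes effect, is sketched here as an added example (not part of the original article and not Lifesize or Palo Alto tooling). It assumes a host whose traffic crosses the same firewall policy as the ICON and a reference fingerprint recorded from a network path with no SSL decryption; the function names and result labels are hypothetical.

```python
import hashlib
import re
import socket
import ssl

# Two of the sys.log lines quoted in the article, used as sample input.
SAMPLE_LOG = """\
2017-07-13 11:45:36.751209 LifeSize-09:EC:79 SignalingServer: {COMM:HttpClient.c:1689:DIAG}-1:css_cluster_request() No response from lifesizecloud.com
2017-07-13 11:45:36.751867 LifeSize-09:EC:79 SignalingServer: {COMM:HttpClient.c:1841:I}-1:Exiting css_discovery() server discovery CSS_HTTP_FAILURE domain=lifesizecloud.com ip=lifesizecloud.com
"""
DISCOVERY_FAILURE = re.compile(
    r"css_discovery\(\) server discovery CSS_HTTP_FAILURE domain=(\S+)")

def failed_domains(log_text):
    """Domains for which css_discovery() exited with CSS_HTTP_FAILURE."""
    return sorted(set(DISCOVERY_FAILURE.findall(log_text)))

def probe(host, port=443, timeout=5.0):
    """Return (trusted, SHA-256 hex of the leaf certificate) as seen from this host."""
    def handshake(ctx):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    try:
        der, trusted = handshake(ssl.create_default_context()), True
    except ssl.SSLCertVerificationError:
        # Validation failed (compare the ICON's "Unknown CA" alert):
        # reconnect without verification just to fingerprint the certificate.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        der, trusted = handshake(ctx), False
    return trusted, hashlib.sha256(der).hexdigest()

def classify(trusted, fingerprint, reference):
    """Compare a probe result with a fingerprint from an undecrypted path."""
    if not trusted:
        return "verification-failed"   # certificate does not chain to a trusted CA
    if fingerprint.lower() != reference.lower():
        # Validates, but is not the reference certificate: re-signed by a CA
        # this host trusts, or the server presents a different/rotated cert.
        return "fingerprint-mismatch"
    return "unmodified"

if __name__ == "__main__":
    for domain in failed_domains(SAMPLE_LOG):
        print(domain, probe(domain))
```

A managed workstation may already trust the firewall's signing CA, so a successful validation alone does not prove the session is undecrypted; the fingerprint comparison covers that case.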

 

 
