I' m replying to my own post in case anyone else finds this useful. I have an open ticket with FTNT on this issue. I have a workaround in place for now by whitelisting all the IP' s associated with Skype logins. There appears to be a Skype login problem (at least with my config) if SSL certificate inspection is turned on. These Skype IPs can be found by running this BASH script:

 #!/bin/bash
 for i in {0..20} ; do dig +short dsn$i.skype-dsn.akadns.net; done | sort | uniq

If you don' t want to enter all 107 unique Skype addresses into the firewall, you can come close by using these class C' s: 111.221.74.0/24 111.221.77.0/24 157.55.130.0/24 157.55.235.0/24 157.55.56.0/24 157.56.52.0/24 213.199.179.0/24 64.4.23.0/24 65.55.223.0/24 (Credit to http://pingtool.org/block-skype-connection/ for the script and address info.) Just put them as destination addresses in a separate policy that does not have SSL inspection turned on. I realize these are static addresses and that Skype addresses are potentially dynamic. However, the above addresses have been stable for at least the last year or two. For me, that' s good enough for a temporary work-around.

I've been in a dialog with tech support on this issue. 

 

There are some issues with scanning SSL connections using a proxy connection. If you switch to using flow mode for your scanning, Skype will work. This is for 5.0.7, but I imagine this works for 5.2 as well.

 

You can also turn off port 443 scanning in 5.0.7, and it should default to certificate scanning at that point.

 

Ultimately, there will be changes coming down to 5.4 and beyond that will address some of these issues. We need a function to whitelist an app (like Skype), and I believe this is in the works.