"Connection terminated before detection" in log reason for Unified Rulebase
Symptoms
  • The connection is terminated before detection of required filter criteria. The log shows the following reasons:

    • "Connection terminated before detection: No TCP payload."
    • "Connection terminated before detection: No UDP payload."
    • "Connection terminated before detection: No SSL applicative data."
    • "Connection terminated before detection: Insufficient data."

    • Or, starting in R81.10, it shows the following:
    • "Connection terminated before the Security Gateway was able to make a decision: ..."
Solution

This is expected behavior.

Important notes:
  - The Security Gateway did not drop the connection.
  - There will be no drop print in the debugs.
  - The log is not necessarily due to unwanted behavior of the edge client or the server.
  
A Unified Policy may contain filter criteria that cannot be resolved on the connection's first packet, such as Application or Data. Therefore, on some connections, the final rule match decision is made only on later data packets. Until the final decision is reached, the rule base accepts incoming data packets if a rule allows them (that is, if at least one of the possibly matched rules does not have a Drop/Reject action).

When a connection ends with no application data at all (no data packets), or with too little data for the required engine detection, the rule base issues an Accept log with the first rule that allows the traffic. This rule may not fully match all the application-level criteria, because some of them have not been detected yet.

The corresponding log will contain one of the following Reason strings:

| Error message | Reason |
|---|---|
| Connection terminated before detection: No TCP payload. | The TCP connection was established but after the 3-way handshake, packets containing data have not arrived from one of the sides (client or server). |
| Connection terminated before detection: No UDP payload. | UDP packets containing data have not arrived from the client or from the server. |
| Connection terminated before detection: No SSL applicative data. | The SSL handshake has started or finished, but packets containing encrypted applicative data have not arrived at the Gateway. |
| Connection terminated before detection: Insufficient data. <X> bytes passed | Data packets have arrived, but the amount of data was not enough for the engine detection. The string will also state the number of data bytes (TCP/UDP payload) that may pass the Gateway. |
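
For log review, the reason strings in the table above can be classified and tallied per rule, showing which rules issue Accept logs before detection completed and how many payload bytes passed first. This is an added example, not Check Point code; the key="value" line layout, the field names `rule` and `reason`, and the category names are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Reason prefixes and details as quoted in the article; category names are this example's own.
PREFIX = "Connection terminated before detection: "
PREFIX_R8110 = "Connection terminated before the Security Gateway was able to make a decision: "
NO_DATA = {"No TCP payload.": "no_tcp_payload",
           "No UDP payload.": "no_udp_payload",
           "No SSL applicative data.": "no_ssl_app_data"}
INSUFFICIENT = re.compile(r"Insufficient data\. (\d+) bytes passed")

def classify(reason):
    """Return (category, bytes_passed or None), or None for unrelated reasons."""
    if reason.startswith(PREFIX_R8110):
        return ("undecided_r81_10", None)  # detail text is elided in the article; not parsed
    if not reason.startswith(PREFIX):
        return None
    detail = reason[len(PREFIX):].strip()
    if detail in NO_DATA:
        return (NO_DATA[detail], None)
    m = INSUFFICIENT.match(detail)
    if m:
        return ("insufficient_data", int(m.group(1)))
    return ("unrecognized_detail", None)

def summarize(lines):
    """Per rule: category counts and total payload bytes passed before a decision."""
    counts, passed = defaultdict(Counter), Counter()
    for line in lines:
        fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
        hit = classify(fields.get("reason", ""))
        if hit is None:
            continue
        rule = fields.get("rule", "unknown")
        counts[rule][hit[0]] += 1
        passed[rule] += hit[1] or 0
    return counts, passed

# Constructed sample lines in an assumed key="value" export layout (not a Check Point format).
SAMPLE = [
    'action="Accept" rule="7" reason="Connection terminated before detection: No TCP payload."',
    'action="Accept" rule="7" reason="Connection terminated before detection: Insufficient data. 312 bytes passed"',
    'action="Accept" rule="7" reason="Connection terminated before detection: No TCP payload."',
    'action="Accept" rule="12" reason="Connection terminated before detection: No SSL applicative data."',
    'action="Accept" rule="12" reason="Connection terminated before detection: Insufficient data. 48 bytes passed"',
    'action="Accept" rule="3" reason=""',
]

if __name__ == "__main__":
    counts, passed = summarize(SAMPLE)
    for rule in sorted(counts, key=int):
        print(rule, dict(counts[rule]), "bytes passed:", passed[rule])
```

Because the Accept log is attributed to the first rule that allows the traffic, a rule with a high count here is a candidate for checking whether its non-application criteria (source, destination, service) are as narrow as intended.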
