Support Center > Search Results > SecureKnowledge Details
"Connection terminated before detection" in log reason for Unified Rulebase Technical Level
Symptoms
  • The connection is terminated before detection of required filter criteria. The log shows the following reasons:

    • "Connection terminated before detection: No TCP payload."
    • "Connection terminated before detection: No UDP payload."
    • "Connection terminated before detection: No SSL applicative data."
    • "Connection terminated before detection: Insufficient data."
Solution

This is an expected behavior.

A Unified Policy may contain filter criteria that cannot be resolved on the connection's first packet, such as Application or Data. Therefore, on some connections, the final rule match decision will occur on the following data packets. Until the final decision is reached, the incoming data packets are accepted by rule base, if there is a rule that allows it (meaning if one of the possibly matched rules is not with Drop/Reject action).

In scenarios in which the connection ends without applicative data content at all (no data packets), or the amount of data is not enough for the required engine detection, the rule base will issue an Accept log with the first rule that allows the traffic. This rule may not have complete adequacy with all the applicative criteria because some of them have not been detected yet.

The corresponding log will contain one of the following Reason strings:

Error message Reason
Connection terminated before detection: No TCP payload. The TCP connection was established but after the 3-way handshake, packets containing data have not arrived from one of the sides (client or server).
Connection terminated before detection: No UDP payload.  UDP packets containing data have not arrived from the client or from the server.
Connection terminated before detection: No SSL applicative data. The SSL handshake has started or finished, but packets containing encrypted applicative data have not arrived at the Gateway.
Connection terminated before detection: Insufficient data. <X> bytes passed Data packets have arrived, but the amount of data was not enough for the engine detection. The string will also state the number of data bytes (TCP/UDP payload) that may pass the Gateway.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment