This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Netadmin2020
Contributor
‎2020-12-31 08:58 AM

Connection terminated before detection. Action Passed

Jump to solution

Hello again,

I have the bellow issue from time to time and I am searching to see what lies behind. 

 

 

 

I red for the early drop optimization and for packet out of states.

early drop.JPG

In my case the traffic always accepted but in some cases with above message.

What are you proposing ?

 

thanx!

0 Kudos
Reply
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-01-01 11:23 AM
In response to Netadmin2020

Jump to solution

If by destination you mean a specific IP, that can be blocked at the TCP SYN.
If the destination is a specific application or a specific action in an application, traffic has to be allowed until such application or action is detected.
At that point, the connection is terminated.

View solution in original post

0 Kudos
Reply
8 Replies
PhoneBoy
Admin
Admin
‎2020-12-31 12:42 PM

Jump to solution

What precise rule is accepting the traffic? This could be expected behavior.

Consider what is required to determine you are tying to access, say: Gmail.
If I open a TCP connection to 192.0.2.1 port 443, the first packet sent is a TCP SYN. Here’s what I know from that:

  1. It’s likely a web-based connection. That said, anything can use port 443, so that’s only an assumption.
  2. It could be a connection to do a Google search, gmail, Google Maps, Google Drive, or any other Google property. Or Office 365 apps. Or something else.
  3. I might be able to do a reverse lookup on the IP to see where it’s going, but that adds latency and provides no guarantee the lookup will show you anything that will help identify the app or website. Or tell you if the content being served up is actually safe.

Bottom line: more information is needed. A few more packets must be let through on the connection before we know exactly what it is.

Meanwhile, the error seems to indicate that the TCP connection terminated before we could figure out precisely what application it was.
Which, given how Application Control works, is something that can (and does) happen.

Reply
Netadmin2020
Contributor
‎2021-01-01 12:01 AM
In response to PhoneBoy

Jump to solution

Good Morning and I wish a happy new year for all of us!

I am attaching everything requested below:

1.PNG

2.PNG

3.PNG

4.PNG

application.PNG

rule150.PNG

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2021-01-01 12:15 AM
In response to Netadmin2020

Jump to solution

That basically confirms what I was saying above: not quite enough bytes to classify the traffic under rule 150.1.
However, because you have an App Control rule, some traffic has to be allowed in order to attempt classification.
This is expected behavior.

Reply
Netadmin2020
Contributor
‎2021-01-01 12:22 AM
In response to PhoneBoy

Jump to solution

This rule was just an example but behavior could be the same for other rules. So you mean that this will not be a problem to the user side?

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2021-01-01 12:23 AM
In response to Netadmin2020

Jump to solution

Shouldn't be since the traffic is being allowed.

0 Kudos
Reply
Netadmin2020
Contributor
‎2021-01-01 12:47 AM
In response to PhoneBoy

Jump to solution

So no further actions are required ? 

0 Kudos
Reply
Netadmin2020
Contributor
‎2021-01-01 01:24 AM

Jump to solution

As far as I understand some data should pass for the classification to be completed but finally the action may be blocked, if there is a rule with deny action to specific destinations.

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2021-01-01 11:23 AM
In response to Netadmin2020

Jump to solution

If by destination you mean a specific IP, that can be blocked at the TCP SYN.
If the destination is a specific application or a specific action in an application, traffic has to be allowed until such application or action is detected.
At that point, the connection is terminated.

View solution in original post

0 Kudos
Reply