Netadmin2020
Collaborator

Connection terminated before detection. Action Passed

Hello again,

I have the below issue from time to time and I am searching to see what lies behind.

I read about the early drop optimization and about packets out of state.

early drop.JPG

In my case the traffic is always accepted, but in some cases with the above message.

What are you proposing?

Thanks!


Accepted Solutions
PhoneBoy
Admin

If by destination you mean a specific IP, that can be blocked at the TCP SYN.
If the destination is a specific application or a specific action in an application, traffic has to be allowed until such application or action is detected.
At that point, the connection is terminated.

8 Replies
PhoneBoy
Admin

What precise rule is accepting the traffic? This could be expected behavior.

Consider what is required to determine you are trying to access, say: Gmail.
If I open a TCP connection to 192.0.2.1 port 443, the first packet sent is a TCP SYN. Here’s what I know from that:

  1. It’s likely a web-based connection. That said, anything can use port 443, so that’s only an assumption.
  2. It could be a connection to do a Google search, Gmail, Google Maps, Google Drive, or any other Google property. Or Office 365 apps. Or something else.
  3. I might be able to do a reverse lookup on the IP to see where it’s going, but that adds latency and provides no guarantee the lookup will show you anything that will help identify the app or website. Or tell you if the content being served up is actually safe.

Bottom line: more information is needed. A few more packets must be let through on the connection before we know exactly what it is.

Meanwhile, the error seems to indicate that the TCP connection terminated before we could figure out precisely what application it was.
Which, given how Application Control works, is something that can (and does) happen.

Netadmin2020
Collaborator

Good Morning and I wish a happy new year for all of us!

I am attaching everything requested below:

1.PNG

2.PNG

3.PNG

4.PNG

application.PNG

rule150.PNG

PhoneBoy
Admin

That basically confirms what I was saying above: not quite enough bytes to classify the traffic under rule 150.1.
However, because you have an App Control rule, some traffic has to be allowed in order to attempt classification.
This is expected behavior.

Netadmin2020
Collaborator

This rule was just an example but behavior could be the same for other rules. So you mean that this will not be a problem to the user side?

PhoneBoy
Admin

Shouldn't be since the traffic is being allowed.

Netadmin2020
Collaborator

So no further actions are required?

Netadmin2020
Collaborator

As far as I understand some data should pass for the classification to be completed but finally the action may be blocked, if there is a rule with deny action to specific destinations.

PhoneBoy
Admin

If by destination you mean a specific IP, that can be blocked at the TCP SYN.
If the destination is a specific application or a specific action in an application, traffic has to be allowed until such application or action is detected.
At that point, the connection is terminated.
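
The behaviour described in this thread, as an added example that is not part of the original posts and is not Check Point's implementation: a simplified Python model of top-down rule evaluation in which a plain IP rule can decide on the TCP SYN, while an application rule has to let packets through until the payload can be classified. The rule names, signatures, addresses and packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                 # "accept" or "drop"
    dst: str = "0.0.0.0/0"      # destination network the rule applies to
    app: Optional[str] = None   # None = plain IP rule, decidable on the SYN

# Constructed signatures; a real engine inspects far more than a substring.
SIGNATURES = {b"mail.example": "webmail", b"drive.example": "file-sharing"}

# Constructed rulebase, evaluated top-down.
RULES = [
    Rule("block-ip", "drop", dst="198.51.100.0/24"),
    Rule("block-webmail", "drop", app="webmail"),
    Rule("cleanup", "accept"),
]

def classify(data: bytes) -> Optional[str]:
    return next((app for sig, app in SIGNATURES.items() if sig in data), None)

def evaluate(rules, dst_ip, packets):
    """packets: list of (tcp_flag, payload). Returns (action, reason, packets_seen)."""
    candidates = [r for r in rules if ip_address(dst_ip) in ip_network(r.dst)]
    seen = b""
    for n, (flag, payload) in enumerate(packets, start=1):
        seen += payload
        app = classify(seen)
        for rule in candidates:
            if rule.app is None or rule.app == app:
                return rule.action, f"matched {rule.name}", n
            if app is None:
                break  # an application rule may still match: let more bytes through
        if flag in ("FIN", "RST") and app is None:
            # Mirrors the log in the thread title: traffic passed, never classified.
            return "accept", "Connection terminated before detection", n
    return "accept", "undetermined", len(packets)

if __name__ == "__main__":
    syn, ack = ("SYN", b""), ("ACK", b"")
    print(evaluate(RULES, "198.51.100.7", [syn]))                  # IP rule, packet 1
    print(evaluate(RULES, "192.0.2.1", [syn, ack, ("PSH", b"host=mail.example")]))
    print(evaluate(RULES, "192.0.2.1", [syn, ack, ("FIN", b"")]))  # closed early
```

The third call is the case from the original question: the connection closes before any classifiable bytes arrive, so it is logged as passed rather than matched to the application rule.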
