According to sk113479, what is happening is the connection is terminated (either by the client or server) prior to the firewall being able to do a deep layer (application/URL Filtering/data/etc.) inspection. Basically the firewall has allowed the original connection based on OSI layers 1-4 because it is still has not passed data in layers 4-7 to determine the actual application/URL/Data/etc. in use by the connection. Since the packet was dropped prior to having this information, the firewall has not come up with a final match within the rule base. Without this final match, the connection would not create a log, so to make sure the connection is logged, the firewall uses this log to let you know the connection was attempted, but there was not enough information to reach a final match and determine if the connection should have been allowed or dropped.
Watch the video in the sk - it goes into more depth about this. Wait for the final example - that is where this is explained in better detail.
