Create a Post
Showing results for 
Search instead for 
Did you mean: 

TCP State Logging: Only 10% of the connections have a TCP State


I am trying to solve a problem that probably is not firewall related, but it would help us a lot if we could see how a connection ended.

We activated TCP State Logging as described in sk101221. And we see log entries that contain a "TCP State" entry. Unluckily this is only available for 10% of all TCP sessions. Most TCP sessions do not contain any TCP State. This is surprising as we selected "3" (When connection state change), so we would expect every connection to have a TCP State.

All connections were accepted.

I was using to "fw log" to analyse the log as SmartConsole requires you to click on a log entry to see if there is a TCP State and we have thousands of log entries. But from checking from SmartConsole, the percentage of log entries containing a TCP State is mostly the same. We made sure the connection started and ended in the same log file.

Are some connections excluded from Reporting the TCP State? I see no limitation in the sk101221.

What I noticed:

  • Entries with "LogId: 9" always have a TCP State.
  • Entries with a LogId other than "9" never have a TCP State.

Environment: VSX, R81.10

Sincerely yours, Martin

0 Kudos
3 Replies

TCP state logging is a rather old feature introduced in R77.10; I'm wondering if the big SecureXL changes in R80.20 are not compatible with it, and as such you are only seeing TCP state for F2F/slowpath traffic for which you normally want to see 10% or less.  You could try forcing critical traffic for which you must see TCP state info into F2F/slowpath as described here and see if it makes a difference: sk104468: How to disable SecureXL for specific IP addresses

Looking at the current list of sim-specific kernel variables, I don't see one corresponding to fwconn_tcp_state_logging.  So trying to do a fw ctl set int of this variable with the -a argument to set it inside sim/SecureXL is unlikely to have any effect but might be worth a try too.


Updated 2023 IPS/AV/ABOT R81.20 Course now
available at
0 Kudos

Can you provide an example log card for connections that don't have TCP state?
Redact any sensitive details.
Recommend opening a TAC case in parallel.

0 Kudos

First thing I was going to suggest was to try disable sxl to see if that fixes the problem. Also, specific log entry related to it would help, just blur out any sensitive/orivate data.

0 Kudos