I am trying to solve a problem that probably is not firewall related, but it would help us a lot if we could see how a connection ended.
We activated TCP State Logging as described in sk101221. And we see log entries that contain a "TCP State" entry. Unluckily this is only available for 10% of all TCP sessions. Most TCP sessions do not contain any TCP State. This is surprising as we selected "3" (When connection state change), so we would expect every connection to have a TCP State.
All connections were accepted.
I was using "fw log" to analyse the log, as SmartConsole requires you to click on a log entry to see if there is a TCP State and we have thousands of log entries. But from checking in SmartConsole, the percentage of log entries containing a TCP State is mostly the same. We made sure the connection started and ended in the same log file.
Are some connections excluded from reporting the TCP State? I see no limitation in sk101221.
What I noticed:
- Entries with "LogId: 9" always have a TCP State.
- Entries with a LogId other than "9" never have a TCP State.
Environment: VSX, R81.10
Sincerely yours, Martin
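
Added example, not part of the original post: a script that tallies which TCP records in `fw log` text output carry a "TCP State" field, grouped by LogId, so the pattern described above can be checked over a whole log file instead of entry by entry. The `key: value;` record layout, the `proto` field, the state values and the sample records are assumptions constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# Constructed sample records (not real logs). Assumed layout: "key: value;" pairs.
# The TCP State values are placeholders, not values taken from the product.
SAMPLE = """\
10:00:01 accept gw1 LogId: 0; src: 10.0.0.5; dst: 10.0.1.9; proto: tcp; service: 443;
10:00:04 accept gw1 LogId: 9; src: 10.0.0.5; dst: 10.0.1.9; proto: tcp; service: 443; TCP State: state-a;
10:00:07 accept gw1 LogId: 0; src: 10.0.0.6; dst: 10.0.1.9; proto: tcp; service: 22;
10:00:08 accept gw1 LogId: 0; src: 10.0.0.6; dst: 10.0.1.7; proto: udp; service: 53;
10:00:12 accept gw1 LogId: 9; src: 10.0.0.6; dst: 10.0.1.9; proto: tcp; service: 22; TCP State: state-b;
10:00:15 accept gw1 LogId: 2; src: 10.0.0.7; dst: 10.0.1.9; proto: tcp; service: 80;
"""

LOGID = re.compile(r"\bLogId:\s*(\d+)")
STATE = re.compile(r"\bTCP State:\s*([^;]+)")
PROTO_TCP = re.compile(r"\bproto:\s*tcp\b")  # assumed field name and value


def tally(lines):
    """Return {LogId: [records_with_tcp_state, records_total]} for TCP records."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        if not PROTO_TCP.search(line):
            continue  # skip non-TCP records and blank lines
        match = LOGID.search(line)
        log_id = match.group(1) if match else "none"
        counts[log_id][1] += 1
        if STATE.search(line):
            counts[log_id][0] += 1
    return dict(counts)


def coverage(counts):
    """Fraction of all TCP records that carry a TCP State field."""
    with_state = sum(c[0] for c in counts.values())
    total = sum(c[1] for c in counts.values())
    return with_state / total if total else 0.0


if __name__ == "__main__":
    # Pipe the text output of "fw log" in, or run without input to use the sample.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    result = tally(source)
    for log_id, (with_state, total) in sorted(result.items()):
        print(f"LogId {log_id}: {with_state}/{total} records with TCP State")
    print(f"overall: {coverage(result):.0%}")
```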