Respond to Incomplete connection closed log messages

Logs that contain “incomplete connection closed” messages indicate that a Firewall determined that a connection was unsuccessful and removed it from its records.

“Incomplete connection closed” messages are shown in logs when the Firewall allows a connection and passes the first packet of a connection (the SYN packet), but the reply packet (SYN/ACK) from the destination host does not arrive at the Firewall.

One of the following situations can cause the connection to be incomplete:

  • The SYN packet did not reach the destination.
  • The SYN packet reached its destination, but the destination host did not send any reply.
  • The SYN packet reached its destination and the destination host replied, but the reply packet did not reach the Firewall.

It is normal to see a few of these messages in the log from time to time. However, a higher number of these messages can indicate problems in your network or the communicating applications.

Steps

  1. If this message appears in the logs often for legitimate traffic, there is a networking problem that you must address. Use normal network troubleshooting tools to find out where the packets are lost. You can generate a tcpdump file by taking a Traffic Capture from the SMC.
  2. In some cases, SYN packets can be sent maliciously to random hosts as an attempt to find out your network structure. These attempts can sometimes be seen as SYN packets to hosts that do not exist. If access to those addresses is allowed and routable, this process can trigger the Incomplete Connection Closed messages. The possibility of successful scans can be reduced by using dynamic NAT on the Firewall.
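As an added example (not part of the SMC documentation or product), the script below runs over constructed log lines to separate the two cases the steps above describe: one source failing against many destinations (a possible scan, step 2) versus many sources failing against one destination (a path or host problem, step 1). The log field layout, field names and thresholds are assumptions, not the SMC export format.

```python
# Added example, not product code: triage constructed "Incomplete connection
# closed" events into the two patterns the troubleshooting steps describe.
# Log layout (src=, dst=, dport=, msg=) is an assumption.
import re
from collections import defaultdict

# Constructed sample lines; addresses and format are made up for the example.
SAMPLE_LOG = """\
2024-05-01T10:00:01 fw1 src=10.1.1.5 dst=192.0.2.10 dport=443 msg="Incomplete connection closed"
2024-05-01T10:00:02 fw1 src=10.1.1.5 dst=192.0.2.11 dport=443 msg="Incomplete connection closed"
2024-05-01T10:00:02 fw1 src=10.1.1.5 dst=192.0.2.12 dport=22 msg="Incomplete connection closed"
2024-05-01T10:00:03 fw1 src=10.1.1.5 dst=192.0.2.13 dport=22 msg="Incomplete connection closed"
2024-05-01T10:00:04 fw1 src=10.1.1.7 dst=192.0.2.50 dport=80 msg="Connection allowed"
2024-05-01T10:00:05 fw1 src=10.1.1.8 dst=192.0.2.99 dport=8080 msg="Incomplete connection closed"
2024-05-01T10:00:06 fw1 src=10.1.1.9 dst=192.0.2.99 dport=8080 msg="Incomplete connection closed"
2024-05-01T10:00:07 fw1 src=10.1.1.10 dst=192.0.2.99 dport=8080 msg="Incomplete connection closed"
"""

LINE_RE = re.compile(r'src=(\S+) dst=(\S+) dport=(\d+) msg="([^"]*)"')

def parse_incomplete(log_text):
    """Return (src, dst, dport) tuples for incomplete-connection events only."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(4).lower() == "incomplete connection closed":
            events.append((m.group(1), m.group(2), int(m.group(3))))
    return events

def triage(events, scan_threshold=3, outage_threshold=3):
    """Group events so the two patterns from the steps stand out:
    - one source with many distinct failed destinations -> possible scan
    - one destination failed by many distinct sources -> likely path/host problem
    """
    dsts_per_src = defaultdict(set)
    srcs_per_dst = defaultdict(set)
    for src, dst, _ in events:
        dsts_per_src[src].add(dst)
        srcs_per_dst[dst].add(src)
    suspected_scanners = sorted(s for s, d in dsts_per_src.items() if len(d) >= scan_threshold)
    unreachable_hosts = sorted(d for d, s in srcs_per_dst.items() if len(s) >= outage_threshold)
    return {"suspected_scanners": suspected_scanners, "unreachable_hosts": unreachable_hosts}

if __name__ == "__main__":
    print(triage(parse_incomplete(SAMPLE_LOG)))
```

Hosts that show up under unreachable_hosts are the ones to check with normal network troubleshooting (routing, host state, a Traffic Capture), while suspected_scanners point at sources whose access rules and NAT settings deserve a second look.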