Because not enough traffic has passed through to actually allow the firewall to do any app-id analyses. Once enough traffic has actually passed they will be updated with the identified app-id.
In my experience, an incomplete usually signifies either a routing issue or the remote server is blocking/not allowing the connection.
The answers so far have explained reasons for the app to show as Incomplete.
If I read it correctly, I think the question is more along the lines of "Why does the CLI show 'undecided' for the application but the GUI shows 'incomplete' for the same session?"
The answer to that is based on the state of the session:
- If the session is not yet completed, the application identification may still happen since there's still packet flow, so the firewall shows it as undecided.
- When the session ends, you should see it switch from undecided to incomplete. Since the session's done, there's no chance the app will get identified later.
If you're looking at traffic logs, that session is complete and thus the firewall can definitively state that the application ID never completed.
Following up with your response.
This is the issue I'm having with a VM-300 firewall running on an ESXi server.
I have a firewall rule allowing web-browsing, and the client can access the sites via HTTP; however, the app-id is not properly identified in the logs as "web-browsing"; it shows it as "incomplete".
Why would the firewall not identify the app-id if enough sessions have passed the firewall Data Plane? The HTTP site loads with no issues.
Any guidance is appreciated.
I just read BPry's response; however, I'm able to browse the website, which is not encrypted. I open different links inside the website, and they load with no issues, but when I check the traffic logs it doesn't identify the traffic as "web-browsing".
What I did notice is the FW is not having an issue identifying UDP traffic as DNS, or even ICMP traffic. The issue seems to be related to traffic using TCP. I get the same behavior when browsing to HTTPS sites; it shows the app-id as incomplete as well.
I'm using an ESXi host, and a VM-300 with 8.1.3. I'm confused about this app-id behavior.
Do you think doing a flow basic will reveal where the issue is?
Any guidance is appreciated.
Can you give me an example of a website where you see this behaviour?
Normally, incomplete means the PA does not see enough data to identify the application.
Sometimes it is also because the TCP 3-way handshake did not complete.