Limitations of Connection Logging

You cannot log:

The outer session of a plaintext, passthrough tunnel whose encapsulated connections are inspected by access control.
TCP connections if the three-way handshake is not completed, to avoid denial-of-service attacks against your firewalls. To monitor or debug failed connections, you can use the packet capture feature (Packet Capture Overview).