In earlier versions of IVE (pre 6.1 I think) there used to be a network connect user log which could be optionally enabled for precisely this reason, under dire warnings of potential performance problems caused by logging these packets. For reasons that were never explained it was dropped. This now makes troubleshooting NC incredibly difficult especially when dealing with "messy" protocols such as Windows Domain auth and SMB which make random connections all over the place.
Whilst it is possible to do client-side logging, It doesn't do per-packet logging.
Not ideal, but the best solution I have is to install Wireshark or similar on a test PC, capture on the network connect interface and look for unreturned TCP syns/ restransmits from the client PCs. This is incredidly labour intenstive compared to look for a "deny" in an event log and adding that destination/port to the ACL.