Don’t Forget about the ASA’s “show conn” Command

I often find myself troubleshooting connections through an ASA. As a firewall, the ASA is often blamed for network connectivity issues. Therefore, we often just want to determine if the issue is upstream or downstream from the firewall. One of the first things that comes to mind is the packet capture capability. However, there is a simpler tool that may quickly answer these types of questions. That tool is the “show conn” command.

The show conn command can be filtered to a particular IP address and can demonstrate the current state of a connection. If the connection isn’t listed at all, the initiating packet probably isn’t making it into the ASA’s logic.


A quick examination of this command leaves a lot to be desired.

ASA# show conn
11 in use, 338 most used
TCP outside inside, idle 0:00:40, bytes 7913, flags UIO
TCP outside inside, idle 0:01:02, bytes 7677, flags UIO
TCP outside inside, idle 0:00:00, bytes 0, flags saA
TCP outside inside, idle 0:00:05, bytes 40992, flags UIO
TCP outside inside, idle 0:02:25, bytes 5314, flags UIO
TCP outside inside, idle 0:00:39, bytes 2825, flags UIO
TCP outside inside, idle 0:00:39, bytes 3937, flags UIO
TCP outside inside, idle 0:00:09, bytes 23908, flags UIO
TCP outside inside, idle 0:00:03, bytes 127339, flags UIO
TCP outside inside, idle 0:00:14, bytes 102320, flags UIO

Although we can easily filter it using the address parameter, there are likely a lot of remaining questions.

ASA# show conn address
11 in use, 338 most used
TCP outside inside, idle 0:00:04, bytes 0, flags saA

Notice the flags in the output. These should surely shed some light on the connection status.

(Screenshot: show conn output showing the flags column)

By adding the detail keyword, the ASA will share the meaning of the possible flag values.

ASA# show conn address detail

(Screenshot: show conn detail output with the flag legend)

As shown above, the flags saA indicate that this connection is awaiting the outside SYN (s), the outside ACK (a), and the inside ACK (A). Applying our knowledge of the TCP three-way handshake (SYN, SYN-ACK, ACK), we can deduce that the ASA has only seen the inside SYN. Since the “outside syn” has not been seen, the remaining flags are irrelevant.

Given this scenario, an administrator can see that the problem is somewhere between the outside interface and the server. In this case, the server simply didn’t exist.
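The same deduction can be scripted when you have a lot of output to go through. The following is an added example written for this post, not Cisco code and not part of the original article: it parses show conn lines, expands the flag letters using a partial legend (s, a, A from the post, U, I, O from the comments, and a few others from the standard ASA legend), and classifies the handshake state of each connection the way the post does by hand. The sample output and its addresses are constructed; the parsing regex assumes the “TCP outside addr:port inside addr:port, idle h:mm:ss, bytes n, flags x” layout shown above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Partial legend for "show conn detail" flag letters. s, a, A come from the
# post, U, I, O from the comments; the rest are taken from the standard ASA
# legend (assumed here; the header of "show conn detail" on your release is
# the authoritative list).
FLAG_LEGEND = {
    "U": "up (three-way handshake completed)",
    "I": "inbound data seen",
    "O": "outbound data seen",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside",
    "f": "inside FIN",
    "F": "outside FIN",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
}

# Assumed line layout, matching the post's output with the addresses present.
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<out_if>\S+)\s+(?P<out_addr>\S+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_addr>\S+),\s+idle\s+(?P<idle>\d+:\d\d:\d\d),\s+"
    r"bytes\s+(?P<bytes>\d+),\s+flags\s*(?P<flags>\S*)$"
)


@dataclass
class Conn:
    proto: str
    out_if: str
    out_addr: str
    in_if: str
    in_addr: str
    idle_s: int
    bytes: int
    flags: str


def idle_seconds(text: str) -> int:
    """Convert the h:mm:ss idle column to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_conn(line: str) -> Optional[Conn]:
    """Parse one connection line; header lines such as '11 in use' return None."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    return Conn(m["proto"], m["out_if"], m["out_addr"], m["in_if"], m["in_addr"],
                idle_seconds(m["idle"]), int(m["bytes"]), m["flags"])


def describe_flags(flags: str) -> List[str]:
    """Expand each flag letter to its meaning, marking letters not in the legend."""
    return [FLAG_LEGEND.get(f, f"unknown flag '{f}'") for f in flags]


def handshake_state(flags: str) -> str:
    """Apply the post's reasoning: which side of the handshake has the ASA seen?"""
    if "U" in flags:
        return "established"
    if "s" in flags:
        # Only the inside SYN has been seen; no SYN/ACK came back from outside.
        return "inside SYN seen, no SYN/ACK from outside: check outside interface to server"
    if "S" in flags:
        # Mirror image: only the outside SYN has been seen.
        return "outside SYN seen, no SYN/ACK from inside: check inside interface to host"
    if "a" in flags or "A" in flags:
        return "SYN and SYN/ACK seen, awaiting final ACK"
    return "no handshake flags set"


def triage(output: str, address: Optional[str] = None) -> List[dict]:
    """Summarise every connection line, optionally filtered by IP like 'show conn address'."""
    results = []
    for line in output.splitlines():
        conn = parse_conn(line)
        if conn is None:
            continue
        hosts = (conn.out_addr.rsplit(":", 1)[0], conn.in_addr.rsplit(":", 1)[0])
        if address and address not in hosts:
            continue
        results.append({
            "outside": conn.out_addr, "inside": conn.in_addr,
            "idle_s": conn.idle_s, "bytes": conn.bytes, "flags": conn.flags,
            "meaning": describe_flags(conn.flags), "state": handshake_state(conn.flags),
        })
    return results


# Constructed sample output (documentation-range addresses), not a real capture.
SAMPLE_OUTPUT = """\
11 in use, 338 most used
TCP outside 203.0.113.10:443 inside 192.0.2.25:51234, idle 0:00:40, bytes 7913, flags UIO
TCP outside 203.0.113.99:80 inside 192.0.2.25:51240, idle 0:00:04, bytes 0, flags saA
TCP outside 203.0.113.10:22 inside 192.0.2.30:40100, idle 0:00:00, bytes 646447447, flags UIO
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE_OUTPUT, "203.0.113.99"):
        print(f"{entry['outside']} <-> {entry['inside']} flags {entry['flags']}: {entry['state']}")
```

Run against the sample, the filtered connection to 203.0.113.99 is reported as stuck after the inside SYN, which is exactly the conclusion drawn above; connections carrying U are reported as established.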


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

5 Responses to Don’t Forget about the ASA’s “show conn” Command

  1. Daniel says:

    Wow, very useful indeed. I didn’t know about this command. You’re quite right, sometimes the 1st thought from other Teams when something is not working is “Is the ASA blocking this??”

    I’ll bookmark this one, thanks for sharing Paul!

  2. Pingback: Internets of Interest for 24th April 2014 - EtherealMind

  3. Yes it is useful – thanks for the post Paul. I have a love-hate relationship with it though as I got an inordinate number of questions on the connection flags in the CCNP Firewall exam. :-p

    n.b. – I think you mean “exist” in your final sentence in the post above.

  4. shriman pachouri says:

    idle 0:00:00, bytes 646447447, flags UIO
    What is the meaning of idle 0:00:00 & bytes 646447447?

    • Avinash Sahu says:

      Hi shriman, it means this traffic flow has completed the 3-way TCP handshake (U), and has had both inbound (I) and outbound (O) packets.
