I often find myself troubleshooting connections through an ASA. As a firewall, the ASA is often blamed for network connectivity issues. Therefore, we often just want to determine if the issue is upstream or downstream from the firewall. One of the first things that comes to mind is the packet capture capability. However, there is a simpler tool that may quickly answer these types of questions. That tool is the “show conn” command.
The show conn command can be filtered to a particular IP address and can demonstrate the current state of a connection. If the connection isn’t listed at all, the initiating packet probably isn’t making it into the ASA’s logic.
Note to reader: All ASA content can be accessed by clicking here (or choosing ASA from the menu at the top of the page).
A quick examination of this command leaves a lot to be desired.
ASA# show conn 11 in use, 338 most used TCP outside 220.127.116.11:443 inside 192.168.2.18:56154, idle 0:00:40, bytes 7913, flags UIO TCP outside 18.104.22.168:443 inside 192.168.2.18:56153, idle 0:01:02, bytes 7677, flags UIO TCP outside 192.168.1.111:23 inside 192.168.2.18:56160, idle 0:00:00, bytes 0, flags saA TCP outside 22.214.171.124:443 inside 192.168.2.18:55784, idle 0:00:05, bytes 40992, flags UIO TCP outside 126.96.36.199:5223 inside 192.168.2.18:55552, idle 0:02:25, bytes 5314, flags UIO TCP outside 188.8.131.52:80 inside 192.168.2.18:56157, idle 0:00:39, bytes 2825, flags UIO TCP outside 184.108.40.206:80 inside 192.168.2.18:56156, idle 0:00:39, bytes 3937, flags UIO TCP outside 220.127.116.11:5222 inside 192.168.2.18:55555, idle 0:00:09, bytes 23908, flags UIO TCP outside 18.104.22.168:443 inside 192.168.2.18:56112, idle 0:00:03, bytes 127339, flags UIO TCP outside 22.214.171.124:443 inside 192.168.2.18:55553, idle 0:00:14, bytes 102320, flags UIO ASA#
Although we can easily filter it using the address parameter, there are likely a lot of remaining questions.
ASA# show conn address 192.168.1.111 11 in use, 338 most used TCP outside 192.168.1.111:23 inside 192.168.2.18:56160, idle 0:00:04, bytes 0, flags saA ASA#
Notice the flags in the output. These should surely shed some light on the connection status.
By adding the detail keyword, the ASA will share the meaning of the possible flag values.
ASA# show conn address 192.168.1.111 detail
As shown above, the flags saA indicates that this connection is awaiting the outside syn (s), outside ack (a), and inside ack (A). When we apply our TCP knowledge of the three way handshake (syn, syn-ack, ack), we can deduce that the ASA has only seen the inside SYN. Since the “outside syn” has not been seen, everything else is irrelevant.
Given this scenario, an administrator can see that the problem is somewhere between the outside interface and the server. In this case, the server simply didn’t exist.