Reminder of Cisco ASA Firewall troubleshooting: “show conn” and the meaning of the “flags”, hands-on work!

[Image: Cisco ASA 5510, front view]

If you are looking at the connections on the firewall, understanding the connection flags is important for understanding the status of each connection, especially if you are troubleshooting or want to confirm a connection.

Cisco ASA firewall command “show conn” and the meaning of the flags:

[Image: Cisco document 113602, figure 1]

ciscoasa# show conn detail
<protocol> <interface> <src_IP>:<port> <interface> <dst_IP>:<port>, idle <time>, bytes <count>, flags UIO

Reading that example against the legend below: U (up) means the connection is established, and I and O mean data has been seen inbound and outbound, so UIO is a healthy, bidirectional connection.

Flags:

A – awaiting inside ACK to SYN
a – awaiting outside ACK to SYN

B – initial SYN from outside
b – TCP state-bypass or nailed

C – CTIQBE media
c – cluster centralised

D – DNS
d – dump

E – outside back connection

F – outside FIN
f – inside FIN

G – group
g – MGCP

H – H.323
h – H.225.0

I – inbound data
i – incomplete

J – GTP
j – GTP data

K – GTP t3-response
k – Skinny media

M – SMTP data
m – SIP media

n – GUP

O – outbound data

P – inside back connection
p – Phone-proxy TFTP connection

q – SQL*Net data

R – outside acknowledged FIN
R – UDP SUNRPC
r – inside acknowledged FIN

S – awaiting inside SYN
s – awaiting outside SYN

T – SIP
t – SIP transient

U – up

V – VPN orphan

W – WAAS

X – inspected by service module
x – per session

Y – director stub flow
y – backup stub flow

Z – Scansafe redirection
z – forwarding stub flow
 

Another illustration

[Image: Cisco document 113602, figure 2]

Images are from Cisco.com.
There is also a brief article on cisco.com: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113602-ptn-113602.html

Keep practicing and testing different commands; “practice makes perfect”.

FeijaoUK