Cisco ASA Firewall troubleshooting show conn and the meaning of flags

A reminder of Cisco ASA firewall troubleshooting with “show conn” and the meaning of its “flags”, hands-on work!


If you are looking at the connections on the firewall, understanding the connection flags is important for understanding the state of each connection, especially if you are troubleshooting or want to confirm that a connection is established and passing traffic.

Cisco ASA firewall command “show conn” and the meaning of the flags:


ciscoasa# show conn detail
<proto> <src_interface> <src_IP>:<port> <dst_interface> <dst_IP>:<port>, idle <h:mm:ss>, bytes <count>, flags UIO

(The second line is a template of one connection entry: protocol, the two interfaces with their addresses and ports, idle time, byte count and the flags column, which is what the list below decodes. “UIO” is a common combination meaning the connection is up with data seen in both directions.)


A – awaiting inside ACK to SYN
a – awaiting outside ACK to SYN

B – initial SYN from outside
b – TCP state-bypass or nailed

C – CTIQBE media
c – cluster centralised

d – dump

E – outside back connection

F – outside FIN
f – inside FIN

G – group
g – MGCP

H – H.323
h – H.225.0

I – inbound data
i – incomplete

j – GTP data

K – GTP t3-response
k – Skinny media

M – SMTP data
m – SIP media

n – GUP

O – outbound data

P – inside back connection
p – Phone-proxy TFTP connection

q – SQL*Net data

R – outside acknowledged FIN
r – inside acknowledged FIN

S – awaiting inside SYN
s – awaiting outside SYN

t – SIP transient

U – up

V – VPN orphan

X – inspected by service module
x – per session

Y – director stub flow
y – backup stub flow

Z – Scansafe redirection
z – forwarding stub flow
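Reading the flags column by hand gets tedious when the connection table is long, so here is an added example (not from the original post and not Cisco code) that parses “show conn” lines and decodes the flags using the exact table listed above. It assumes the common one-line entry format (protocol, interface/address:port pairs, idle, bytes, flags) and uses constructed sample lines with documentation addresses; the flag string “-” is treated as “no flags set”, which is an assumption about how entries without flags are shown.

```python
"""Decode Cisco ASA "show conn" flag strings.

Added example for this post; not Cisco's code. The flag table is the one
listed in the post. The sample output lines below are constructed and use
RFC 5737 documentation addresses; the line layout is an assumption.
"""
import re

# Flag letters and their meanings, exactly as listed in the post (case-sensitive).
ASA_CONN_FLAGS = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside",   "b": "TCP state-bypass or nailed",
    "C": "CTIQBE media",               "c": "cluster centralised",
    "d": "dump",                       "E": "outside back connection",
    "F": "outside FIN",                "f": "inside FIN",
    "G": "group",                      "g": "MGCP",
    "H": "H.323",                      "h": "H.225.0",
    "I": "inbound data",               "i": "incomplete",
    "j": "GTP data",                   "K": "GTP t3-response",
    "k": "Skinny media",               "M": "SMTP data",
    "m": "SIP media",                  "n": "GUP",
    "O": "outbound data",              "P": "inside back connection",
    "p": "Phone-proxy TFTP connection", "q": "SQL*Net data",
    "R": "outside acknowledged FIN",   "r": "inside acknowledged FIN",
    "S": "awaiting inside SYN",        "s": "awaiting outside SYN",
    "t": "SIP transient",              "U": "up",
    "V": "VPN orphan",                 "X": "inspected by service module",
    "x": "per session",                "Y": "director stub flow",
    "y": "backup stub flow",           "Z": "Scansafe redirection",
    "z": "forwarding stub flow",
}

# Flags meaning the TCP three-way handshake has not completed yet.
HANDSHAKE_PENDING = set("AaSsB")
# Flags meaning one or both sides have started tearing the connection down.
CLOSING = set("FfRr")

# One connection entry (assumed layout): proto, two interface/addr:port pairs,
# idle time, byte count and the flags column.
CONN_LINE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<if_a>\S+)\s+(?P<addr_a>\S+)\s+(?P<if_b>\S+)\s+(?P<addr_b>\S+),"
    r"\s*idle\s+(?P<idle>\S+),\s*bytes\s+(?P<bytes>\d+),\s*flags\s+(?P<flags>\S+)"
)

# Constructed sample output (not captured from a real device).
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.5:443 inside 10.1.1.10:50321, idle 0:00:05, bytes 1234, flags UIO
TCP outside 198.51.100.7:22 inside 10.1.1.20:41000, idle 0:00:30, bytes 0, flags saA
UDP outside 203.0.113.53:53 inside 10.1.1.10:55555, idle 0:00:02, bytes 120, flags -
"""


def decode_flags(flags):
    """Return [(letter, meaning)] for each flag letter; "-" means no flags are set."""
    if flags == "-":
        return []
    return [(ch, ASA_CONN_FLAGS.get(ch, "unknown flag")) for ch in flags]


def classify(flags):
    """Summarise what the flag string says about the connection state."""
    fset = set(flags) - {"-"}
    if fset & CLOSING:
        return "closing"
    if {"U", "I", "O"} <= fset:
        return "established, data in both directions"
    if "U" in fset:
        return "established"
    if fset & HANDSHAKE_PENDING or "i" in fset:
        return "handshake not completed (half-open or incomplete)"
    if not fset:
        return "no flags set"
    return "other"


def parse_show_conn(text):
    """Parse show conn output into dicts; lines that do not match the layout are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_LINE.match(line.strip())
        if not m:
            continue
        c = m.groupdict()
        c["bytes"] = int(c["bytes"])
        c["decoded"] = decode_flags(c["flags"])
        c["state"] = classify(c["flags"])
        conns.append(c)
    return conns


def half_open(conns):
    """Connections still waiting on the handshake with no payload bytes: the ones
    to look at first when a host cannot connect or the table is filling up."""
    return [c for c in conns
            if set(c["flags"]) & HANDSHAKE_PENDING and c["bytes"] == 0]


if __name__ == "__main__":
    for c in parse_show_conn(SAMPLE_SHOW_CONN):
        meanings = ", ".join(f"{k}={v}" for k, v in c["decoded"]) or "none"
        print(f"{c['proto']} {c['addr_a']} -> {c['addr_b']} [{c['flags']}] {c['state']}: {meanings}")
```

Run it against saved output of “show conn” and the half_open() list gives you the entries stuck before the handshake finished, which is usually where a blocked or asymmetric path shows up.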



Keep practicing and testing different commands: “practice makes perfect”.

