Cisco ASA troubleshooting using sh conn command


When you are troubleshooting a TCP connection on a Cisco ASA firewall, the output of 'show conn' (sh conn) provides a lot of important information about the state of the connection: the two endpoints and their interfaces, the idle time, the byte count, and the connection flags. Below are the flag details and an example of sh conn output on the Cisco ASA.

[Figure: connection flag legend, inbound connection]

[Figure: connection flag legend, outbound connection]


From the first line of output (flags saA) you can see that the outbound connection is still embryonic: the ASA has seen the first SYN from the inside host and is now waiting for the outside host's SYN (s) and its ACK to the SYN (a), and for the inside host's final ACK (A). The byte count of 0 confirms that no payload has been exchanged yet.

In the second line (flags UIO) the connection is up (U), meaning the three-way handshake completed, and data has been seen in both directions: inbound (I) and outbound (O). Here the dmz host 172.16.103.221 is talking to the web server 192.168.10.5 on port 80.

Similarly, for the other connections you can work out the state by decoding the flags. In the example below, seven of the nine connections are saA connections with 0 bytes from the same inside host, 192.168.10.10, to port 5223 on different outside hosts. A pile of half-open connections like this from one host is worth a closer look: either the outside hosts are not reachable or something between them and the ASA is dropping the SYN/ACK.

=====================================
ASA# show conn protocol tcp
104 in use, 7777 most used
TCP outside 10.10.10.59:5223 inside 192.168.10.10:52419, idle 0:00:11, bytes 0, flags saA
TCP outside 192.168.10.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO
TCP outside 10.10.10.217:5223 inside 192.168.10.10:52425, idle 0:00:10, bytes 0, flags saA
TCP outside 10.10.10.217:443 inside 192.168.10.10:52427, idle 0:01:02, bytes 4504, flags UIO
TCP outside 10.10.10.57:5223 inside 192.168.10.10:52412, idle 0:00:23, bytes 0, flags saA
TCP outside 10.10.10.116:5223 inside 192.168.10.10:52408, idle 0:00:23, bytes 0, flags saA
TCP outside 10.10.10.60:5223 inside 192.168.10.10:52413, idle 0:00:23, bytes 0, flags saA
TCP outside 10.10.10.96:5223 inside 192.168.10.10:52421, idle 0:00:11, bytes 0, flags saA
TCP outside 10.10.10.190:5223 inside 192.168.10.10:52424, idle 0:00:10, bytes 0, flags saA
=====================================

[Figure: TCP connection flag legend]
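Decoding flags by eye works for nine lines but not for a few thousand. The following Python script is an added example (not code from the original post): it parses sh conn lines like the ones above, classifies each connection as half-open, established or closing from its flags, and counts half-open connections per host so that a host with many embryonic connections stands out. The flag legend is a partial transcription of the ASA show conn detail legend and the half_open_threshold value is an arbitrary assumption; check both against your own ASA version and environment. The sample input is the output shown on this page.

```python
"""Parse Cisco ASA `show conn` output and decode the TCP connection flags.

Added example for this page; it is not Cisco's code and not the
original post's. FLAG_LEGEND is a partial transcription of the
`show conn detail` legend (assumption: verify it on your ASA).
"""
import re
from collections import Counter

# Subset of the ASA TCP connection flags (assumed to match the ASA legend).
FLAG_LEGEND = {
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside",
    "U": "up (three-way handshake complete)",
    "I": "inbound data",
    "O": "outbound data",
    "f": "inside FIN",
    "F": "outside FIN",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
    "D": "DNS",
}

# One `show conn` line: proto, interface/addr:port pairs, idle, bytes, flags.
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),\s+"
    r"idle\s+(?P<idle>\d+:\d+:\d+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S*)$"
)

# Sample input: the `show conn protocol tcp` output shown on this page.
SAMPLE_OUTPUT = """\
ASA# show conn protocol tcp
104 in use, 7777 most used
TCP outside 10.10.10.59:5223 inside 192.168.10.10:52419, idle 0:00:11, bytes 0, flags saA
TCP outside 192.168.10.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO
TCP outside 10.10.10.217:5223 inside 192.168.10.10:52425, idle 0:00:10, bytes 0, flags saA
TCP outside 10.10.10.217:443 inside 192.168.10.10:52427, idle 0:01:02, bytes 4504, flags UIO
TCP outside 10.10.10.57:5223 inside 192.168.10.10:52412, idle 0:00:23, bytes 0, flags saA
TCP outside 10.10.10.116:5223 inside 192.168.10.10:52408, idle 0:00:23, bytes 0, flags saA
TCP outside 10.10.10.60:5223 inside 192.168.10.10:52413, idle 0:00:23, bytes 0, flags saA
TCP outside 10.10.10.96:5223 inside 192.168.10.10:52421, idle 0:00:11, bytes 0, flags saA
TCP outside 10.10.10.190:5223 inside 192.168.10.10:52424, idle 0:00:10, bytes 0, flags saA
"""


def parse_conn_line(line):
    """Return a dict for one connection line, or None for prompts/headers."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    for key in ("port_a", "port_b", "bytes"):
        conn[key] = int(conn[key])
    return conn


def describe_flags(flags):
    """Expand a flag string such as 'saA' into the legend text, in order."""
    return [FLAG_LEGEND.get(ch, "unknown flag %r" % ch) for ch in flags]


def conn_state(flags):
    """Coarse TCP state derived from the flags.

    Closing is checked first because a connection in FIN handling is
    normally still marked up (U) as well.
    """
    if set(flags) & set("fFrR"):
        return "closing"
    if "U" in flags:
        return "established"
    if set(flags) & set("sSaAB"):
        return "half-open"
    return "unknown"


def summarize(output, half_open_threshold=5):
    """Count states and find hosts with many half-open connections.

    Half-open connections are keyed on the second endpoint, which in the
    sample output is the inside/dmz host that initiated the connection
    (simplification; adapt the key to how your ASA orders endpoints).
    half_open_threshold is an assumed value, not an ASA default.
    """
    conns = [c for c in map(parse_conn_line, output.splitlines()) if c]
    states = Counter(conn_state(c["flags"]) for c in conns)
    half_open = Counter(
        c["ip_b"] for c in conns if conn_state(c["flags"]) == "half-open"
    )
    suspects = {h: n for h, n in half_open.items() if n >= half_open_threshold}
    return {
        "total": len(conns),
        "states": dict(states),
        "half_open_by_host": dict(half_open),
        "suspects": suspects,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_OUTPUT)
    print("connections:", report["total"], "states:", report["states"])
    for host, n in report["suspects"].items():
        print("%s has %d half-open connections" % (host, n))
    print("saA means:", "; ".join(describe_flags("saA")))
```

To run this against a live box, paste the output of show conn (or show conn protocol tcp) into SAMPLE_OUTPUT or read it from a file captured over SSH. The classifier deliberately uses only the handshake, up and FIN flags, so inspection-related flags (DNS, SIP and so on) are reported as "unknown flag" by describe_flags rather than silently guessed.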