Monday, 13 July 2020

Cisco ASA connection flags


Checking Different State Connection Flag on ASA
Topology-
R1 Fa0/0- 10.10.10.2/24
ASA E0/0- 10.10.10.1/24 (outside)
ASA E0/1- 10.20.20.1/24 (inside)
R2 Fa0/0- 10.20.20.2/24
Flags: A - awaiting inside ACK to SYN,
       a - awaiting outside ACK to SYN,
       B - initial SYN from outside,
       C - CTIQBE media,
       D - DNS,
       d - dump,
       E - outside back connection,
       F - outside FIN,
       f - inside FIN,
       G - group,
       g - MGCP,
       H - H.323,
       h - H.225.0,
       I - inbound data,
       i - incomplete,
       J - GTP,
       j - GTP data,
       k - Skinny media,
       M - SMTP data,
       m - SIP media,
       O - outbound data,
       P - inside back connection,
       q - SQL*Net data,
       R - outside acknowledged FIN,
       R - UDP RPC,
       r - inside acknowledged FIN,
       S - awaiting inside SYN,
       s - awaiting outside SYN,
       T - SIP,
       t - SIP transient,
       U - up

1)      Telnet from R2 (inside) to R1 (outside).

Once the connection is established from the inside host to the outside host, the flag will be UIO.

      UIO signifies Up, Inbound data and Outbound data: the connection is established and data is traversing both ways.

2)      Telnet from R1 (outside) to the inside host after configuring one-to-one NAT.

Once the connection from outside to inside is established, the flag will be UIOB.
UIOB is simply a connection established from outside.
      B = initial SYN from outside
 

3)      Telnet on port 80 from outside to inside.

Flag will be set to UB.

UB: the connection is Up, and the initial SYN came from outside.



4)      Telnet on port 80 from the inside host to outside.


5)      Telnet on port 80 to an outside IP that is not reachable at the moment.

saA: awaiting the SYN-ACK from outside.

6)      Telnet on port 80 from router R1 to a non-existent inside IP.

SaAB: S, awaiting the inside SYN; B, since this packet originated from outside.

Here I added one more router, R3.
R3 Fa0/0- 20.20.20.2/24
R1 Fa0/1- 20.20.20.1/24

Telnet from R3 to R2 and log in with the vty password.

UIOB: as expected, since the connection is established from outside.
Now I block the ACK packet on R1.

aB: awaiting SYN from inside, and B since the packet originated from outside.



Summary:
When you troubleshoot TCP connections through the Adaptive Security Appliance (ASA), the connection flags shown for each TCP connection provide a wealth of information about the state of TCP connections to the ASA. This information can be used to troubleshoot problems with the ASA, as well as problems elsewhere in the network.

Here is the output of the show conn protocol tcp command, which shows the state of all TCP connections through the ASA. These connections can also be seen with the show conn command.
ASA# show conn protocol tcp
101 in use, 5589 most used
TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA
TCP outside 192.168.3.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO
TCP outside 10.23.232.217:5223 inside 192.168.1.3:52425, idle 0:00:10, bytes 0, flags saA
TCP outside 10.23.232.217:443 inside 192.168.1.3:52427, idle 0:01:02, bytes 4504, flags UIO
TCP outside 10.23.232.57:5223 inside 192.168.1.3:52412, idle 0:00:23, bytes 0, flags saA
TCP outside 10.23.232.116:5223 inside 192.168.1.3:52408, idle 0:00:23, bytes 0, flags saA
TCP outside 10.23.232.60:5223 inside 192.168.1.3:52413, idle 0:00:23, bytes 0, flags saA
TCP outside 10.23.232.96:5223 inside 192.168.1.3:52421, idle 0:00:11, bytes 0, flags saA
TCP outside 10.23.232.190:5223 inside 192.168.1.3:52424, idle 0:00:10, bytes 0, flags saA
The next picture shows the ASA TCP Connection flags at different stages of the TCP state machine. The connection flags can be seen with the show conn command on the ASA.

TCP Connection Flag Values

Additionally, in order to view all of the possible connection flags issue the show connection detail command on the command-line:
ASA5515-X# show conn detail
35 in use, 199 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed,
       C - CTIQBE media, c - cluster centralized,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module,
       x - per session, Y - director stub flow, y - backup stub flow,
       Z - Scansafe redirection, z - forwarding stub flow
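The six lab cases above (UIO, UIOB, UB, saA, SaAB, aB) and the show conn protocol tcp listing in the summary can be decoded mechanically, which is handy when a long show conn output has to be triaged. The script below is an added example, not part of the original post and not Cisco code. It parses the show conn lines in the layout seen on this page (TCP <if> <ip>:<port> <if> <ip>:<port>, idle ..., bytes ..., flags ...), expands each flag letter with the legend transcribed from the show conn detail output, and groups connections into established, half-open and closing, counting half-open entries per inside host (the endpoint that is not on the interface named outside). The sample text is the listing from this page embedded as a constructed input; the state names, the classify/initiator/summarize helpers and the outside_if parameter are my own assumptions.

```python
"""Decode and summarise Cisco ASA 'show conn' TCP entries by connection flag."""
import re
from collections import Counter

# Subset of the ASA flag legend relevant to plain TCP connections,
# transcribed from the 'show conn detail' output on this page.
FLAG_LEGEND = {
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside",
    "b": "TCP state-bypass or nailed",
    "F": "outside FIN",
    "f": "inside FIN",
    "I": "inbound data",
    "i": "incomplete",
    "O": "outbound data",
    "R": "outside acknowledged FIN",
    "r": "inside acknowledged FIN",
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
    "U": "up",
}

# One 'show conn' line in the layout shown on this page, e.g.
# TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA
CONN_RE = re.compile(
    r"^TCP\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):(?P<port1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+):(?P<port2>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)\s*$"
)

# Constructed sample: the 'show conn protocol tcp' listing quoted on this page.
SAMPLE = """\
101 in use, 5589 most used
TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA
TCP outside 192.168.3.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO
TCP outside 10.23.232.217:5223 inside 192.168.1.3:52425, idle 0:00:10, bytes 0, flags saA
TCP outside 10.23.232.217:443 inside 192.168.1.3:52427, idle 0:01:02, bytes 4504, flags UIO
TCP outside 10.23.232.57:5223 inside 192.168.1.3:52412, idle 0:00:23, bytes 0, flags saA
"""


def parse_show_conn(text):
    """Return one dict per TCP connection line; header and non-TCP lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("port1", "port2", "bytes"):
                d[key] = int(d[key])
            conns.append(d)
    return conns


def describe_flags(flags):
    """Expand a flag string such as 'UIOB' into legend text, in the order printed."""
    return [FLAG_LEGEND.get(c, f"unknown flag {c!r}") for c in flags]


def classify(flags):
    """Coarse TCP state (my naming): FIN/ACK-of-FIN flags mean closing, U means the
    handshake completed, any of S/s/A/a without U means the handshake is still pending."""
    if any(c in flags for c in "FfRr"):
        return "closing"
    if "U" in flags:
        return "established"
    if any(c in flags for c in "SsAa"):
        return "half-open"
    return "other"


def initiator(flags):
    """'outside' when the ASA recorded the initial SYN from outside (B), else 'inside'."""
    return "outside" if "B" in flags else "inside"


def summarize(conns, outside_if="outside"):
    """Count connections per state and half-open connections per inside host."""
    by_state = Counter(classify(c["flags"]) for c in conns)
    half_open = Counter(
        (c["ip2"] if c["if1"] == outside_if else c["ip1"])
        for c in conns if classify(c["flags"]) == "half-open"
    )
    return by_state, half_open


if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE)
    for c in conns:
        print(f"{c['ip2']}:{c['port2']} <-> {c['ip1']}:{c['port1']}  flags {c['flags']:5} "
              f"{classify(c['flags'])}, {initiator(c['flags'])}-initiated: "
              + ", ".join(describe_flags(c["flags"])))
    print(summarize(conns))
```

A host accumulating many saA entries with zero bytes, as 192.168.1.3 does in the sample, is the signature of the lab's step 5: inside SYNs sent, no SYN-ACK returning from outside, so the next place to look is reachability or a filter on the outside path rather than the ASA itself.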