show conn on ACE

Answered Question
Mar 4th, 2008

I have some questions related to show conn on ACE.

The log is like below:

ACEAD#1/130# show conn de | be 2633
2633 1 in TCP 330 100.254.130.13:39560 100.254.16.11:389 ESTAB
[ idle time : 00:33:21, byte count : 334 ]
[ elapsed time: 00:48:35, packet count: 5 ]
11239 1 out TCP 30 100.254.16.11:389 100.254.130.13:39560 CLOSED
[ conn in reuse pool : FALSE]
[ idle time : 00:33:21, byte count : 261 ]
[ elapsed time: 00:48:35, packet count: 3 ]

ACEAD#1/130# show conn de | be 2633
2633 1 in TCP 330 100.254.130.13:39560 100.254.16.11:389 ESTAB
[ idle time : 00:33:49, byte count : 334 ]
[ elapsed time: 00:49:03, packet count: 5 ]
11239 1 out TCP 30 100.254.16.11:389 100.254.130.13:39560 CLOSED
[ conn in reuse pool : FALSE]
[ idle time : 00:33:49, byte count : 261 ]
[ elapsed time: 00:49:03, packet count: 3 ]

100.254.130.13 is the server-side IP address.

100.254.16.11 is the outside client's IP address.

Connection id 2633's connection status is ESTAB, but connection id 11239 is CLOSED.

Is this a pair of connections between 100.254.130.13 and 100.254.16.11?

In the log, there are two flows in opposite directions with different connection ids.

If the two connections are a pair, why is conn id 2633 ESTAB while conn id 11239 is CLOSED?

Or, if not, is it a single flow, not related to the other?

There is no explanation about this issue in the documentation. I have no experience with this on Cisco ACE.

Can anyone help me!

Gilles Dufour Wed, 03/05/2008 - 02:53

A TCP connection is actually 2 flows.

Each flow represents one direction.

So from client to server is one flow and from server to client is the other flow.

What you see is 2 flows of a single connection.

If one flow is CLOSED, it means the source sent a FIN.

If the other end is not CLOSED, it means we have not received the FIN yet.

TCP allows half-closed connection.

We have to wait for the connection to timeout or for the client to close it.

There is a TCP parameter you can use to set the half-closed TCP timeout to something small, so that those kinds of connections do not stay 1 hour in your conn table.

Regards,

Gilles.

syjeon Wed, 03/05/2008 - 16:49

OK, you mean that connection ids 2633 and 11239 are different connections? Is that right?

If so, how can I verify the flow between client and server?

For example src:123 dst:100, src:100 dst:123,

like this.

Does ACE display only an initial connection?

Correct Answer
Kristopher Martinez Wed, 03/05/2008 - 19:10

The output you provided at the beginning is two flows that make up a single connection.

When a client initiates a connection to the ACE virtual address two flows are created on the ACE. flow-1 is client to ACE and flow-2 is ACE to server. But both of these flows are tied together and make up the connection.

My assumption on what is happening in your output:

1. This is the flow from the ACE to the server. The server has sent a FIN so this is why the ACE displays the connection as closed.

11239 1 out TCP 30 x.x.x.x:389 x.x.x.x:39560 CLOSED

2. This is the flow between the client and the ACE. The ACE has not seen a FIN ACK from the client so the connection remains open.

2633 1 in TCP 330 x.x.x.x:39560 x.x.x.x:389 ESTAB

3. These flows will remain in the connection table until the idle timer expires (half-closed) or the ACE receives a FIN ACK, RST, etc. from the client.

Here is documentation on setting the different idle timers on ACE.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/tcpipnrm.html#wp1072427
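Both Gilles' and Kristopher's answers make the same point: the two rows in the question are the two directional flows of one TCP connection, and a flow pair with one side ESTAB and the other CLOSED is a half-closed connection waiting on the idle timer. The script below is an added example, not part of this thread or of Cisco's tooling; it parses the `show conn detail` text as pasted above (the regular expression assumes the column order shown in the thread: conn id, NP, direction, protocol, VLAN, source, destination, state), pairs each flow with its reverse-direction twin by swapping source and destination, classifies each pair, and reports half-closed pairs whose idle time exceeds a threshold. An operator can use that to size the half-closed timeout Gilles mentions or to spot hosts that routinely leave connections half-open. The sample input is constructed from the output in the question.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two flows pasted in the question (ACE "show conn detail" format).
SAMPLE_SHOW_CONN = """\
2633 1 in TCP 330 100.254.130.13:39560 100.254.16.11:389 ESTAB
[ idle time : 00:33:21, byte count : 334 ]
[ elapsed time: 00:48:35, packet count: 5 ]
11239 1 out TCP 30 100.254.16.11:389 100.254.130.13:39560 CLOSED
[ conn in reuse pool : FALSE]
[ idle time : 00:33:21, byte count : 261 ]
[ elapsed time: 00:48:35, packet count: 3 ]
"""

# Assumed column layout, taken from the thread: id, NP, dir, proto, vlan, src, dst, state.
FLOW_RE = re.compile(
    r"^(?P<conn_id>\d+)\s+(?P<np>\d+)\s+(?P<dir>in|out)\s+(?P<proto>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<src>\S+:\d+)\s+(?P<dst>\S+:\d+)\s+(?P<state>\S+)\s*$"
)
IDLE_RE = re.compile(r"idle time\s*:\s*(\d+):(\d+):(\d+)")


@dataclass
class Flow:
    conn_id: int
    direction: str
    proto: str
    vlan: int
    src: str
    dst: str
    state: str
    idle_seconds: Optional[int] = None  # filled from the following "[ idle time ... ]" line


def parse_show_conn(text: str) -> List[Flow]:
    """Turn the pasted CLI text into Flow records; detail lines attach to the preceding flow."""
    flows: List[Flow] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FLOW_RE.match(line)
        if m:
            flows.append(Flow(int(m["conn_id"]), m["dir"], m["proto"], int(m["vlan"]),
                              m["src"], m["dst"], m["state"]))
            continue
        m = IDLE_RE.search(line)
        if m and flows:
            h, mi, s = (int(x) for x in m.groups())
            flows[-1].idle_seconds = h * 3600 + mi * 60 + s
    return flows


def pair_flows(flows: List[Flow]) -> List[Tuple[Flow, Optional[Flow]]]:
    """Pair each flow with the flow whose (src, dst) is the reverse of its own."""
    by_tuple: Dict[Tuple[str, str, str], Flow] = {(f.proto, f.src, f.dst): f for f in flows}
    seen = set()
    pairs: List[Tuple[Flow, Optional[Flow]]] = []
    for f in flows:
        if f.conn_id in seen:
            continue
        twin = by_tuple.get((f.proto, f.dst, f.src))
        seen.add(f.conn_id)
        if twin is not None:
            seen.add(twin.conn_id)
        pairs.append((f, twin))
    return pairs


def classify(pair: Tuple[Flow, Optional[Flow]]) -> str:
    """established / half-closed / closed / unpaired / other, from the two flow states."""
    f, twin = pair
    if twin is None:
        return "unpaired"
    states = {f.state, twin.state}
    if states == {"ESTAB"}:
        return "established"
    if states == {"ESTAB", "CLOSED"}:
        return "half-closed"  # one side sent FIN, the other has not yet
    if states == {"CLOSED"}:
        return "closed"
    return "other"


def find_half_closed(text: str, min_idle_seconds: int = 0) -> List[Tuple[int, int, int]]:
    """Return (conn id, twin conn id, idle seconds) for half-closed pairs idle at least the threshold."""
    results = []
    for f, twin in pair_flows(parse_show_conn(text)):
        if classify((f, twin)) != "half-closed":
            continue
        idle = max(f.idle_seconds or 0, twin.idle_seconds or 0)
        if idle >= min_idle_seconds:
            results.append((f.conn_id, twin.conn_id, idle))
    return results


if __name__ == "__main__":
    for conn_id, twin_id, idle in find_half_closed(SAMPLE_SHOW_CONN, min_idle_seconds=30 * 60):
        print(f"half-closed pair {conn_id}/{twin_id} idle for {idle}s")
```

Feed it the output of `show conn detail` captured from the ACE; the idle threshold is whatever you consider too long for a half-closed connection to occupy the conn table. Pairs reported as `unpaired` deserve a second look as well, since a flow whose twin is missing is not the normal two-flow connection Gilles describes.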
