Solved: Mahesh,Your inside switch (10

mahesh18 · ‎05-18-2014

Hi everyone,

i ran the command

ASA1# sh conn address 10.0.0.2
18 in use, 567 most used
UDP outside 128.100.56.135:123 inside 10.0.0.2:123, idle 0:01:01, bytes 21312, flags -

ASA1# sh conn address 10.0.0.2
22 in use, 567 most used
UDP outside 128.100.56.135:123 inside 10.0.0.2:123, idle 0:00:44, bytes 21360, flags -

ASA1# sh conn address 10.0.0.2
23 in use, 567 most used
UDP outside 128.100.56.135:123 inside 10.0.0.2:123, idle 0:00:53, bytes 21408, flags -

Need to understand what does flag - mean here?

is this show connection is established?

Regards

MAhesh

ajay chauhan · ‎05-18-2014

it’s a UDP packet and therefore is stateless & no flags but if your traffic is tcp you can check based on flags.

View solution in original post

Marvin Rhoads · ‎05-18-2014

Mahesh,

Your inside switch (10.0.0.2) appears to be configured to get ntp from a source at 128.100.56.135 (somewhere beyond your outside interface).

As Ajay noted, a connectionless (sometimes referred to as stateless) protocol like UDP will not have the SYN, ACK, SYN-ACK, RST etc. states that would cause flags to be set in the ASA's connection table. It does, however, register as a flow through the ASA so the return traffic can be allowed in without having to be permitted by an access-list. Those flows are tracked in the connection table - a bit confusing since they're connectionless.

The count of those flows will increment as UDP packets (ntp queries in this case) flow outbound through the ASA. By default, those connection entries last 2 minutes before timing out and being removed from the connection table. (That default can be overriden though.)

View solution in original post

ajay chauhan · ‎05-18-2014

it’s a UDP packet and therefore is stateless & no flags but if your traffic is tcp you can check based on flags.

mahesh18 · ‎05-18-2014

Hi Ajay,

So UDP has no flag associated with it.

But i ran the command again still it shows

ASA1# sh conn address 10.0.0.2
50 in use, 567 most used
UDP outside 128.100.56.135:123 inside 10.0.0.2:123, idle 0:00:54, bytes 24192, flags -

this command is there and my switch connected to ASA has no NTP sync yet.

does it mean that as long as switch is trying to reach NTP server via ASA this command will show up

under sh conn ?

Regards

Mahesh

Marvin Rhoads · ‎05-18-2014

Mahesh,

Your inside switch (10.0.0.2) appears to be configured to get ntp from a source at 128.100.56.135 (somewhere beyond your outside interface).

As Ajay noted, a connectionless (sometimes referred to as stateless) protocol like UDP will not have the SYN, ACK, SYN-ACK, RST etc. states that would cause flags to be set in the ASA's connection table. It does, however, register as a flow through the ASA so the return traffic can be allowed in without having to be permitted by an access-list. Those flows are tracked in the connection table - a bit confusing since they're connectionless.

The count of those flows will increment as UDP packets (ntp queries in this case) flow outbound through the ASA. By default, those connection entries last 2 minutes before timing out and being removed from the connection table. (That default can be overriden though.)

mahesh18 · ‎05-18-2014

Thanks Marvin for explaining in more detail.

Regards

MAhesh

sh conn flag -