Cisco – ASA conn flags explained

Tags: cisco, cisco-asa, firewall, tcp

I have seen the following output, but what is the difference between UB vs UIOB vs UIO?

I looked at this website, and it has a nice explanation, but I am having a hard time decoding it in context: https://www.tunnelsup.com/understanding-cisco-asa-connection-flags/

fw/pri/act# sh conn
21 in use, 600 most used

TCP ext_dmz  10.5.8.40:33882 int_dmz  10.5.16.39:9090, idle 0:06:17, bytes 0, flags UB
TCP ext_dmz  10.5.8.40:60713 int_dmz  10.5.16.39:9090, idle 0:00:03, bytes 561603, flags UIOB
TCP ext_dmz  10.5.8.39:5432 int_dmz  10.5.16.40:53600, idle 0:00:06, bytes 44857, flags UIO
TCP outside  10.5.255.3:57229 inside  65.194.212.101:22, idle 0:00:45, bytes 395449, flags UIOB

Best Answer

Cisco maintains many documents, and all you need to do is search. For example, ASA TCP Connection Flags (Connection Build-Up and Teardown):

ASA TCP Connection Flags

When you troubleshoot TCP connections through the Adaptive Security Appliance (ASA), the connection flags shown for each TCP connection provide a wealth of information about the state of TCP connections to the ASA. This information can be used to troubleshoot problems with the ASA, as well as problems elsewhere in the network.

Here is the output of the show conn protocol tcp command, which shows the state of all TCP connections through the ASA. These connections can also be seen with the show conn command.

ASA# show conn protocol tcp
101 in use, 5589 most used
TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA
TCP outside 192.168.3.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO
TCP outside 10.23.232.217:5223 inside 192.168.1.3:52425, idle 0:00:10, bytes 0, flags saA
TCP outside 10.23.232.217:443 inside 192.168.1.3:52427, idle 0:01:02, bytes 4504, flags UIO
TCP outside 10.23.232.57:5223 inside 192.168.1.3:52412, idle 0:00:23, bytes 0, flags saA
TCP outside 10.23.232.116:5223 inside 192.168.1.3:52408, idle 0:00:23, bytes 0, flags saA
TCP outside 10.23.232.60:5223 inside 192.168.1.3:52413, idle 0:00:23, bytes 0, flags saA
TCP outside 10.23.232.96:5223 inside 192.168.1.3:52421, idle 0:00:11, bytes 0, flags saA
TCP outside 10.23.232.190:5223 inside 192.168.1.3:52424, idle 0:00:10, bytes 0, flags saA

The next picture shows the ASA TCP Connection flags at different stages of the TCP state machine. The connection flags can be seen with the show conn command on the ASA.


Additionally, in order to view all of the possible connection flags, issue the show connection detail command on the command line:

ASA5515-X# show conn detail
35 in use, 199 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed,
       C - CTIQBE media, c - cluster centralized,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module,
       x - per session, Y - director stub flow, y - backup stub flow,
       Z - Scansafe redirection, z - forwarding stub flow

To understand what the flags represent, you need to understand TCP handshaking and connections. If you understand this about TCP, then it is easy to interpret the state of the connection. For example, the UB flags for a connection mean that the connection has received an inbound ACK.
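As an added example (not from the question, the answer, or Cisco's documentation), here is a small Python parser for show conn lines that decodes each flag letter with the legend quoted above and classifies a connection as established (U present) or still in the handshake (any of S/s/A/a present), with the B flag telling you which side sent the initial SYN. The SAMPLE dump reuses lines quoted on this page; the state names, the "embryonic" counter and the regular expression are my own assumptions about the output format shown here.

```python
import re
# Flag legend as printed by "show conn detail" in the answer above
# (TCP-state flags only; the ASA itself lists "R" twice).
FLAG_LEGEND = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "b": "TCP state-bypass or nailed",
    "F": "outside FIN", "f": "inside FIN", "I": "inbound data", "i": "incomplete",
    "O": "outbound data", "R": "outside acknowledged FIN (or UDP SUNRPC)",
    "r": "inside acknowledged FIN", "S": "awaiting inside SYN",
    "s": "awaiting outside SYN", "U": "up",
}

# Matches the one-line-per-connection format shown on this page.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):(?P<port1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+):(?P<port2>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)

def parse_conn(line):
    """Parse one 'show conn' line; header and legend lines return None."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    conn["bytes"] = int(conn["bytes"])
    flags = conn["flags"]
    conn["decoded"] = [FLAG_LEGEND.get(c, "unknown flag " + c) for c in flags]
    # "U" means the three-way handshake completed. Any of S/s/A/a means the ASA
    # is still waiting on part of the handshake: an embryonic connection.
    conn["state"] = ("established" if "U" in flags
                     else "embryonic" if set(flags) & set("SsAa") else "other")
    conn["initiated_from_outside"] = "B" in flags  # B: initial SYN from outside
    return conn

def summarize(output):
    """Count states over a whole dump; many zero-byte embryonic entries are what
    a SYN flood, or a server that never answers, looks like in show conn."""
    counts = {"established": 0, "embryonic": 0, "embryonic_zero_bytes": 0, "other": 0}
    for conn in filter(None, map(parse_conn, output.splitlines())):
        counts[conn["state"]] += 1
        if conn["state"] == "embryonic" and conn["bytes"] == 0:
            counts["embryonic_zero_bytes"] += 1
    return counts

# Sample dump assembled from lines quoted on this page (header line included).
SAMPLE = """21 in use, 600 most used
TCP ext_dmz  10.5.8.40:33882 int_dmz  10.5.16.39:9090, idle 0:06:17, bytes 0, flags UB
TCP ext_dmz  10.5.8.39:5432 int_dmz  10.5.16.40:53600, idle 0:00:06, bytes 44857, flags UIO
TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA
"""
```

Run `summarize(SAMPLE)` to get the per-state counts, or `parse_conn(line)["decoded"]` to read a single flag string such as UIOB as plain words.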