topic it’s a UDP packet and in Network Security

sh conn flag -

mahesh18 — Tue, 12 Mar 2019 04:12:46 GMT

Hi everyone,

i ran the command

ASA1# sh conn address 10.0.0.2
18 in use, 567 most used
UDP outside 128.100.56.135:123 inside 10.0.0.2:123, idle 0:01:01, bytes 21312, flags -

ASA1# sh conn address 10.0.0.2
22 in use, 567 most used
UDP outside 128.100.56.135:123 inside 10.0.0.2:123, idle 0:00:44, bytes 21360, flags -

ASA1# sh conn address 10.0.0.2
23 in use, 567 most used
UDP outside 128.100.56.135:123 inside 10.0.0.2:123, idle 0:00:53, bytes 21408, flags -

Need to understand what does flag - mean here?

is this show connection is established?

Regards

MAhesh

it’s a UDP packet and

ajay chauhan — Sun, 18 May 2014 17:06:30 GMT

it’s a UDP packet and therefore is stateless & no flags but if your traffic is tcp you can check based on flags.

Hi Ajay, So UDP has no flag

mahesh18 — Sun, 18 May 2014 17:19:12 GMT

Hi Ajay,

So UDP has no flag associated with it.

But i ran the command again still it shows

ASA1# sh conn address 10.0.0.2
50 in use, 567 most used
UDP outside 128.100.56.135:123 inside 10.0.0.2:123, idle 0:00:54, bytes 24192, flags -

this command is there and my switch connected to ASA has no NTP sync yet.

does it mean that as long as switch is trying to reach NTP server via ASA this command will show up

under sh conn ?

Regards

Mahesh

Mahesh,Your inside switch (10

Marvin Rhoads — Mon, 19 May 2014 00:15:52 GMT

Mahesh,

Your inside switch (10.0.0.2) appears to be configured to get ntp from a source at 128.100.56.135 (somewhere beyond your outside interface).

As Ajay noted, a connectionless (sometimes referred to as stateless) protocol like UDP will not have the SYN, ACK, SYN-ACK, RST etc. states that would cause flags to be set in the ASA's connection table. It does, however, register as a flow through the ASA so the return traffic can be allowed in without having to be permitted by an access-list. Those flows are tracked in the connection table - a bit confusing since they're connectionless.

The count of those flows will increment as UDP packets (ntp queries in this case) flow outbound through the ASA. By default, those connection entries last 2 minutes before timing out and being removed from the connection table. (That default can be overriden though.)

Thanks Marvin for explaining

mahesh18 — Mon, 19 May 2014 00:47:33 GMT

Thanks Marvin for explaining in more detail.

Regards

MAhesh