Conn question on ASA5525x/k9

stoneyeye
Level 1
TCP outside 45.121.52.205:44457 inside 10.20.30.85:8080, idle 0:00:07, bytes 786, flags UIOB
TCP outside 45.121.52.205:44456 inside 10.20.30.85:8080, idle 0:00:09, bytes 0, flags SaAB
TCP outside 45.121.52.205:44455 inside 10.20.30.85:8080, idle 0:00:26, bytes 0, flags SaAB
TCP outside 45.121.52.205:44451 inside 10.20.30.85:8080, idle 0:00:15, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44450 inside 10.20.30.85:8080, idle 0:00:43, bytes 654, flags UfrIOB
TCP outside 45.121.52.205:44433 inside 10.20.30.85:8080, idle 0:00:56, bytes 786, flags UfFrIOB
TCP outside 45.121.52.205:44424 inside 10.20.30.85:8080, idle 0:01:54, bytes 658, flags UfFrIOB
TCP outside 45.121.52.205:44420 inside 10.20.30.85:8080, idle 0:03:21, bytes 658, flags UfFrIOB
TCP outside 45.121.52.205:44418 inside 10.20.30.85:8080, idle 0:04:09, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44415 inside 10.20.30.85:8080, idle 0:04:20, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44414 inside 10.20.30.85:8080, idle 0:04:48, bytes 658, flags UfFrIOB
TCP outside 45.121.52.205:44397 inside 10.20.30.85:8080, idle 0:06:13, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44375 inside 10.20.30.85:8080, idle 0:06:50, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44374 inside 10.20.30.85:8080, idle 0:06:26, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44373 inside 10.20.30.85:8080, idle 0:06:42, bytes 658, flags UfFrIOB
TCP outside 45.121.52.205:44372 inside 10.20.30.85:8080, idle 0:06:56, bytes 658, flags UfFrIOB
TCP outside 45.121.52.205:44371 inside 10.20.30.85:8080, idle 0:07:02, bytes 658, flags UfFrIOB
TCP outside 45.121.52.205:44368 inside 10.20.30.85:8080, idle 0:06:38, bytes 658, flags UfFrIOB
TCP outside 45.121.52.205:44367 inside 10.20.30.85:8080, idle 0:06:56, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44365 inside 10.20.30.85:8080, idle 0:07:01, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44364 inside 10.20.30.85:8080, idle 0:06:13, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44362 inside 10.20.30.85:8080, idle 0:07:02, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44361 inside 10.20.30.85:8080, idle 0:06:38, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44358 inside 10.20.30.85:8080, idle 0:07:02, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44357 inside 10.20.30.85:8080, idle 0:07:07, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44356 inside 10.20.30.85:8080, idle 0:06:57, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44353 inside 10.20.30.85:8080, idle 0:07:02, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44352 inside 10.20.30.85:8080, idle 0:07:09, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44351 inside 10.20.30.85:8080, idle 0:06:14, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44350 inside 10.20.30.85:8080, idle 0:06:57, bytes 654, flags UfFrIOB
TCP outside 45.121.52.205:44348 inside 10.20.30.85:8080, idle 0:07:39, bytes 658, flags UfFrIOB
TCP outside 45.121.52.205:44345 inside 10.20.30.85:8080, idle 0:08:52, bytes 582, flags UfrIOB
TCP outside 45.121.52.205:44344 inside 10.20.30.85:8080, idle 0:08:30, bytes 658, flags UfFrIOB
TCP outside 45.121.52.205:44343 inside 10.20.30.85:8080, idle 0:07:46, bytes 658, flags UfFrIOB
TCP outside 45.121.52.205:44342 inside 10.20.30.85:8080, idle 0:08:15, bytes 658, flags UfFrIOB
TCP outside 45.121.52.205:44339 inside 10.20.30.85:8080, idle 0:08:09, bytes 658, flags UfFrIOB
TCP outside 45.121.52.205:44338 inside 10.20.30.85:8080, idle 0:08:35, bytes 658, flags UfFrIOB
TCP outside 45.121.52.205:44336 inside 10.20.30.85:8080, idle 0:08:36, bytes 658, flags UfFrIOB
TCP outside 45.121.52.205:44335 inside 10.20.30.85:8080, idle 0:08:09, bytes 658, flags UfFrIOB
TCP outside 121.42.161.16:80 inside 10.20.30.85:36583, idle 0:00:41, bytes 850, flags UxIO
TCP outside 121.42.161.16:80 inside 10.20.30.85:36582, idle 0:00:41, bytes 644, flags UxIO
TCP outside 121.42.161.16:80 inside 10.20.30.85:36577, idle 0:00:24, bytes 796, flags UFRxIO
TCP outside 121.42.161.16:80 inside 10.20.30.85:36576, idle 0:00:25, bytes 644, flags UFRxIO
TCP outside 121.42.161.16:80 inside 10.20.30.85:36569, idle 0:04:14, bytes 868, flags UFRxIO
TCP outside 121.42.161.16:80 inside 10.20.30.85:36568, idle 0:04:16, bytes 644, flags UFRxIO
TCP outside 121.42.161.16:80 inside 10.20.30.85:36566, idle 0:05:30, bytes 841, flags UFRxIO
TCP outside 121.42.161.16:80 inside 10.20.30.85:36565, idle 0:05:31, bytes 644, flags UFRxIO
TCP outside 121.42.161.16:80 inside 10.20.30.85:36563, idle 0:06:46, bytes 877, flags UFRxIO
TCP outside 121.42.161.16:80 inside 10.20.30.85:36562, idle 0:06:47, bytes 644, flags UFRxIO
TCP outside 121.42.161.16:80 inside 10.20.30.85:36557, idle 0:07:26, bytes 896, flags UFRxIO
TCP outside 121.42.161.16:80 inside 10.20.30.85:36556, idle 0:07:26, bytes 644, flags UFRxIO
TCP outside 114.113.101.218:80 inside 10.20.30.85:64176, idle 0:00:12, bytes 615, flags UxIO
TCP outside 114.113.101.218:80 inside 10.20.30.85:64170, idle 0:00:46, bytes 619, flags UxIO
TCP outside 114.113.101.218:80 inside 10.20.30.85:64164, idle 0:00:35, bytes 619, flags UFRxIO
TCP outside 114.113.101.218:80 inside 10.20.30.85:64163, idle 0:00:45, bytes 619, flags UFRxIO
TCP outside 114.113.101.218:80 inside 10.20.30.85:64155, idle 0:04:50, bytes 619, flags UFRxIO
TCP outside 114.113.101.218:80 inside 10.20.30.85:64151, idle 0:05:52, bytes 632, flags UFRxIO
TCP outside 114.113.101.218:80 inside 10.20.30.85:64144, idle 0:07:12, bytes 615, flags UFRxIO
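Question 1: How can I record these conn connections in real time so that I can query them later, ideally into my logs?
Question 2: What do the fields I highlighted in color mean? Could an expert please explain? What do flags UfFrIOB, flags UFRxIO and flags UxIO each stand for?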



one-time
Level 13
Thank you for your question! Someone will answer it for you shortly!

huoran1234
Spotlight
1. Actually, you can see this in the informational-level logs.
2. show conn det gives a detailed explanation; each letter has a different meaning.
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed,
C - CTIQBE media, c - cluster centralized,
D - DNS, d - dump, E - outside back connection, e - semi-distributed,
F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
w - secondary domain backup,
X - inspected by service module,
x - per session, Y - director stub flow, y - backup stub flow,
Z - Scansafe redirection, z - forwarding stub flow
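
As an added example (not part of the thread or of any Cisco tool), the sketch below decodes the TCP flags with the legend quoted in the reply above and turns captured `show conn` text into JSON lines that can be appended to a log. It assumes the output has already been saved as text; the function names and the "embryonic/closing/established" summary labels are this example's own.

```python
import json
import re

# Meanings copied from the "show conn det" legend quoted in the reply above.
# TCP only: on UDP flows the legend gives "R" a different meaning (SUNRPC).
TCP_FLAGS = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "F": "outside FIN", "f": "inside FIN",
    "I": "inbound data", "O": "outbound data",
    "R": "outside acknowledged FIN", "r": "inside acknowledged FIN",
    "S": "awaiting inside SYN", "s": "awaiting outside SYN",
    "U": "up", "x": "per session",
}

CONN_RE = re.compile(
    r"^TCP (?P<if_a>\S+) (?P<addr_a>[\d.]+:\d+) (?P<if_b>\S+) (?P<addr_b>[\d.]+:\d+), "
    r"idle (?P<idle>\d+:\d\d:\d\d), bytes (?P<bytes>\d+), flags (?P<flags>[A-Za-z]*)$"
)

def parse_conn(line):
    """Turn one TCP 'show conn' line into a dict; return None for other lines."""
    m = CONN_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    h, mnt, sec = (int(p) for p in rec["idle"].split(":"))
    rec["idle_seconds"] = h * 3600 + mnt * 60 + sec
    rec["bytes"] = int(rec["bytes"])
    flags = rec["flags"]
    rec["flag_meanings"] = [TCP_FLAGS.get(c, "not in table, see legend") for c in flags]
    rec["initiator"] = "outside" if "B" in flags else "inside"
    # Summary labels are this example's own, derived from the legend.
    if set(flags) & set("SsAa"):
        rec["state"] = "embryonic"   # handshake not finished
    elif set(flags) & set("FfRr"):
        rec["state"] = "closing"     # at least one FIN seen or acknowledged
    else:
        rec["state"] = "established" if "U" in flags else "unknown"
    return rec

def to_json_lines(text):
    """Return one JSON string per parsed connection, ready to append to a log."""
    parsed = (parse_conn(l) for l in text.splitlines())
    return [json.dumps(r, sort_keys=True) for r in parsed if r]

# Three lines taken from the output posted in the question.
SAMPLE = """TCP outside 45.121.52.205:44457 inside 10.20.30.85:8080, idle 0:00:07, bytes 786, flags UIOB
TCP outside 45.121.52.205:44456 inside 10.20.30.85:8080, idle 0:00:09, bytes 0, flags SaAB
TCP outside 121.42.161.16:80 inside 10.20.30.85:36577, idle 0:00:24, bytes 796, flags UFRxIO"""
```

A run of inbound entries that stay in the embryonic state with 0 bytes, like the `SaAB` lines in the question, is the pattern worth counting per source address when reviewing the resulting log.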

ni-weijian
Level 1
Set up a log server and send all level-7 logs to it, though the result will be very noisy to read.