Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
15430
Views
0
Helpful
1
Replies

ASA SaAB Flags - Incomplete TCP 3-way handshake

s.nasheet
Level 1
Level 1

‎05-28-2015 05:22 PM - edited ‎03-11-2019 11:01 PM

Hi,

 

I am having a problems to SSH  the Server on the DMZ  on Cisco ASA from the Inside interface. 

When I try to connect from Inside to the DMZ ( ssh to the server) I see the  SaAB flag's on the ASA connection table.

 

Does it mean that Inside interface is initiating the connection by sending the SYN to the server , but server is not replying with the SYN-ACK. 

Is server getting the SNY from the PC to establish SSH connection  or server is not even getting the initial SYN from the inside host  and initial  SYN get lost  in transit due to any other problems such as access rules, routing issues etc.

 

What does SaAB mean in the connection table on ASA.
 

Your help is appreciated.

 

Regards

Salman
 

1 person had this problem
Labels:
0 Helpful
1 Reply 1

Karsten Iwen
VIP
VIP

‎05-28-2015 11:41 PM

You can see the flags description with 

show conn detail

"SaA" means that the ASA has established a connection. All access-control should be fine. It doesn't say that the SYN reached the server, but that is very likely if there is no other filtering device on the way to the server.

"B" stands for outside connection. Do you have a lower security-level on inside than on the DMZ? Or do you see a session that was initiated from the DMZ-server to inside in return? This is quite unusual for your description.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card