Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12887
Views
0
Helpful
2
Replies

ASA teardown connection Flag-

Go to solution
mahesh18
Level 6
Level 6

‎06-16-2013 02:34 PM - edited ‎03-11-2019 06:58 PM

Hi Everyone,

When NTP update was done for connection going via ASA  i check the logs

and saw

sh conn  shows

UDP outside 136.159.2.254:123 DMZ  192.168.69.1:123, idle 0:01:56, bytes 96, flags -

sh log  shows

Jun 16 2013 13:36:19: %ASA-6-302016:  Teardown UDP connection 2755 for outside:136.159.2.2/123 to DMZ:192.168.69.1/123  duration 0:02:01 bytes 96

Jun 16 2013 13:36:19: %ASA-7-609002:  Teardown local-host outside:136.159.2.2 duration  0:02:01

So need to confirm that if connection is teardown from the ASA   then sh conn will show

flags-????????????

Regards

Mahesh

2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎06-16-2013 02:51 PM

Hi Mahesh,

What you have to notice here is that we are talking about UDP and not TCP.

UDP doesnt have any form of flags as its a stateless protocol. Unlike TCP, UDP Connections arent started with any kind of 3 way handshake or terminated with certain messages like TCP connections. Data transmitted isnt acknowledged either.

Because UDP is stateless (TCP is statefull) then there naturally isnt any flags associated with UDP as it has no different states.

So basically what you are seing on the ASA logs is a typical UDP connection being tear down since its reached the global timeout value for an UDP connection

You can use the "show run timeout" to view the different timeouts

You should see something like "udp 0:02:00" which means UDP Connections will timeout from the ASA after being idle for 2 minutes.

- Jouni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎06-16-2013 02:51 PM

Hi Mahesh,

What you have to notice here is that we are talking about UDP and not TCP.

UDP doesnt have any form of flags as its a stateless protocol. Unlike TCP, UDP Connections arent started with any kind of 3 way handshake or terminated with certain messages like TCP connections. Data transmitted isnt acknowledged either.

Because UDP is stateless (TCP is statefull) then there naturally isnt any flags associated with UDP as it has no different states.

So basically what you are seing on the ASA logs is a typical UDP connection being tear down since its reached the global timeout value for an UDP connection

You can use the "show run timeout" to view the different timeouts

You should see something like "udp 0:02:00" which means UDP Connections will timeout from the ASA after being idle for 2 minutes.

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎06-16-2013 03:07 PM

Hi Jouni,

You explained very good info about UDP.Under sh conn i was overlooking very important thing that it is UDP  connection.

I checked UDP timeout is 2 mins by default.Learned something very important from you.

Best Regards

Mahesh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card