12-27-2012 07:57 AM - edited 03-11-2019 05:41 PM
Hi everyone,
On the newer ASA IOS version we can ping using
ping tcp IP port number.
I need to know: what's the difference between TCP and ICMP ping?
TCP is a layer 4 protocol.
Thanks
Mahesh
12-27-2012 08:02 AM
Hi,
For one you can use the "ping tcp" command to test that some service is reachable from the ASA itself.
We also use this command sometimes to test a L2L VPN connection so that we can confirm a remote host behind a L2L VPN connection is answering on the TCP port needed.
To my understanding the "ping tcp" command just sends SYNs to the remote hosts and the remote host replies to them if reachable.
Example from my ASA (changed the name/IP address from the original output):
ASA# ping tcp www.testsite.com 80
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to x.x.x.x port 80
from y.y.y.y, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 103/117/140 ms
- Jouni
12-27-2012 08:54 AM
Hi Jouni,
Thanks for the reply.
So another way to test website connectivity is to telnet to the website IP and port number, say 80, from the user PC to confirm whether the ASA is allowing access to a particular website or not, right?
Mahesh
12-27-2012 09:01 AM
Naturally you can do the same test from the actual computers either using browser, some application or just telnet to certain TCP port.
I haven't used the "ping tcp" that much. It's been useful in some L2L VPN cases and also for confirming that some service is up on some LAN/REMOTE host that I don't have direct access to.
The above test output I took was just a simple test to see if one website's service was replying to TCP SYN sourced from the ASA's outside public IP address. There are more options/parameters to this command to test different things also. You can also set the interfaces and source IP addresses etc.
- Jouni
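
The workstation-side check discussed above (a TCP connection to the service port, as telnet would make), as an added example that is not part of the original thread. It performs a full TCP connect rather than the SYN probes shown in the ASA output; the names `tcp_ping` and `summarize` and the `?`/`R`/`U` marks are assumptions of this sketch, not ASA behaviour.

```python
import socket
import time


def tcp_ping(host, port, count=5, timeout=2.0):
    """Try `count` TCP connections to host:port; return (marks, rtts_ms)."""
    marks, rtts = [], []
    for _ in range(count):
        start = time.monotonic()
        try:
            # Completes the three-way handshake, then closes the socket.
            with socket.create_connection((host, port), timeout=timeout):
                rtts.append((time.monotonic() - start) * 1000.0)
                marks.append("!")   # service answered on the port
        except socket.timeout:
            marks.append("?")       # silence: dropped by a filter, or host down
        except ConnectionRefusedError:
            marks.append("R")       # RST: host reachable, nothing listening
        except OSError:
            marks.append("U")       # unreachable, name resolution failure, etc.
    return "".join(marks), rtts


def summarize(marks, rtts):
    """Build a summary line in the style of the 'ping tcp' output above."""
    ok = marks.count("!")
    line = f"Success rate is {100 * ok // len(marks)} percent ({ok}/{len(marks)})"
    if rtts:
        line += ", round-trip min/avg/max = {:.0f}/{:.0f}/{:.0f} ms".format(
            min(rtts), sum(rtts) / len(rtts), max(rtts))
    return line


if __name__ == "__main__":
    # Constructed demo: a throwaway listener on loopback stands in for the
    # remote service, so the script runs without touching any real host.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    marks, rtts = tcp_ping("127.0.0.1", port)
    print(marks)
    print(summarize(marks, rtts))
    srv.close()
    marks, rtts = tcp_ping("127.0.0.1", port, count=3)
    print(marks)
    print(summarize(marks, rtts))
```

Unlike an ICMP echo, the result separates "host up but port closed" (`R`) from "no answer at all" (`?`), which is the distinction that matters when checking whether a firewall rule permits a specific service.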
12-28-2012 09:45 AM
Hi Jouni,
Many thanks for all the answers.
Regards
Mahesh