Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1788
Views
8
Helpful
6
Replies

Flags

prashantrecon
Level 1
Level 1

‎01-22-2012 09:41 PM - edited ‎03-11-2019 03:17 PM

Hi

Can anyone provide me the details regarding flags when excuted show local-host command.

I am geeting flags as UfFRIO and some times UB.

Does it indicate malicious traffic.

Labels:
0 Helpful
6 Replies 6

Julio Carvajal
VIP Alumni
VIP Alumni

‎01-22-2012 09:52 PM

Hello Prashant,

Lets start with the easy one UB: witch means U: Up B: Innitial syn from outside

          -This means the connection has been built and was innitiated from the outside

UfFRIO: U: Up f: fin from the inside F: Fin from the outside R:Outside ack FIN, I: Inbound O:Outbound

          -This means a connection builthas been closed successfully ( We can see the FIN packets being exchanged on                    both  directions)

This does not indicate this is malicious traffic, you will need to check the IPs involved and if the traffic they were sending or exchanging is permitted by your security policy. As you can see the connection was innitiated from the outside, so besides analizing that you are ok.

Rate all the helpful posts!!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

ajay chauhan
Level 7
Level 7
In response to Julio Carvajal

‎01-22-2012 11:17 PM

I agree with Julio.

Anytype of connection which is passing has got some kind of flag. Suspcting malicious traffic something that you can also check based on number on connections based on source/destination/ports/flags.

However you can see this link might help you to understand how these flags work.

https://supportforums.cisco.com/docs/DOC-21701

Thanks

Ajay

0 Helpful

prashantrecon
Level 1
Level 1
In response to ajay chauhan

‎01-22-2012 11:30 PM

Thankyou,

But sometimes when i tired to access server from remote side.

Server is not accessible and when i excuted the command show connection notting will be displayed under falags.

What is reason ? Tunnel is up when checked.

0 Helpful

ajay chauhan
Level 7
Level 7
In response to prashantrecon

‎01-22-2012 11:39 PM

It can be attempt for connection and when you run sh conn there is nothing . To investigate this you should setup packet capture to know more in details what is happening.

Thanks

Ajay

Julio Carvajal
VIP Alumni
VIP Alumni
In response to prashantrecon

‎01-22-2012 11:41 PM

Hello Prashant,

You will need to analize the logs and check if the traffic is reaching the ASA, because if you do not see any entri on the

show conn that will means 1- ASA is dropping the connection 2-ASA is not receiving the traffic.

But on the 2 particular entries you have provided what Ajay and I have said is basically what is happening.

You can check Ajay document for a more detailed explanation on this.

Do rate helpful posts!!

Julio

Kind regards.!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio Carvajal
VIP Alumni
VIP Alumni
In response to prashantrecon

‎01-22-2012 11:51 PM

Hello Prashant,

If you have any other question just let us know! We would be more than glad to help otherwise please mark the question as answered so future users having the same problems or questions can learn from here.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card