Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3080
Views
15
Helpful
4
Replies

ASA show connection all question

Go to solution
i.leridant
Level 1
Level 1

‎04-01-2020 08:19 AM

Hello everyone,

 

I was wondering one thing : in an ASA I enter this command => show conn all

I have a lot of connections, more than 200.

Some are idle since 1s and others are idle since 300 hours.

My question is : this command shows the active connections only (so I have one user connected since more than 300 hours) or does it show connections since a certain amout of time, if so since how long ?

 

Best regards,

Irwin

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Pulkit Saxena
Cisco Employee
Cisco Employee

‎04-01-2020 11:54 PM

Hi Irwin,

 

Here is a link which explains about "show conn" :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s4.html#pgfId-1437635

Now since you ran, "show conn all" -- Displays connections that are to the device or from the device, in addition to through-traffic connections.

 

So basically the default "show conn" only shows through-the-box connections and with "show conn all", you will be seeing the management connections as well.

 

Now as per your statement, ideally you should not be seeing an idle connection for 300 hours, as per the default configuration, unless you have made some change via the MPF, you can check the default timeout settings, via the command, "show run timeout".

 

To your question, yes this command will show all active and idle connections which are not yet torn down.

 

Hope this was helpful.

 

Regards,

Pulkit

View solution in original post

4 Replies 4

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎04-01-2020 09:47 AM

Hi,

 

   One difference that i'm aware of is that with "show conn all" you also see to the box sessions, like IKE/ESP tunnels terminated on the ASA, SSH/SNMP management sessions on the ASA, IGP/BGP adjacencies, ICMP.

 

Regards,

Cristian Matei.

Go to solution
Marius Gunnerud
VIP
VIP

‎04-01-2020 12:06 PM

By default connections through the ASA have an idle timeout of 1 hour after which the connection is torn down. But if there is constant traffic going from a program or app on the user's PC the connection will never be torn down unless the traffic stops or you as the administrator of the firewall clear the connection and / or block the traffic.

--
Please remember to select a correct answer and rate helpful posts

Go to solution
Pulkit Saxena
Cisco Employee
Cisco Employee

‎04-01-2020 11:54 PM

Hi Irwin,

 

Here is a link which explains about "show conn" :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s4.html#pgfId-1437635

Now since you ran, "show conn all" -- Displays connections that are to the device or from the device, in addition to through-traffic connections.

 

So basically the default "show conn" only shows through-the-box connections and with "show conn all", you will be seeing the management connections as well.

 

Now as per your statement, ideally you should not be seeing an idle connection for 300 hours, as per the default configuration, unless you have made some change via the MPF, you can check the default timeout settings, via the command, "show run timeout".

 

To your question, yes this command will show all active and idle connections which are not yet torn down.

 

Hope this was helpful.

 

Regards,

Pulkit

Go to solution
i.leridant
Level 1
Level 1
In response to Pulkit Saxena

‎04-02-2020 04:33 AM

Thank you for your answer !

0 Helpful
Customers Also Viewed These Support Documents