“show connection” is a great troubelshooting command which displays the ACTIVE ASA connection table. All traffic that passes through the ASA will create a connection.
Quick Reference:
UIO = Outbound Connection
UIOB = Inbound Connection
Flags:
A – awaiting inside ACK to SYN,
a – awaiting outside ACK to SYN,
B – initial SYN from outside,
b – TCP state-bypass or nailed,
C – CTIQBE media,
D – DNS, d – dump,
E – outside back connection,
F – outside FIN,
f – inside FIN,
G – group,
g – MGCP,
H – H.323,
h – H.225.0,
I – inbound data,
i – incomplete,
J – GTP,
j – GTP data,
K – GTP t3-response
k – Skinny media,
M – SMTP data,
m – SIP media,
n – GUP
O – outbound data,
P – inside back connection,
p – Phone-proxy TFTP connection,
q – SQL*Net data,
R – outside acknowledged FIN,
R – UDP SUNRPC,
r – inside acknowledged FIN,
S – awaiting inside SYN,
s – awaiting outside SYN,
T – SIP,
t – SIP transient,
U – up,
V – VPN orphan,
W – WAAS,
X – inspected by service module
Examples:
INBOUND CONNECTION:
TCP Outside:172.30.200.24/50323 inside:172.16.200.1/6061,
flags UIOB, idle 27s, uptime 1D5h, timeout 1h0m, bytes 20155
U = the connection UP
I = there’s INBOUND data
O = there’s OUTBOUND data
B = initiated from the outside
OUTBOUND CONNECTION:
TCP outside:10.255.6.22/1433 inside:172.16.200.10/51033,
flags UIO, idle 24s, uptime 5m25s, timeout 1h0m, bytes 1982
U = the connection UP
I = there’s INBOUND data
O = there’s OUTBOUND data
INCOMPLETE:
TCP Outside:172.30.200.24/57630 inside:10.65.10.100/0,
flags Ti, idle 5m49s, uptime 5m49s, timeout -, bytes 0
T = this is SIP traffic
i = incomplete