
show conn

Displays the current state of all active connections through the ASA firewall, including protocol, source/destination IPs, ports, and connection flags.

Overview

The 'show conn' command is a fundamental troubleshooting tool on Cisco ASA firewalls, providing a real-time snapshot of all active connections traversing the device. Each connection entry represents a flow of traffic that has been permitted by the security policy and is being tracked by the ASA's stateful inspection engine. The command displays key attributes such as protocol, source and destination IP addresses (both real and mapped), ports, idle time, byte counts, and connection flags. Understanding this output is essential for verifying connectivity, diagnosing policy misconfigurations, detecting network attacks, and monitoring resource utilization.

At its core, the ASA maintains a connection table (also known as the conn table) that records every session passing through the firewall. This table is central to stateful inspection: the ASA tracks the state of each connection and only allows packets that belong to an established session. The 'show conn' command exposes this table in a human-readable format. The first line shows the current number of connections in use and the peak count since the last reboot or clear. This is a quick health indicator; a sudden spike may indicate a DoS attack or a misbehaving application.

Each connection line includes the protocol (TCP, UDP, ICMP, etc.), the 'real' IP:port (typically the outside/global address after NAT) and the 'mapped' IP:port (the inside/private address before NAT). The 'idle' time is the duration since the last packet matched the connection. A high idle time (e.g., hours) for a TCP connection may indicate a stale entry that should have timed out. The 'bytes' field shows total data transferred. The 'flags' field is a comma-separated list of single-character codes that describe the connection state. Common flags include 'U' (up), 'I' (inbound), 'O' (outbound), 'B' (backup path), 'P' (PAT applied), 'A' (awaiting SYN-ACK), 'F' (init FIN), and 'T' (TCP). For example, a normal outbound TCP connection from an inside host to an external web server would show flags 'UIO' (up, inbound, outbound).

In troubleshooting workflows, 'show conn' is often the first command after verifying basic connectivity. For instance, if a user cannot reach a website, you can check whether a connection exists. If it does, examine the flags and state. If the connection is in 'SYN_SENT' state (flag 'A'), the ASA sent a SYN but never received a SYN-ACK, indicating a routing or server issue. If the connection shows 'U' but the user still cannot access the site, check NAT translations with 'show xlate'. The command can be filtered by protocol or IP address using the '| include' option, e.g., 'show conn | include 10.0.1.10'. The 'detail' option provides additional per-connection information such as client/server roles, state (ESTAB, SYN_SENT, etc.), TTL, timeout, and bucket. This is invaluable for deep dives into the connection lifecycle.

Platform-specific behavior: On ASA, the connection table is stored in memory and is limited by the platform's connection limit (e.g., 50,000 for ASA 5505, up to millions for high-end models). The 'show conn count' variant gives a quick total without listing entries. The command is available in privileged EXEC mode and requires no special license. It is similar to 'show firewall connections' on other vendors but with ASA-specific flags and formatting.

Syntax (Privileged EXEC)
show conn [detail] [count] [long] [protocol {tcp | udp | icmp | ...}] [state state_name] [fragment] [all] [| {begin | include | exclude | grep} regex]

When to Use This Command

  • Verify that a specific internal host has an active outbound connection to an external server.
  • Check for asymmetric routing issues by examining connection flags (e.g., 'B' for backup path).
  • Monitor the number of concurrent connections to detect potential DoS attacks or resource exhaustion.
  • Troubleshoot firewall policy issues by confirming whether traffic is being allowed or denied based on connection state.

Parameters

  • detail (syntax: detail): Displays additional information for each connection, including client/server IPs, state, TTL, timeout, and bucket. Useful for in-depth troubleshooting.
  • count (syntax: count): Shows only the total number of connections currently in use, without listing individual connections. Useful for quick resource checks.
  • protocol (syntax: protocol {tcp | udp | icmp | ...}): Filters the output to show only connections of a specific protocol (e.g., tcp, udp, icmp). Helps isolate traffic types.
  • state (syntax: state state_name): Filters connections by state (e.g., ESTAB, SYN_SENT, TIME_WAIT). Useful for finding connections stuck in a particular state.
  • long (syntax: long): Displays the connection table in a longer format, wrapping lines that exceed terminal width. Helps readability for wide entries.
  • fragment (syntax: fragment): Shows only fragmented connections. Useful for troubleshooting fragmentation issues.
  • all (syntax: all): Displays all connections, including those that are normally hidden (e.g., management connections).

Command Examples

Basic connection display

show conn
1 in use, 3 most used
TCP outside 203.0.113.5:80 inside 10.0.1.10:54321, idle 0:00:05, bytes 1024, flags UIO
UDP outside 198.51.100.2:53 inside 10.0.1.20:12345, idle 0:00:30, bytes 512, flags -

First line shows current and peak connection count. Each subsequent line shows a connection: protocol, real (outside) IP:port, mapped (inside) IP:port, idle time, byte count, and flags (U=up, I=inbound, O=outbound).

Detailed connection output

show conn detail
1 in use, 3 most used
Flags: A - awaiting SYN ACK, B - backup, C - CTIQBE media, D - DNS, E - outside back, F - init FIN, G - group, H - H.323, I - inbound, J - GTP, K - GTP t3-response, L - LISP, M - SMTP data, N - inspected, O - outbound, P - PAT, Q - QUAKE, R - RPC, S - SIP, T - TCP, U - up, V - VPN, W - WAAS, X - inspected by service module

TCP outside 203.0.113.5:80 inside 10.0.1.10:54321, idle 0:00:05, bytes 1024, flags UIO
  Client: 10.0.1.10:54321, Server: 203.0.113.5:80
  State: ESTAB, TTL 00:10:00, Timeout 01:00:00, Bucket 0, Active

Detail mode adds a legend for flags and per-connection details: client/server IPs, state (ESTAB for established), TTL, timeout, bucket, and active flag.

Understanding the Output

The 'show conn' output begins with a summary line showing the number of connections currently in use and the peak count since last reset. Each subsequent line represents a single connection. The first field is the protocol (TCP, UDP, ICMP, etc.). Next is the 'real' (outside) IP address and port, followed by the 'mapped' (inside) IP address and port. The 'idle' field shows how long the connection has been idle (no traffic). 'bytes' indicates the total bytes transferred. The 'flags' field is critical for troubleshooting: 'U' means up, 'I' inbound, 'O' outbound, 'B' backup path, 'P' PAT applied, etc. Missing expected flags (e.g., no 'U' for an active connection) indicates a problem. In detail mode, additional lines show client/server roles, state (e.g., ESTAB, SYN_SENT, TIME_WAIT), TTL, timeout, and bucket. Healthy connections show 'ESTAB' state and appropriate flags. Problem indicators include connections stuck in 'SYN_SENT' (no response), 'TIME_WAIT' (not closing), or flags like 'A' (awaiting SYN-ACK) for extended periods. High idle times may indicate stale connections.

Configuration Scenarios

Verifying Outbound Web Access

A user on inside network (10.0.1.10) cannot access a public web server (203.0.113.5).

Topology

Internet --- ASA (outside: 203.0.113.1) --- Switch --- PC (10.0.1.10)

Steps

  1. From the ASA CLI, enter privileged EXEC mode.
  2. Run 'show conn | include 10.0.1.10' to see connections from that host.
  3. If no connection appears, run 'show asp drop' to check for drops.
  4. If a connection exists but its flags show 'A' (awaiting SYN-ACK), check routing to the server.

Configuration

! No specific config required; this is a verification step.

Verify: Expected output shows a TCP connection with flags 'UIO' and state ESTAB. If not, troubleshoot policy or routing.

Watch out: NAT may cause the source IP to appear as the outside interface IP; use 'show xlate' to correlate.

Monitoring Connection Count for Capacity Planning

Network administrator wants to check if the ASA is approaching its connection limit.

Topology

N/A

Steps

  1. Run 'show conn count' to get the current number of connections.
  2. Compare with the platform's maximum connection limit (e.g., 50,000 for ASA 5505).
  3. If approaching the limit, consider upgrading hardware or optimizing application behavior.

Configuration

! No config needed.

Verify: Output such as '45 connections in use' (constructed example).

Watch out: The count includes all protocols; some applications (e.g., P2P) may create many short-lived connections.

Troubleshooting with This Command

The 'show conn' command is indispensable for troubleshooting connectivity issues on Cisco ASA firewalls. When a user reports inability to reach a destination, start by checking if a connection exists for that flow. Use 'show conn | include <ip>' to filter. If no connection appears, the traffic is likely being dropped by an ACL, NAT misconfiguration, or routing issue. Next, check 'show asp drop' to see why packets are being dropped.

If a connection exists but is not in an established state (e.g., SYN_SENT or SYN_RECEIVED), the three-way handshake is incomplete. This could be due to asymmetric routing (where return traffic takes a different path), a firewall on the server side blocking the SYN-ACK, or a routing issue. Look for the 'B' flag in the connection output, which indicates the ASA is using a backup path due to asymmetric routing. If the connection shows 'U' but the user still cannot communicate, check NAT translations with 'show xlate' to ensure correct IP mapping.

Also examine the 'idle' time; a very high idle time (e.g., >1 hour) for a TCP connection may indicate a stale entry that should have been timed out. The ASA has default timeouts (e.g., 1 hour for TCP, 2 minutes for UDP), but these can be adjusted. If you see many connections in TIME_WAIT state, it may indicate applications not properly closing connections, which can exhaust the connection table. Use 'show conn state TIME_WAIT' to count them.

For performance issues, use 'show conn count' to monitor the total number of connections. A sudden spike could indicate a DoS attack. Combine with 'show resource usage' to see CPU/memory impact. Finally, remember that the ASA's connection table is per-context in multiple-context mode; use 'changeto context <name>' before running the command.
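One way to automate the triage described above and in Understanding the Output, as an added Python example that is not part of the original page: it parses basic 'show conn' lines into records and applies the page's own heuristics (the 'A' flag, a TCP entry without 'U', idle time past the 1-hour default TCP timeout). The sample output, addresses and function names are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample 'show conn' output (not captured from a real device).
SAMPLE = """\
4 in use, 120 most used
TCP outside 203.0.113.5:80 inside 10.0.1.10:54321, idle 0:00:05, bytes 1024, flags UIO
TCP outside 203.0.113.9:443 inside 10.0.1.11:40001, idle 0:00:45, bytes 0, flags A
TCP outside 203.0.113.20:22 inside 10.0.1.12:50100, idle 2:15:03, bytes 8800, flags UIO
UDP outside 198.51.100.2:53 inside 10.0.1.20:12345, idle 0:00:30, bytes 512, flags -
"""

SUMMARY_RE = re.compile(r"^(?P<in_use>\d+) in use, (?P<peak>\d+) most used$")
CONN_RE = re.compile(
    r"^(?P<proto>\w+) (?P<out_if>\S+) (?P<out_addr>[\d.]+:\d+) "
    r"(?P<in_if>\S+) (?P<in_addr>[\d.]+:\d+), idle (?P<idle>\d+:\d{2}:\d{2}), "
    r"bytes (?P<bytes>\d+), flags (?P<flags>\S+)$"
)

# outside_addr/inside_addr follow the interface names printed on the line; flags is '' for '-'.
Conn = namedtuple("Conn", "proto outside_addr inside_addr idle_s byte_count flags")

def idle_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_show_conn(text):
    """Return (in_use, peak, [Conn]) from raw 'show conn' output."""
    in_use = peak = 0
    conns = []
    for line in text.splitlines():
        if m := SUMMARY_RE.match(line.strip()):
            in_use, peak = int(m["in_use"]), int(m["peak"])
        elif m := CONN_RE.match(line.strip()):
            flags = "" if m["flags"] == "-" else m["flags"]
            conns.append(Conn(m["proto"], m["out_addr"], m["in_addr"],
                              idle_seconds(m["idle"]), int(m["bytes"]), flags))
    return in_use, peak, conns

def triage(conns, stale_after=3600):
    """Apply the page's heuristics; returns [(conn, reason)] worth a closer look."""
    findings = []
    for c in conns:
        if "A" in c.flags:  # SYN sent, no SYN-ACK seen: routing or server-side issue
            findings.append((c, "handshake incomplete (awaiting SYN-ACK)"))
        elif c.proto == "TCP" and "U" not in c.flags:
            findings.append((c, "TCP entry without U flag"))
        if c.proto == "TCP" and c.idle_s >= stale_after:  # past the 1h default TCP timeout
            findings.append((c, "stale: idle beyond TCP timeout"))
    return findings
```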

CCNA Exam Tips

1. Memorize common connection flags: U (up), I (inbound), O (outbound), B (backup), P (PAT).

2. Know that 'show conn count' gives a quick total without listing all connections.

3. Understand that 'show conn detail' is useful for troubleshooting asymmetric routing (look for the 'B' flag).

Common Mistakes

Confusing 'real' and 'mapped' IPs: real is the outside IP after NAT, mapped is the inside IP before NAT.

Assuming all connections should have 'U' flag; connections in setup or teardown may not.

Overlooking the 'idle' time: a very high idle time may indicate a stale connection consuming resources.

Platform Notes

On Cisco ASA, the 'show conn' command is similar to 'show firewall connections' on other vendors but uses ASA-specific flags and formatting. Unlike Cisco IOS routers, which use 'show ip nat translations' for NAT and 'show tcp brief' for TCP connections, the ASA integrates both into a single connection table. The ASA's connection table is stateful and includes both NAT and firewall state. In ASA version 9.x and later, the output format is consistent. For ASDM, the equivalent is Monitoring > Connections. On Cisco FTD (Firepower Threat Defense), the command is 'show conn' as well, but the output may include additional fields like 'event' and 'ingress_if'. On Cisco IOS XE with Zone-Based Firewall, use 'show policy-map type inspect zone-pair sessions'. The 'show conn' command on ASA also supports the '|' pipe for filtering, which is not available on all platforms. In multiple-context mode, each context has its own connection table; you must be in the correct context to see its connections. The command can be used with 'detail' to see per-connection state, which is more detailed than the basic output. On older ASA versions (pre-8.0), the flags were slightly different; for example, 'P' for PAT was introduced later. Always check the version documentation for exact flag meanings.
