
show conn count

Displays the total number of connections currently tracked by the ASA firewall.

Overview

The 'show conn count' command is a fundamental tool for monitoring the connection load on a Cisco ASA firewall. It provides a quick snapshot of how many connections are currently active and the historical peak since the last reboot. This command is essential for capacity planning, performance troubleshooting, and detecting anomalies such as denial-of-service attacks or misbehaving applications.

In the context of the ASA firewall, connections are stateful entries in the firewall's connection table. Each connection represents a flow of traffic that the firewall is tracking, including TCP sessions, UDP flows, ICMP exchanges, and even certain protocol-specific states. The ASA uses these entries to apply security policies, perform NAT, and ensure that only legitimate traffic is allowed. The total number of connections is limited by the platform's hardware and licensing; exceeding this limit can cause packet drops and degraded performance.

When to use this command: it is often the first step in troubleshooting performance issues. If users report slow connectivity or timeouts, checking the connection count can quickly indicate whether the firewall is overloaded. It is also useful during normal operations to establish a baseline of typical connection counts, which helps in identifying abnormal spikes. In a troubleshooting workflow, after clearing connections or modifying ACLs, you can use this command to verify that the connection count returns to expected levels.

Platform-specific behavior: On Cisco ASA, the 'show conn count' command is available in Privileged EXEC mode. The output is immediate and does not require additional parameters. The 'most used' counter is reset upon system reload or when the 'clear conn count' command is issued. Note that the connection count includes all connection types, but some features like VPN tunnels may have separate connection limits. Also, the ASA may have a maximum connection limit per context in multiple-context mode.

Syntax (Privileged EXEC)
show conn count

When to Use This Command

  • Quickly check the current connection load on the firewall to assess capacity utilization.
  • Monitor for abnormal spikes in connections that could indicate a DoS attack or misconfiguration.
  • Verify that connection counts return to normal after clearing connections or applying new ACLs.
  • Use in scripts or monitoring tools to track connection trends over time.

Parameters

Parameter: No parameters
Syntax: show conn count
Description: The command takes no parameters. It simply displays the current and peak connection counts.

Command Examples

Basic connection count display

show conn count
2324 in use, 12480 most used

The output shows that currently 2324 connections are active, and the peak number of connections since the last reboot or counter reset is 12480.

Connection count with high utilization

show conn count
98765 in use, 100000 most used

This shows current usage at 98.7% of the recorded peak. If the 'most used' value is also near the platform's connection limit, the firewall is running close to its capacity.

Understanding the Output

The 'show conn count' command returns a single line with two numbers: 'in use' and 'most used'. The 'in use' value is the current number of active connections (TCP, UDP, ICMP, etc.) being tracked by the ASA. The 'most used' value is the highest number of simultaneous connections recorded since the last system boot or counter reset. A healthy firewall should have 'in use' well below the platform's maximum connection limit (e.g., 100,000 for ASA 5506-X, 2,000,000 for ASA 5585-X). If 'in use' approaches 'most used' or the platform limit, performance may degrade, and you should investigate the cause. A sudden spike in 'in use' could indicate a DoS attack, a misconfigured application, or a routing loop. The 'most used' value helps in capacity planning; if it consistently nears the limit, consider upgrading hardware or optimizing connection handling.

Configuration Scenarios

Monitoring connection load during peak hours

An enterprise ASA 5516-X is experiencing intermittent connectivity issues during business hours. The administrator wants to check if the connection count is approaching the platform limit.

Topology

Internet --- ASA5516 --- Inside Network

Steps

  1. Access the ASA via SSH or console.
  2. Enter Privileged EXEC mode (enable).
  3. Run 'show conn count' and note the 'in use' and 'most used' values.
  4. Compare with the platform limit (e.g., 100,000 for ASA 5516-X).

Configuration

! No configuration required; this is a show command.

Verify: If 'in use' is consistently above 80% of the platform limit, consider upgrading the firewall or optimizing connection usage.

Watch out: The 'most used' value may not reflect the current peak if the firewall has been running for a long time; it is a historical high since last reboot.

Verifying connection count after clearing connections

After applying a new ACL that blocks certain traffic, the administrator wants to ensure that existing connections are cleared and the count drops.

Topology

ASA --- Inside Network

Steps

  1. Apply the new ACL.
  2. Run 'clear conn' to remove all existing connections.
  3. Run 'show conn count' to verify the count drops to near zero.
  4. Monitor for a gradual increase as new connections are established.

Configuration

! Example ACL applied
access-list INSIDE extended deny ip any any
access-group INSIDE in interface inside

Verify: After 'clear conn', the 'in use' count should drop to a low number (e.g., less than 10) representing system connections.

Watch out: Clearing all connections will disrupt all active sessions; use with caution.

Troubleshooting with This Command

The 'show conn count' command is invaluable for troubleshooting performance issues on the ASA. When users report slow network performance or timeouts, start by checking the connection count. A high 'in use' value relative to the platform's maximum connection limit (e.g., 100,000 for ASA 5516-X) indicates the firewall is under heavy load. If the count is near the limit, the ASA may start dropping new connection attempts, leading to connectivity issues.

Next, compare 'in use' with 'most used'. If 'most used' is significantly higher than 'in use', it suggests that the firewall has experienced a peak load in the past, possibly due to a transient event like a scan or a flash crowd. If 'in use' is consistently high and close to 'most used', the firewall is operating near its capacity, and you should investigate the sources of connections. Use 'show conn' to list connections and identify top talkers by protocol or destination.

If the connection count is normal but performance is still poor, consider other factors like CPU usage, memory, or interface errors. The 'show conn count' command is just one piece of the puzzle. Also, note that the ASA may have separate connection limits for different features (e.g., VPN, GTP inspection). Use 'show resource usage' to see overall resource utilization.

In case of a suspected DoS attack, a sudden spike in 'in use' can be a key indicator. You can then use 'show conn' with filters to identify the source IP addresses generating the most connections. The 'show conn count' command can also be used to verify the effectiveness of mitigation measures, such as rate-limiting or ACL changes, by observing the count drop over time.
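To show how the single output line described under "Understanding the Output" can be consumed by a monitoring script and checked with the rules from this troubleshooting section (usage against the platform limit, peak against the limit, and a sudden spike over a site baseline), here is an added Python example; it is not code from the page or from Cisco. The platform limit, the 80% warning threshold, the 3x spike factor and the sample session text are assumed values.

```python
import re
from dataclasses import dataclass

# Matches the single output line of 'show conn count', e.g. "2324 in use, 12480 most used"
CONN_COUNT_RE = re.compile(r"^\s*(\d+)\s+in use,\s+(\d+)\s+most used\s*$")


@dataclass(frozen=True)
class ConnCount:
    in_use: int     # connections currently tracked
    most_used: int  # peak since last reload or counter reset


def parse_conn_count(session_output: str) -> ConnCount:
    """Extract the counters from captured CLI output (echoed command and prompt are ignored)."""
    for line in session_output.splitlines():
        match = CONN_COUNT_RE.match(line)
        if match:
            return ConnCount(int(match.group(1)), int(match.group(2)))
    raise ValueError("no 'N in use, M most used' line in output")


def utilization(count: ConnCount, platform_limit: int) -> float:
    """Fraction of the platform's connection limit currently in use."""
    return count.in_use / platform_limit


def assess(count: ConnCount, platform_limit: int, baseline_in_use: int,
           warn_fraction: float = 0.8, spike_factor: float = 3.0) -> list[str]:
    """Apply the checks from the text: near the limit, historical peak near the limit,
    and a sudden spike over the site's normal baseline. Thresholds are assumed values."""
    findings = []
    if utilization(count, platform_limit) >= warn_fraction:
        findings.append(f"in use {count.in_use} is {utilization(count, platform_limit):.1%} "
                        f"of platform limit {platform_limit}: near capacity")
    if count.most_used >= platform_limit * warn_fraction:
        findings.append(f"peak {count.most_used} reached {count.most_used / platform_limit:.1%} "
                        "of platform limit: review capacity or a past transient event")
    if baseline_in_use > 0 and count.in_use >= baseline_in_use * spike_factor:
        findings.append(f"in use is {count.in_use / baseline_in_use:.1f}x the baseline {baseline_in_use}: "
                        "possible DoS, misbehaving application or routing loop; check 'show conn'")
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's high-utilization example as a captured SSH session
    sample = "ciscoasa# show conn count\n98765 in use, 100000 most used\nciscoasa# "
    for finding in assess(parse_conn_count(sample), platform_limit=100000, baseline_in_use=2500):
        print(finding)
```

Run it on a periodic poll and keep the baseline from quiet hours; the script raises ValueError if the output line is missing, so a transport or parsing failure is not silently read as zero connections.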

CCNA Exam Tips

  1. Remember that 'show conn count' is a quick health check; a high 'in use' relative to the platform limit can indicate resource exhaustion.
  2. In CCNP Security exams, know that the 'most used' counter resets on reload; it is not persistent across reboots.
  3. Be aware that connection limits vary by ASA model and license; for example, the ASA 5506-X supports up to 10,000 connections, while the ASA 5585-X supports up to 10 million.

Common Mistakes

Confusing 'show conn count' with 'show conn' (which lists individual connections) – the count command is much faster for a quick check.

Assuming the 'most used' value is a hard limit; it is simply a peak counter and does not trigger any action.

Forgetting that the count includes all connection types (TCP, UDP, ICMP, etc.) and not just TCP.

Platform Notes

On Cisco ASA, the 'show conn count' command is specific to the ASA platform and does not have a direct equivalent on Cisco IOS routers. On IOS, the closest command is 'show ip nat translations' for NAT connections or 'show tcp brief' for TCP connections, but these do not provide a single aggregate count. On ASA, the command is lightweight and can be run frequently without impacting performance.

In multiple-context mode, the command shows the connection count for the current context. To see counts for all contexts, use 'show conn count' in the system execution space or use 'show context' with connection statistics.

Version differences: In older ASA versions (pre-8.4), the command output was similar. In newer versions (9.x and later), the output remains the same. The 'most used' counter can be reset with 'clear conn count' in privileged mode. Note that the connection limit is enforced by the ASA's license; for example, the base license on a 5506-X allows 10,000 connections, while a Security Plus license increases it to 100,000. Always verify the platform's maximum connection limit in the documentation.
