Cisco ACE - "show conn" command queries

Hi all,
I have some queries regarding the "show conn" command in Cisco ACE.
Working Scenario:
VIP : 10.10.10.1
Server 1 : 10.10.20.1
Server 2 : 10.10.20.2
Client: 30.30.30.1
When a client 30.30.30.1 initiates a connection to the VIP on 10.10.10.1, the ACE load balances it to Server 1, 10.10.20.1. Looking at the "show conn" table, it shows that Server 1 is replying back to the Client 30.30.30.1 through the ACE.
Now, my question is when the ACE returns the traffic to the Client, should the Client be seeing the source IP coming from the VIP or Server 1? My understanding is that the Client should be seeing traffic returning from the VIP. But the show conn table does not seem to suggest so.
show conn table
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
1768       1  in  TCP   10   30.30.30.1:9221       10.10.10.1:80         ESTAB
41         1  out TCP   52   10.10.20.1:80         30.30.30.1:9221       CLOSED

Daniel,
The client is expecting a response from the VIP otherwise there would be an asymmetrical routing problem and conns will never complete.
The fact that you're seeing 30.30.30.1 as the destination address is just that the server is able to see the client's IP address on the request. When your backend server sends the reply back to the client, this response is forced to go through the ACE; when the ACE looks at the packet it matches a previously created conn in the flow table, so it "NATs" the reply, and now the source of the packet is the VIP and the destination is 30.30.30.1.
This is an expected behavior as you're not using S-NAT on your network.
HTH.
Pablo
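To make the two-flow model concrete, here is an added Python example (not code from the thread or from Cisco) that parses the 'show conn' table Daniel posted, pairs each "in" flow with the "out" flow returning to the same client socket, and reports which address each side sees; the same pairing explains the ESTAB/CLOSED pair in the "Show conn on ACE" thread below. It assumes the column order of the 'show conn' header and that no source NAT is configured, as in this scenario.

```python
"""Pair the two flows of one load-balanced connection in Cisco ACE 'show conn'
output and report which address each side sees. Added example, not code from
the thread or from Cisco; SAMPLE is the table Daniel posted (no source NAT)."""
import re
from dataclasses import dataclass

SAMPLE = """\
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
1768       1  in  TCP   10   30.30.30.1:9221       10.10.10.1:80         ESTAB
41         1  out TCP   52   10.10.20.1:80         30.30.30.1:9221       CLOSED
"""

# One table row: conn-id np dir proto vlan source destination state.
# Header, separator and '[ idle time ... ]' detail lines do not match.
ROW = re.compile(
    r"^\s*(?P<conn_id>\d+)\s+(?P<np>\d+)\s+(?P<dir>in|out)\s+(?P<proto>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$")

@dataclass(frozen=True)
class Flow:
    conn_id: int
    np: int          # network processor (IXP) that owns the flow
    direction: str   # 'in': client -> VIP side; 'out': rserver -> client side
    proto: str
    vlan: int
    src: str
    dst: str
    state: str

def parse_show_conn(text):
    """Return one Flow per table row; everything else is skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            flows.append(Flow(int(d["conn_id"]), int(d["np"]), d["dir"], d["proto"],
                              int(d["vlan"]), d["src"], d["dst"], d["state"]))
    return flows

def pair_flows(flows):
    """Match each 'in' flow with the 'out' flow returning to the same client socket.
    Without source NAT the rserver sees the real client address, so the 'out'
    destination equals the 'in' source. An 'in' flow with no partner yet
    (e.g. SYNSEEN before the server side exists) is returned with None."""
    outs = {(f.proto, f.dst): f for f in flows if f.direction == "out"}
    return [(f, outs.get((f.proto, f.src))) for f in flows if f.direction == "in"]

def describe(inbound, outbound):
    """Explain who sees which address on one load-balanced connection."""
    info = {
        "client": inbound.src,
        "vip": inbound.dst,
        "rserver": outbound.src if outbound else None,
        # The rserver replies to the client's real address ...
        "server_replies_to": outbound.dst if outbound else None,
        # ... but the ACE rewrites the source to the VIP on the way back,
        # so the client only ever sees the VIP, never the rserver address.
        "client_sees_reply_from": inbound.dst,
        "states": (inbound.state, outbound.state if outbound else None),
    }
    # Differing states (ESTAB vs CLOSED) mean one side has sent its FIN and the
    # other has not; the pair stays in the table until the idle timer expires.
    info["half_closed"] = outbound is not None and inbound.state != outbound.state
    return info

def summarize(text):
    """Pair and describe every connection in a 'show conn' dump."""
    return [describe(i, o) for i, o in pair_flows(parse_show_conn(text))]
```

Feeding it a 'show conn detail' dump works too, because the bracketed idle/elapsed lines simply do not match the row pattern.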

Similar Messages

  • Question about ACE show Conn command (tcp duration)

    Hello,
    I was checking connections and noticed that I would see the initial connection, but after a short time the connection quits showing up in the counters and the “show conn” command. However the user is still up and working.
    This is the command I used:
    sho conn serverfarm STAGING-HTTPS detail
    The output shows all the connection info from source to destination, and in the ESTABLISHED state.
    However, after maybe 2~3 minutes, when I press the up arrow and rerun it, I don't see any connection info. The web page is still up. If I refresh the web page, I do see the connections come in.
    Can someone kindly point me to a document or provide an answer on how long the connections should be stored before they are flushed?
    Config profile:
    4 real servers
    HTTPS protocol
    Leastconn for predictor
    sticky based on src/dst IP
    Thanks,
    Raman

    Raman,
    If you would play with a sniffer capture, you could answer the question yourself.
    If the browser loads a flash object or a java applet, once it is loaded, you can still work on the page but there is no data transfer.
    With a sniffer tool you could see the browser closing the connections.
    The default TCP idle timeout on ACE is 1 hour.
    Gilles.

  • Right syntax of show conn command

    Good day!
    Please, help me with correct syntax of show conn command...
    I need to show all active tcp connections from inside to outside on port 60565...
    Thank you...!

    Hi,
    Well there are a lot of options.
    Below is the basic command
    show conn
    You can use the below commands to get more detailed information
    show conn long
    show conn detail
    You can show certain port connections with the command (with some added parameters)
    show conn detail port 60565
    Some variation of the below command might also be helpful
    show local-host
    Use the "?" (question mark) after the "show local-host" to see what options you have. Same option naturally applies to any other command on the ASA in general.
    I would also suggest checking out the ASA Command Reference when you are unclear of the purpose of a certain command. They are listed in alphabetical order
    http://www.cisco.com/en/US/docs/security/asa/command-reference/cmdref.html
    - Jouni

  • ACE Sticky Connections, Show Conn Output and Show serverfarm

    Hi Community,
    I'm deploying a Cisco ACE module and I have some questions about sticky connections and about the output of the show conn command and show serverfarm command.
    I have the following configuration:
    rserver host srv_1
      ip address 10.4.11.14
      inservice
    rserver host srv_2
      ip address 10.4.11.18
      inservice
    serverfarm host farm_144
      rserver srv_1 144
        weight 1
        inservice
      rserver srv_2 144
        weight 3
        inservice
    sticky ip-netmask 255.255.255.255 address source st_host144
      timeout 10080
      serverfarm farm_144
    class-map match-all vip_144
      2 match virtual-address 10.4.11.208 tcp eq 143
    policy-map type loadbalance first-match lb_144
      class class-default
    policy-map multi-match policy_vip_webcache
      class vip_webcache_144
        loadbalance vip inservice
        loadbalance policy lb_144
        loadbalance vip icmp-reply active
        nat dynamic 411 vlan 411
    We can assume that service policy was applied at the interface vlan. So, let's go to the questions:
    1- If sticky is enabled, should the output of the "show conn" command show just one entry per IP address?
    The real output is:
    DC01-ACE-01-PRIMARY-SW1/context_servidores# show conn | inc :143
    333046     1  in  TCP   411  10.2.158.87:3616      10.4.11.208:143       ESTAB
    286390     3  in  TCP   411  10.2.158.87:3562      10.4.11.208:143       ESTAB
    310233     1  in  TCP   411  10.1.5.87:3424        10.4.11.208:143       ESTAB
    Note that the IP address 10.2.158.87 is shown 2 times. Sometimes the same IP address is shown 4 times to the same VIP and the same port. Is this normal behavior?
    2- According to the configuration, srv_2 has weight 3 and srv_1 has weight 1, but the output of show serverfarm shows something strange:
    DC01-ACE-01-PRIMARY-SW1/context_servidores# show serverfarm farm_144
    serverfarm     : farm_144, type: HOST
    total rservers : 2
    state          : ACTIVE
    DWS state      : DISABLED
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: srv_1
           10.4.11.14:144        1   OPERATIONAL     11         386        0
       rserver: srv_2
           10.4.11.18:144        3   OPERATIONAL     35         66         0
    We can see that the weight is working well, but the total of connections is higher at srv_1 than srv_2. Why?
    Can somebody help me better understand this problem, or whether it is normal behavior?
    Thanks in advance!!

    Hi Gaurav,
    About question 1, I got some information too. It's perfectly normal for the client to open 2 or more connections at the same time. The client's application is responsible. We removed the ACE and connected the client directly to the server, and the result of the total connections opened was the same.
    About question 2, I made some "clears" on the serverfarm, the sticky database and after that, the numbers were more real.
    DC01-ACE-02-SECONDARY-SW1/context_servidores# sh serverfarm farm_webcache_144
    serverfarm     : farm_webcache_144, type: HOST
    total rservers : 2
    state          : ACTIVE
    DWS state      : DISABLED
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: srv_webcache_1
           10.4.11.14:144        1   OPERATIONAL     1025       15499      4436
       rserver: srv_webcache_2
           10.4.11.18:144        2   OPERATIONAL     1794       33471      471
    DC01-ACE-02-SECONDARY-SW1/context_servidores#
    Anyway thank you very much for your feedback.
    Plínio Monteiro

  • TCP SYNSEEN with load balancing Cisco ACE 4710

    I have a Cisco ACE 4710 load balancing the traffic to two proxy servers. The configuration has been the same since December 2012, but yesterday it started to show SYNSEEN in the show conn command, and the hosts cannot browse. I think that means that the three-way handshake is not complete.
    If I bypass the ACE the hosts can browse without problems. 
    I have tested with another ACE appliance and the same configuration but the behaviour is the same.
    I need help as soon as possible,
    thanks,
    I've attached the Show conn, show conn detail and show run.

    Hi Cesar,
    Thank you for your answer,
    The issue was solved,
    We were running an A3 software version, which seems to have a bug so it doesn't show the NAT commands in the "show run", so when we made the configuration backup we didn't notice it.
    The ACE reloaded because of an electrical failure, so it lost the NAT config.
    We just upgraded to an A4 version and also added a NAT/PAT to enable the communication between the Clients and the Proxy.
    Regards,

  • Show conn info via snmp

    Hi,
    Does the ASA have an SNMP OID which will provide information like the show conn command ?

    2 years later, how's LLDP support via SNMP?
    If Cisco does not support LLDP via SNMP, please remove the wrong information from
    http://tools.cisco.com/ITDIT/MIBS/MainServlet?ReleaseSel=2514&PlatformSel=231&fsSel=705
    Stop lying!

  • Show conn in cisco asa

    Hi Team,
    Does the show conn count include TCP + UDP + embryonic connections?
    Because when I do a calculation in Excel from the output of show conn, I get the output below.
    It was extracted from the command "show local-host | include host|count/limit"
    (A):
       Total Sum of TCP embryonic count to host = 331
    (B):
         Total Sum of TCP flow count/limit = 102938
    (C):
         Total Sum of UDP flow count/limit = 3512505
    firewall#show conn count
    1912284 in use, 2000002 most used
    Please let me know how this is calculated. If show conn count = A+B+C, then I suspect that old connection entries are not getting flushed out from the connection table in the Cisco ASA 5580 with version 8.3.2.
    I'm really in need of help...

    Hi Kimberly,
    My question was that the count of show conn & show local-host does not match... Moreover, show conn was showing that the max limit of 2 million will be reached very soon... So, I would like to troubleshoot the output of show local-host | include host|count/limit, where I could see that one of the web servers has lots of TCP connections (let's say 35000), and the other two servers are consuming UDP connections of 7 lacs, 5 lacs & 3 lacs, as given below...
    local host: ,
        TCP flow count/limit = 35857/unlimited
        TCP embryonic count to host = 25
        UDP flow count/limit = 0/unlimited
    local host: ,
        TCP flow count/limit = 306/unlimited
        TCP embryonic count to host = 8
        UDP flow count/limit = 736807/unlimited
    local host: ,
        TCP flow count/limit = 246/unlimited
        TCP embryonic count to host = 2
        UDP flow count/limit = 582010/unlimited
    local host: ,
        TCP flow count/limit = 1/unlimited
        TCP embryonic count to host = 0
        UDP flow count/limit = 308412/unlimited
    Can you please let me know any other commands that can be executed to find out if there are any huge embryonic/virus attacks/too many broadcasts...... Once I clear the local-host, the connections get reduced from a huge value to a low value. I really do not know if these are genuine traffic or fake, or whether the connection table is not flushing out old entries.. please help

  • Logging user commands in Cisco ACE appliance

    Good afternoon gentlemen
    I need to configure the same as shown below in Cisco ACE Appliance. The requirement is logging all user access login (whether failed or succeeded) and also logging all commands that users issue.
    #IOS commands
    no logging console
    logging buffered 307200 informational
    service timestamps log datetime localtime show-timezone
    logging trap debugging
    login on-failure log
    login on-success log
    archive
       log config
          logging enable
          logging size 500
          hidekeys
          notify syslog contenttype plaintext
    If you guys have an idea please answer
    Regards
    Christian

    Hello Arun,
    we saw before the message you report, it's probably a symptom of:
    CSCtx03563
    or
    CSCue38032
    I would suggest opening a TAC case to get this properly investigated.
    Kind Regards,
    Francesco

  • Show conn on ACE

    I have some questions related to show conn on ACE.
    The log is like below:
    ACEAD#1/130# show conn de | be 2633
    2633 1 in TCP 330 100.254.130.13:39560 100.254.16.11:389 ESTAB
    [ idle time : 00:33:21, byte count : 334 ]
    [ elapsed time: 00:48:35, packet count: 5 ]
    11239 1 out TCP 30 100.254.16.11:389 100.254.130.13:39560 CLOSED
    [ conn in reuse pool : FALSE]
    [ idle time : 00:33:21, byte count : 261 ]
    [ elapsed time: 00:48:35, packet count: 3 ]
    ACEAD#1/130# show conn de | be 2633
    2633 1 in TCP 330 100.254.130.13:39560 100.254.16.11:389 ESTAB
    [ idle time : 00:33:49, byte count : 334 ]
    [ elapsed time: 00:49:03, packet count: 5 ]
    11239 1 out TCP 30 100.254.16.11:389 100.254.130.13:39560 CLOSED
    [ conn in reuse pool : FALSE]
    [ idle time : 00:33:49, byte count : 261 ]
    [ elapsed time: 00:49:03, packet count: 3 ]
    100.254.130.13 is the server-side IP address.
    100.254.16.11 is the outside client's IP address.
    Connection id 2633's connection status is ESTAB, but connection id 11239 is CLOSED.
    Is this a pair of connections between 100.254.130.13 and 100.254.16.11?
    In the log, there are two flows with different connection ids, one in each direction.
    If the two connections are a pair, why is conn id 2633 ESTAB and conn id 11239 CLOSED?
    Or if not, is each a single flow, not related to the other?
    There is no explanation about this issue in the documentation. I have no experience with this on Cisco ACE.
    Can anyone help me!

    The output you provided at the beginning is two flows that make up a single connection.
    When a client initiates a connection to the ACE virtual address two flows are created on the ACE. flow-1 is client to ACE and flow-2 is ACE to server. But both of these flows are tied together and make up the connection.
    My assumption on what is happening in your output:
    1. This is the flow from the ACE to the server. The server has sent a FIN so this is why the ACE displays the connection as closed.
    11239 1 out TCP 30 x.x.x.x:389 x.x.x.x:39560 CLOSED
    2. This is the flow between the client and the ACE. The ACE has not seen a FIN ACK from the client so the connection remains open.
    2633 1 in TCP 330 x.x.x.x:39560 x.x.x.x:389 ESTAB
    3. These flows will remain in the connection table until the idle timer expires (half-closed) or the ACE receives a FIN ACK, RST, etc. from the client.
    Here is documentation on setting the different idle timers on ACE.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/tcpipnrm.html#wp1072427

  • Conn id in 'show conn' display - ACE

    I would like to identify the latest connections in the 'show conn' table. Does the table build up in a linear fashion, i.e. is the latest conn the last row? Can a timestamp be enabled on the 'show conn' display? Also, how is the conn id generated? I don't see it in sequence.

    ACE is actually the combination of 3 CPUs.
    The Control Plane (CP), which is the management side, holds the configuration, answers SNMP queries, sends probes, ...
    The IXPs are the 2 CPUs actually switching the traffic.
    They are also called network processors or NP.
    This is the 2nd column of the 'show conn'.
    Gilles.

  • Cisco ASA get 'show conn all long' info through snmp

    Hi,
    I would need to gather the info about all established connections that I can see on the ASA terminal by using the command
    show conn all long
    for monitoring purposes through snmp. I am browsing several MIBs&OIDs but no one seems to contain this info.
    Does anyone know if this is possible ?
    Thanks.
    Vlad

    I'm looking for the solution. Did you ever find out if this was possible?

  • Cisco IPS Tech Tips: 2010 Dec 16 - show tech commands

    Robert Albach invites you to attend a Web seminar using WebEx. This event requires registration.
    IPS Tech Tips are monthly webinars lasting approximately 30 minutes with question and answer to follow. This month’s event will focus on the “show tech” command and its potential relevance to your IPS operation.
    Topic: Cisco IPS Tech Tip 2010 Dec 16 - Show Tech
    Host: Robert Albach
    Date and Time:
    December 16, 2010 10:00 am, Central Standard Time (Chicago, GMT-06:00)
    To register for the online event
    1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=205452108&t=a&EA=ralbach%40cisco.com&ET=72ce549014a807001ae666a6d82dcc7c&ETR=6ff5ff3ebf442ab68017b906c9ead1a7&RT=MiM3&p
    2. Click "Register".
    3. On the registration form, enter your information and then click "Submit".
    Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.
    For assistance
    You can contact Robert Albach at:
    [email protected]
    http://www.webex.com
    IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and any documents and other materials exchanged or viewed during the session to be recorded. By joining this session, you automatically consent to such recordings. If you do not consent to the recording, discuss your concerns with the meeting host prior to the start of the recording or do not join the session. Please note that any such recordings may be subject to discovery in the event of litigation.

    The recordings and the presentation slides are placed here on the Cisco Support Community. I think if you roll the threads back some you will see the prior month's Tech Tips (then called Tech Talks) posted.
    This one will be posted a few days after the event.
    -Robert

  • Cisco ACE with ACS5.0

    Guys,
    Is there a way that I can configure authentication using ACS 5.0 to access a certain server farm group only for a specific user?
    Sent from Cisco Technical Support iPad App

    Yes you could using roles & domains. you would initially have to configure a domain on the ACE and add the relevant serverfarm to it.
    Then in ACS configure the policy for authentication & authorization and under the Shell Profile / Custom Attributes section add an attribute of shell: with Value of , similar to what I have below for my environment (I just have a role of Admin and the default domain in mine).  Then you can test by logging in and issuing the 'show users' command to verify (or check ACS Tacacs/Radius logs)

  • How to test a cisco ACE loadbalancer.

    Hello guys, I am new on this site. I have deployed a Cisco ACE 4710 load balancer, and it is load balancing 2 real servers. Is there any way or any commands I can use to see if it is load balancing properly?

    "show serverfarm" will show you the load-balanced connections to each real. Also try "show service-policy <> class-map <> detailed" and check client and server hits counts.
    "show connection" also.

  • Configuring Cisco ACE

    I have been given the task of configuring a Cisco ACE20, initially for SLB. I have configured IOS SLB successfully but the ACE appears far more complex. Does anyone have any configuration guides with diagrams? The Cisco documentation only gives command guides, which I am finding difficult to follow. I have set up a test scenario as follows:
    Client side vlan 10 - 172.22.152.0 / 21
    Server side vlan 17 - 172.22.244.0 /24
    Vlan 10 is set up on Sup720 as L2/3
    Vlan 17 is set up on Sup720 as L2 only
    PC with IIS running with IP address 172.22.244.101
    VIP address 172.22.152.6
    Rserver address 172.22.244.101
    Route on ACE 0.0.0.0 0.0.0.0 172.22.152.2
    I can ping the rserver from ACE OK as I have captured the ICMP traffic with analyser, when I attempt to HTTP to the vserver address I see the traffic hit the ACE but it sends TCP resets.
    I can provide the full config of the ACE etc if needed.
    With IOS SLB (without NAT) I used loopback addresses on the real servers. From the ACE documentation it appears the VIP address has to be completely unique; does this mean there is no need for loopback interfaces? Also, does the VIP address have to be in a different subnet than the clients? Mine is not, but it is in the same subnet as my client side vlan, as was stated in the ACE getting started guide.
    I am very new to content switching, especially classifying traffic etc. Can anyone please help?

    Giles
    Capture attached (Ethereal).
    I am the client on 172.21.17.20, the VIP address 172.22.152.6 replies with a RST/ACK. I can see the connection attempt on the ACE:
    switch/Admin# sh conn
    total current connections : 6
    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    4          1  in  TCP   10   172.21.17.20:1291     172.22.152.6:80       SYNSEEN
    1          1  out TCP   17   172.22.152.6:80       172.21.17.20:1291     INIT
    3          1  in  TCP   10   172.21.17.20:1285     172.22.152.5:23       ESTAB
    5          1  out TCP   10   172.22.152.5:23       172.21.17.20:1285     ESTAB
    4          2  in  UDP   17   172.22.244.101:1042   172.28.7.25:161       --
    2          2  out UDP   10   172.28.7.25:161       172.22.244.101:1042   --
    switch/Admin#
    Do I need a loopback address on the real server? Also I only have one real server set up at the moment; I didn't think this would matter.
    Hope this helps....
    Paul
