Don’t Forget about the ASA’s “show conn” Command

I often find myself troubleshooting connections through an ASA. As a firewall, the ASA is often blamed for network connectivity issues. Therefore, we often just want to determine if the issue is upstream or downstream from the firewall. One of the first things that comes to mind is the packet capture capability. However, there is a simpler tool that may quickly answer these types of questions. That tool is the “show conn” command.

The show conn command can be filtered to a particular IP address and can demonstrate the current state of a connection. If the connection isn’t listed at all, the initiating packet probably isn’t making it into the ASA’s logic.

A quick examination of this command leaves a lot to be desired.

ASA# show conn
11 in use, 338 most used
TCP outside inside, idle 0:00:40, bytes 7913, flags UIO
TCP outside inside, idle 0:01:02, bytes 7677, flags UIO
TCP outside inside, idle 0:00:00, bytes 0, flags saA
TCP outside inside, idle 0:00:05, bytes 40992, flags UIO
TCP outside inside, idle 0:02:25, bytes 5314, flags UIO
TCP outside inside, idle 0:00:39, bytes 2825, flags UIO
TCP outside inside, idle 0:00:39, bytes 3937, flags UIO
TCP outside inside, idle 0:00:09, bytes 23908, flags UIO
TCP outside inside, idle 0:00:03, bytes 127339, flags UIO
TCP outside inside, idle 0:00:14, bytes 102320, flags UIO

Although we can easily filter it using the address parameter, there are likely a lot of remaining questions.

ASA# show conn address
11 in use, 338 most used
TCP outside inside, idle 0:00:04, bytes 0, flags saA

Notice the flags in the output. These should surely shed some light on the connection status.

show conn

By adding the detail keyword, the ASA will share the meaning of the possible flag values.

ASA# show conn address detail

show conn detail

As shown above, the flags saA indicate that this connection is awaiting the outside syn (s), outside ack (a), and inside ack (A). When we apply our TCP knowledge of the three-way handshake (syn, syn-ack, ack), we can deduce that the ASA has only seen the inside SYN. Since the “outside syn” has not been seen, everything else is irrelevant.

Given this scenario, an administrator can see that the problem is somewhere between the outside interface and the server. In this case, the server simply didn’t exist.
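As an added example (not code from the post), here is a small Python helper that parses show conn lines and reads the handshake flags the same way the post does; the flag legend subset comes from the ASA's detail output, and the sample output, its documentation-range addresses and the function names are my own construction.

```python
import re

# Matches one "show conn" connection line; the "N in use" header does not match.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+\s+(?P<outside>\S+)\s+\S+\s+(?P<inside>\S+),"
    r"\s+idle\s+(?P<idle>\S+),\s+bytes\s+(?P<nbytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)
# Handshake-related subset of the flag legend printed by "show conn detail".
FLAG_MEANING = {
    "U": "up (three-way handshake complete)",
    "s": "awaiting outside SYN",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
}

def parse_show_conn(text):
    """Return one dict per connection line, with the byte count as an int."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            c = m.groupdict()
            c["nbytes"] = int(c["nbytes"])
            conns.append(c)
    return conns

def handshake_state(flags):
    """Translate the flags into what the ASA has and has not seen of the handshake."""
    if "U" in flags:
        return "established"
    if "s" in flags:
        # Outside SYN still awaited: only the inside SYN reached the ASA and the
        # SYN-ACK never came back, so look between the outside interface and the server.
        return "inside SYN seen, no SYN-ACK from outside"
    if "A" in flags:
        return "SYN-ACK seen, awaiting inside ACK"
    return "other: " + ", ".join(FLAG_MEANING.get(c, c) for c in flags)

def diagnose(text, ip):
    """Like 'show conn address <ip>', with each hit interpreted; absence is itself a finding."""
    hits = [c for c in parse_show_conn(text)
            if ip in (c["outside"].rsplit(":", 1)[0], c["inside"].rsplit(":", 1)[0])]
    if not hits:
        return "no connection: the initiating packet never reached the ASA's logic"
    return [(c["outside"], c["inside"], c["flags"], handshake_state(c["flags"])) for c in hits]

# Constructed sample output (documentation-range addresses, not from the post).
SAMPLE = """\
11 in use, 338 most used
TCP outside 203.0.113.10:443 inside 10.1.1.20:51234, idle 0:00:40, bytes 7913, flags UIO
TCP outside 203.0.113.25:22 inside 10.1.1.30:40001, idle 0:00:04, bytes 0, flags saA
"""
```

Running diagnose(SAMPLE, "10.1.1.30") reports the saA entry as "inside SYN seen, no SYN-ACK from outside", which is the post's conclusion for that scenario.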

Posted in CCNA Security, Certification, Security, Technology

Free Training from Brocade

For those wanting a deeper understanding, or those who want to certify their current knowledge of the Brocade Ethernet Fabric, free online training is available. The course material even contains a promo code that allows participants to take the BCEFP (Brocade Certified Ethernet Fabric Professional) exam. This program and the associated materials are intended for current network professionals with field experience.


Posted in Blogroll, Certification, General, Network, Technology

Heartbleed Will Cause Issues With Obscure OpenSSL Use Cases

In real world deployments, the Heartbleed Bug is a bit different than a lot of other vulnerabilities we have seen. This issue exists in recent versions of OpenSSL and allows an attacker to harvest raw information from the memory of affected devices. Obviously, an affected device contains a front-door bug that needs immediate attention. Since there is also the possibility of undetected information disclosure, there must be some consideration for the associated impact of a data breach. In security conscious environments, there are several steps that must be performed in succession to fully address an affected environment.

Addressing the Heartbleed Bug

  1. Obtain and install a version of OpenSSL that isn’t affected by the vulnerability
  2. Confirm that the host is no longer vulnerable
  3. Consider the possible impact of prior disclosure of memory contents
    1. Private Keys/Certificate (rekey and reissue as required)
    2. User Credentials (expire and require new password at next logon)
    3. Embedded and/or Configured Credentials (www->SQL)
    4. Any other data that could’ve been in RAM
  4. Proper Monitoring, Forensics and Notification as required

My general thoughts on this are that the first two steps will be quickly performed on high risk web servers that use standard TCP ports. This is partially due to the coverage the issue is getting. However, my guess is that some organizations will fall short on steps 3 and 4. My additional concern is that Heartbleed may be overlooked in more obscure places. Some may be surprised at where it can be found.
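Added example for steps 1 and 2 above (my code, not the post's): a Python check of the upstream OpenSSL version range that carried the bug, plus a detector for daemons that still have the old, since-replaced libssl mapped, read from /proc/<pid>/maps, which is the common way step 2 silently fails when services are not restarted. The maps excerpts and PIDs are constructed.

```python
import re

# Upstream OpenSSL releases with the vulnerable heartbeat code: 1.0.1 through 1.0.1f.
# 1.0.1g and the 1.0.0 / 0.9.8 branches never carried it.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def upstream_version_affected(version_line):
    """True if an 'openssl version' line names an affected upstream release.
    Caveat: distributions backported the fix without bumping the letter
    (e.g. a patched 1.0.1e), so True is a prompt to check the package
    changelog, not proof of vulnerability."""
    m = VERSION_RE.search(version_line)
    if not m:
        raise ValueError("unrecognised version string: %r" % version_line)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    return (major, minor, patch) == (1, 0, 1) and m.group(4) <= "f"

def stale_libssl_pids(maps_by_pid):
    """Step 2 pitfall: after the package upgrade, daemons that were not restarted
    still run the old library. Given {pid: contents of /proc/<pid>/maps}, return
    the PIDs whose mapped libssl has been replaced on disk ('(deleted)')."""
    stale = []
    for pid, maps in maps_by_pid.items():
        for line in maps.splitlines():
            if "libssl.so" in line and line.rstrip().endswith("(deleted)"):
                stale.append(pid)
                break
    return sorted(stale)

# Constructed sample /proc/<pid>/maps excerpts (not captured from a real host).
SAMPLE_MAPS = {
    1234: "7f1c2a000000-7f1c2a060000 r-xp 00000000 08:01 393 /usr/lib/libssl.so.1.0.0 (deleted)\n",
    1235: "7f1c2b000000-7f1c2b060000 r-xp 00000000 08:01 401 /usr/lib/libssl.so.1.0.0\n",
}
```

On a live Linux host the maps dict would be filled by reading /proc/<pid>/maps for each PID; the sample above stands in for that so the check runs offline.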

Posted in Security, Technology

7 Quick Tips for Cisco Live Attendees

It’s only a few weeks until Cisco Live US! Since this will be my fourth experience with Cisco Live, I am considered a NetVet. Each year there are many first-time attendees. With that in mind, I wanted to share a handful of tips that might help these Cisco Live first timers enjoy their visit to San Francisco.

Quick Tips For Cisco Live 2014

1. Wear comfortable shoes–

Convention centers with the ability to handle more than 20,000 visitors tend to be huge and spread out. Those attending Cisco Live often report walking 20 to 30 miles. That’s quite a bit of walking. Quality shoes will increase the comfort (or decrease the pain) when moving between sessions and exploring the World of Solutions.

2. Bring a jacket–

This recommendation is specific to this year’s venue. Last year Cisco Live US was in Orlando and everyone needed a personal air conditioner. San Francisco is much different. Even though it is California, it is Northern California. Additionally, the cool Pacific Ocean tends to influence the temperatures. In some places, it seems more common than not to need a jacket. I plan to pack one and be prepared for outdoor events like the Customer Appreciation Event.

3. Leave sessions that don’t fit–

The technical sessions at Cisco Live are awesome. In many cases the presenter will be a senior developer, author of a related book or a representative with one or more standards bodies. But let’s face it, sometimes a given session doesn’t jibe with everyone. If you aren’t connecting and feel compelled to leave the session, do so discreetly. If the session isn’t delivering value, there are plenty of other opportunities to learn. Alternatively, a short break might help your mind prepare itself for the next session.

Posted in Certification, Events, General, Technology

Podcast Spotlight — The Class-C Block


This podcast spotlight goes to The Class-C Block. I am a little embarrassed to admit it, but I just stumbled onto this podcast a couple of months ago. Although this show is infrequent in comparison to other similar podcasts, it is very well done and informative. Listeners who enjoy deep, technical discussions around networking, design and programmability will certainly enjoy this podcast.

Recent episodes have focused on topics like VMware NSX, Cisco Nexus 9000, OpenDaylight and a lot of SDN.


Disclaimer: I have no affiliation with The Class-C Block show or any organization linked to,  represented in or derived from content found in this article.


Posted in Blogroll, Network, Technology

The Advantage Tail-f Has Developing NCS

There wasn’t a single Networking Field Day 7 session that didn’t at least touch on software defined networking or SDN. Tail-f was the first vendor who presented and told us about a network management product that could play a significant role in a Software Defined Network.

The product of focus was NCS, or Network Control System. It is an orchestration system for the network. Think of NCS as a CLI that can control the network as a whole. Moreover, it can present the entire network with a Cisco or Juniper style interface regardless of which underlying hardware vendor is utilized. This product also offers a web interface and supports various northbound and southbound APIs.

Anyone that has attempted to build such a solution understands that there are several challenges. There are different protocols and syntax used for configuration. When looking at something like a Cisco CLI, it is quickly obvious that the command syntax is only loosely structured. The syntax also changes over time and often without warning. This is where Tail-f has a unique advantage.

The Tail-f Advantage

So what exactly is Tail-f’s advantage? The Tail-f advantage in this realm is their inside knowledge of popular management interfaces. Their inside track is a result of their other product which is known as ConfD. This product is customized and sold to many major vendors to be used as the management interface for their network devices. During the introduction, Carl Moberg made the following statement when speaking of ConfD–

If or when you log into ‘kind of’ next generation or current generation hardware from some of the very large vendors, you will wind up in Tail-f software.

This statement can be heard about 2:22 into the introductory presentation below.

Posted in Blogroll, Events, Technology

My Python Student

Paizley Programming

So I know what everyone is thinking–Paul is teaching programming, yeah right…

Well I am sort of being a facilitator. The truth is I have a very special student, my 11 year old daughter. The broader story is that she has expressed interest in the stuff that I do for a while. Believing that a programming language might be more interesting to a pre-teen than configuring a router, I thought Python would be a perfect choice. I am the first person to admit that I’m an absolute n00b when it comes to this language. Fortunately it is fairly intuitive. Beyond that, there are some pretty good resources available.

So basically I showed her three things–the Learn Python the Hard Way site, how to use TextWrangler on a Mac, and how to use the terminal to execute the scripts. I then worked through the first couple of examples with her. To my delight, she kept going. I even got a call on my way to work yesterday requesting help troubleshooting an issue. I didn’t give the answer, but nudged her in the right direction. When I returned home, she was watching some related content on The Khan Academy.

The question for me is whether she will continue. I fully believe she has the ability to continue learning independently of me. It would be awesome to see her skills supersede my own (and with Python, that probably wouldn’t take that much). She says it’s cool and seems to enjoy it. If nothing else, it is exposing her to new ways of thinking and introducing her to possibilities.

Anyone else out there working with their children on similar projects?

Posted in Career, Technology

Blog Spotlight — Colin McNamara — OpenStack Nerd, CCIE, DevOps Junkie

Monthly Blog Spotlight

I have been a long-time reader of articles written by Colin McNamara. Authoring a blog that bears his name, Colin is working to evangelize the thought processes around DevOps into IT organizations. One of his latest articles called the value of the CCIE into question and probably created concern for anyone who felt like this certification was a golden ticket into all things tech.

This website is just an extension of Colin’s presence in social media. He spends a lot of time on Twitter and his goals are clear. He wants to help people understand that the world of networking is changing in exciting new ways and that the changes should be embraced.

In a recent conversation on Twitter, Colin made the following statement in regards to the work that was being done around SDN, DevOps and OpenStack.

@packetu @SomeClown We are trying to change the world, and address this transition as a community

He then quickly followed up with this comment:

@BobL @packetu @SomeClown 1. change thinking 2. apply concepts. 3. grow beard



Disclaimer–I continually get requests for a list of the blogs, podcasts and people I follow to “keep up” in this industry. As a result, I decided to start publishing some of the blogs I regularly read. Links to other content from PacketU or affiliated social channels should not be thought of as a universal endorsement or indication of independence or neutrality for a given external site. Readers should assess ALL applicable content before proceeding with actions that could adversely affect their environment.

Posted in Blogroll, Technology

Using the Brocade vRouter VPN Capabilities

One of the challenges that must be overcome as servers are migrated to a cloud service provider is the ability to continue to reach all servers and securely communicate with them for various administrative and data transfer needs. NAT can provide a limited way to access hosts in this arrangement and may be sufficient for customer access. However, there is often the possibility of other communications requirements between on-premise hosts and the servers that are now located in the cloud. This article examines the use of the Brocade vRouter in a VPN configuration to address this challenge.

The Challenge

The customer, whom we will call ACME, has decided to migrate the server workload to a cloud service provider. This type of environment is typically known as IaaS (Infrastructure as a Service). ACME will need access to the private IP addresses of its cloud servers from on-premise workstations. The communication also needs to be universally encrypted for secure transport.

The Proposal

The proposed solution is to implement a VPN to the Brocade Vyatta vRouter from an existing on-premise appliance (a Cisco ASA in this example).


Vyatta to ASA

The configuration relevant to VPN for both the Brocade Vyatta vRouter and the ASA can be found below.

Brocade vRouter Configuration

Posted in Events, Network, Security, Technology

Salman Khan to Deliver Closing Keynote at Cisco Live

I heard it on good authority today that Salman Khan will be delivering the closing keynote at Cisco Live. Sal Khan started a non-profit educational organization known as The Khan Academy that utilizes the web as a teaching and delivery tool. The primary goal of the organization is to provide a free, high-quality education to “anyone, anywhere” in the world.

Mr. Khan also authored a book called The One World Schoolhouse: Education Reimagined that outlines his goal for a universally accessible world-class education. This keynote follows other recent closing day performances featuring the personalities of Sir Richard Branson (2013) and Adam and Jamie from Mythbusters (2012).

When the announcement is posted on Cisco’s web site, I’ll link to it here. Stay tuned for other Cisco Live related announcements.


Posted in Cisco Live, Events, Technology

Just What Is LiveAction?

One of the vendors who presented for Networking Field Day 7 was a company formerly known as ActionPacked. This company was recently rebranded to LiveAction and the name is reflected in their product. LiveAction aims to be a QoS implementation and networking quality tool that fits into a Cisco environment. While there are some videos that were produced and recorded at NFD7, I think the shorter video below may actually bring network administrators and engineers up to speed on many of the relevant details of their offering.

Networking Field Day 7 Links

Posted in Blogroll, Events, Technology

7 Things I Learned at Networking Field Day 7

As many PacketU readers know, I spent this week in San Jose, CA as a Networking Field Day 7 delegate. For those who are unfamiliar with Networking Field Day, it is a well-run GestaltIT event that is funded by vendor sponsorship. In turn, this sponsorship provides technology vendors with an opportunity to discuss their products and ideas with a body of delegates composed of technology leaders, bloggers and practitioners.

While attending presentations, I formed a mind-boggling amount of thoughts about the vendors, their products, and the direction of the industry in general. Over the next few weeks I plan to share some of those thoughts. Today, as I sit in my hotel room, I think about some very high level, general and personal things that I’ve learned this week. These thoughts have little to do with any particular vendor. However, I wanted to take the time to capture and share them with others.

What I Learned

1–There will be a lot of change in the next few years

Posted in Career, Events, Technology