ASA – TCP Ping

In Cisco ASA version 8.4(1) a great new troubleshooting tool was introduced: TCP Ping. It does what you think it does: it sends a TCP SYN to an IP address on a specified destination port to verify bi-directional TCP connectivity from an ASA interface. If the ASA receives a TCP SYN-ACK, the ping is displayed as successful.

This is great for testing connectivity to web servers in DMZs or in security zones that you, as an engineer, can’t test any other way from the ASA.

The command syntax is as follows:

ping tcp INTERFACE DST_IP DST_PORT [repeat|source|timeout]

A successful TCP ping with the basic options should look similar to the output below:

ASA# ping tcp inside 443    
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to port 443
from, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Add this command to your engineering toolbox to quickly verify that services are operational and working. Remember, I haven’t specified a source IP in my example above, but you can use the real IP address of a test client. When the ASA receives a packet back from the web server destined for the test client, the ASA will discard the packet instead of transmitting it to the client.

