In Cisco ASA version 8.4(1) a great new troubleshooting tool was introduced; TCP Ping. It basically does what you think it does, it sends a TCP SYN to a IP Address on a specified destination port to verify bi-directional TCP connectivity from an ASA interface. If the ASA receives a TCP SYN-ACK it will display as a successful ping.
This is great for testing connectivity to web servers in DMZ’s or in security zones you as an engineer can’t test any other way from the ASA.
The command syntax is as follows:
ping tcp INTERFACE DST_IP DST_PORT [repeat|source|timeout]
A successful TCP ping should be similar to below with the basic options:
ASA# ping tcp inside 10.10.142.7 443 Type escape sequence to abort. No source specified. Pinging from identity interface. Sending 5 TCP SYN requests to 10.10.142.7 port 443 from 172.16.255.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Add this command to your engineering toolbox to quickly identify services are operational and working. Remember I haven’t specified a source IP in my example above but you can use a real IP Address of a test client, when the ASA receives a packet back from the web server destined for the test client the ASA will discard the packet instead of transmitting to the client.