Cisco ASA Ping TCP troubleshooting command

Cisco ASA Ping TCP troubleshooting command

We’ve all used ping to test basic connectivity and we all know that command sends ICMP packets and waits for replies. On Cisco ASA’s you can also use an enhanced version of this command to send any TCP packet instead of just ICMP.

This is awesome for troubleshooting purposes and verifying remote services/ports are up, running and reachable.

It’s also a great trick to force traffic over a VPN connection to bring a tunnel up from the ASA!

Let’s assume for this example you are on a Cisco ASA called ASA1. This firewall has a site to site VPN to Azure for example, where your companies RDS infrastructure is housed and we want to test to make sure RDP traffic in particular is not being blocked.

For this example, the RDP server is at Your on-prem network (the LAN side of the tunnel) is

ASA1# ping tcp
Interface: inside
Target IP address:
Destination port: 3389
Specify source? [n]: y
Source IP address: <–ANY IP on the inside network
Source port: [0] 1000 <—Any source port you want
Repeat count: [5]
Timeout in seconds: [2]
type escape sequence to abort.

Sending 5 TCP SYN requests to port 3389 from starting port 1000, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 25/25/25 ms

Leave a Reply

Your email address will not be published. Required fields are marked *