https://community.cisco.com/t5/network-security/acl-hit-counts/m-p/2084756#M395901 <HTML><HEAD></HEAD><BODY><P>The crypto ACl will only show hitcount when it initiates the VPN tunnel. If the tunnel is initiated from the branch office, hitcount will increase on the branch office, not on the Data Center.</P><P></P><P>Here is the command for your reference:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/c5.html#wp2271080">http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/c5.html#wp2271080</A></P><P></P><P>The DAP-ip-user-xxxx is the Dynamic Access Policy can get created automatically depending on the policy configured on the ASA when the host connects.</P><P></P><P>Hope that helps.</P></BODY></HTML> Thu, 08 Nov 2012 12:42:07 GMT Jennifer Halim 2012-11-08T12:42:07Z https://community.cisco.com/t5/network-security/acl-hit-counts/m-p/2084755#M395871 <DIV><DIV><DIV><P></P><P><A _jive_internal="true" href="https://community.cisco.com/message/3778979#3778979" target="_blank">ACL hit counts</A></P></DIV></DIV><DIV><DIV><P>Hi,</P><P></P><P>I jsut needed to clarify something, i have a data Center &amp; branch Office connected to each other through IPSec VPN. I also have SSL-VPn configured on the firewall in my data center, the same firewall on which the IPSec VPn from my branch offfice terminates.</P><P></P><P>I retrieved some ACL logs from the ASA in the data center and all the hit counts shon are zero even when the connection is established and my branch office users are able to access all resources.</P><P></P><P>e.g. access-list<STRONG> CRYPTO_XXXXX </STRONG>line 8 extended permit ip x.x.x.x 255.255.0.0 y.y.y.y 255.255.255.0 (hitcnt=0) 0x8142efc9</P><P></P><P>All the ACL are like this where y.y.y.y is the branch office subnet</P><P>I also have another ACL which poped up on my SSL VPN ACL as shown below</P><P></P><P>e.g. access-list <STRONG>DAP-ip-user-906E4E06 </STRONG>line 1 extended permit ip x.x.x.x 255.255.255.0 host y.y.y.y (hitcnt=22162) 0x440bdd04</P><P>access-list <STRONG>SSLVPN-CORP-ACL </STRONG>line 1 extended permit ip x.x.x.x 255.255.255.0 host y.y.y.y(hitcnt=0) 0xc9d27468</P><P></P><P>can anyone tell me why is my hit count is zero for both CRYPTO ACL and the SSLVPN-CORP-ACL even when the connection is established?</P><P>Second, what is <STRONG>DAP-ip-user-906E4E06? </STRONG>why is it showing such?</P><P style="min-height: 8pt; height: 8pt;"><STRONG> </STRONG></P><P><STRONG>Thanks a lot in advance.</STRONG></P><P style="min-height: 8pt; height: 8pt;"><STRONG> </STRONG></P><P style="min-height: 8pt; height: 8pt;"><STRONG> </STRONG></P><P style="min-height: 8pt; height: 8pt;"><STRONG> </STRONG></P></DIV></DIV></DIV> Tue, 12 Mar 2019 00:20:33 GMT https://community.cisco.com/t5/network-security/acl-hit-counts/m-p/2084755#M395871 Suresh Varghese 2019-03-12T00:20:33Z https://community.cisco.com/t5/network-security/acl-hit-counts/m-p/2084756#M395901 <HTML><HEAD></HEAD><BODY><P>The crypto ACl will only show hitcount when it initiates the VPN tunnel. If the tunnel is initiated from the branch office, hitcount will increase on the branch office, not on the Data Center.</P><P></P><P>Here is the command for your reference:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/c5.html#wp2271080">http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/c5.html#wp2271080</A></P><P></P><P>The DAP-ip-user-xxxx is the Dynamic Access Policy can get created automatically depending on the policy configured on the ASA when the host connects.</P><P></P><P>Hope that helps.</P></BODY></HTML> Thu, 08 Nov 2012 12:42:07 GMT https://community.cisco.com/t5/network-security/acl-hit-counts/m-p/2084756#M395901 Jennifer Halim 2012-11-08T12:42:07Z https://community.cisco.com/t5/network-security/acl-hit-counts/m-p/2084757#M395903 <HTML><HEAD></HEAD><BODY><P> Hi Jennifer,</P><P></P><P>many thanks for the response.</P><P></P><P>I totally agree regarding the traffic initiation and hit count. I have totally 5 branch office and the same traffic initiation test when i try on the other branch offices, i can see the increase on their respective firewalls.</P><P></P><P>Any idea what might be wrong with the fiorst branch and why the hitcount does not increase.</P><P></P><P>The DAP policies were created 2-3 years back and i havent seen any such logs so far, i think this is the first time.</P><P>I have used RSA appliance for authenticating the users and remember enabling RADIUS on it. Will it cause of that.</P><P></P><P>regards</P></BODY></HTML> Thu, 08 Nov 2012 13:03:22 GMT https://community.cisco.com/t5/network-security/acl-hit-counts/m-p/2084757#M395903 Suresh Varghese 2012-11-08T13:03:22Z