https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697168#M556539 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I depends on purpose of ACL.</P><P>If is used for NAT, then no hits will show.</P><P></P><P>HTH</P><P></P><P>Pavel</P></BODY></HTML> Thu, 05 May 2011 06:37:39 GMT Pavel Pokorny 2011-05-05T06:37:39Z https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697167#M556538 <P>Hello everyone:</P><P>Has anyone seen an ASA not record hit against an ACL? I have two 5520s in a Primary/Secondary configuration, versions 8.4(1) and ASDM 6.4(1). There are several ACLs that are all recording zero hits but I know for a fact that those are what are matching for them to get out.</P><P></P><P>Any thoughts would be appreciated!</P><P></P><P>Thanks,</P><P>Mike</P> Mon, 11 Mar 2019 20:29:25 GMT https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697167#M556538 Michael All 2019-03-11T20:29:25Z https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697168#M556539 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I depends on purpose of ACL.</P><P>If is used for NAT, then no hits will show.</P><P></P><P>HTH</P><P></P><P>Pavel</P></BODY></HTML> Thu, 05 May 2011 06:37:39 GMT https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697168#M556539 Pavel Pokorny 2011-05-05T06:37:39Z https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697169#M556541 <HTML><HEAD></HEAD><BODY><P>Thanks for the response Pavel, but these are not being used to define a NAT. Any other situations that could reflect this?</P><P></P><P>Mike</P></BODY></HTML> Thu, 05 May 2011 14:51:47 GMT https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697169#M556541 Michael All 2011-05-05T14:51:47Z https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697170#M556543 <HTML><HEAD></HEAD><BODY><P>Michael,</P><P></P><P>Are those ACL's poiting to the translated or to the realIP address?</P><P></P><P>Mike</P></BODY></HTML> Thu, 05 May 2011 18:58:20 GMT https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697170#M556543 Maykol Rojas 2011-05-05T18:58:20Z https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697171#M556545 <HTML><HEAD></HEAD><BODY><P>Hi Micheal,</P><P></P><P>Could you verify if you are able to see the hit count from the CLI, by doing "show access-list". This could be an issue with the ASDM itself, it may not able to calculate the MD5 hash value for the ACL.</P><P>Could youm also tell me if those particular ACL's contain any network object for protocol???</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Thu, 05 May 2011 19:06:26 GMT https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697171#M556545 varrao 2011-05-05T19:06:26Z https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697172#M556546 <HTML><HEAD></HEAD><BODY><P>Hi Mike,</P><P></P><P>Can you put the ACL here and tell me purpose?</P><P>If there are any groups (networks, services) please decode them.</P><P></P><P></P><P>Thanks</P><P></P><P>Pavel</P></BODY></HTML> Fri, 06 May 2011 06:16:49 GMT https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697172#M556546 Pavel Pokorny 2011-05-06T06:16:49Z https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697173#M556547 <HTML><HEAD></HEAD><BODY><P>Pavel,</P><P>One of them is for allowing VPN and SSH connections out:</P><P></P><P><TABLE border="1" cellspacing="0"><TBODY><TR><TD>9</TD><TD>True</TD><TD>172.20.0.0/255.255.0.0</TD><TD>any</TD><TD>VPNAccess<BR />tcp/ssh</TD><TD>Permit</TD><TD>0</TD><TD>Default</TD><TD> </TD><TD>Notes</TD></TR></TBODY></TABLE></P><P></P><P>The "VPNAccess" Service Group is grouping TCP/10000, UDP/4500, UDP/isakmp, and UDP/10000</P></BODY></HTML> Mon, 09 May 2011 15:46:32 GMT https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697173#M556547 Michael All 2011-05-09T15:46:32Z https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697174#M556548 <HTML><HEAD></HEAD><BODY><P>Varun,</P><P>Looks like you might have called it... CLI is showing hits while the ASDM is not. Any thoughts on how to resolve this?</P><P></P><P></P><P>access-list inside_access_in line 18 extended permit object-group DM_INLINE_SERVICE_19 object 172.20.0.0 any 0x6c207492 </P><P>&nbsp; access-list inside_access_in line 18 extended permit udp 172.20.0.0 255.255.0.0 any eq 4500 (hitcnt=118) 0xd4341637 </P><P>&nbsp; access-list inside_access_in line 18 extended permit udp 172.20.0.0 255.255.0.0 any eq isakmp (hitcnt=251) 0xd65313e6 </P><P>&nbsp; access-list inside_access_in line 18 extended permit tcp 172.20.0.0 255.255.0.0 any eq ssh (hitcnt=580) 0x6e035ce4 </P><P>&nbsp; access-list inside_access_in line 18 extended permit tcp 172.20.0.0 255.255.0.0 any eq 10000 (hitcnt=13) 0x2a249aa3 </P><P>&nbsp; access-list inside_access_in line 18 extended permit udp 172.20.0.0 255.255.0.0 any eq 10000 (hitcnt=8) 0xf7e045eb </P><P></P></BODY></HTML> Mon, 09 May 2011 15:52:48 GMT https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697174#M556548 Michael All 2011-05-09T15:52:48Z https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697175#M556549 <HTML><HEAD></HEAD><BODY><P>Micheal,</P><P></P><P>In the ASDM under firewall dashboard, do you see a message for config out of sync? If yes,this might be a known issue withe ASA, my suggestions to you would be to open a TAC case for further investigation on it.</P><P></P><P>Hope this helps.</P><P>Thanks,</P><P>Varun</P></BODY></HTML> Mon, 09 May 2011 17:10:26 GMT https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697175#M556549 varrao 2011-05-09T17:10:26Z https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697176#M556550 <HTML><HEAD></HEAD><BODY><P>Varun,</P><P></P><P>You're probably right.</P><P>I've seen this behaviour under different types os ASA code (8.2.4 ie) and also ASDM (6.3.x).</P><P>So, maybe TAC will help and devel update code of ASDM.</P><P></P><P>Bye</P><P></P><P>Pavel</P></BODY></HTML> Mon, 09 May 2011 17:34:50 GMT https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697176#M556550 Pavel Pokorny 2011-05-09T17:34:50Z https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697177#M556551 <HTML><HEAD></HEAD><BODY><P>Okay, makes sense, I'll open a ticket with Cisco. Thanks for the help guys.</P></BODY></HTML> Mon, 09 May 2011 18:14:54 GMT https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697177#M556551 Michael All 2011-05-09T18:14:54Z https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697178#M556552 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Here is the bug</P><P></P><P><A class="jive-link-external-small" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtl99214">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtl99214</A></P><P></P><P>Cheers.</P><P></P><P>Mike</P></BODY></HTML> Tue, 17 May 2011 20:47:02 GMT https://community.cisco.com/t5/network-security/asa-5520-acl-counters-not-incrementing/m-p/1697178#M556552 Maykol Rojas 2011-05-17T20:47:02Z