topic Re: ASDM may show no ACL hitcounts for active access-lists in Network Security

ASDM may show no ACL hitcounts for active access-lists

zac.quinn — Mon, 11 Mar 2019 18:08:59 GMT

Hi everyone,

I hoping someone may be able to help with a frustrating issue.

We have a pair of ASA's with IPS modules & we are running ASA software 8.3.1 and ASDM 6.3.1. The problem I am seeing is that ASDM is showing a zero hit count for active rules.

Using the log viewer there are hits that should be matching the rules and if I issue the show access-list command for the list the hit counts are incrementing correctly. Also if I disable the rules in the firewall config screen the traffic is then blocked so I know the rule's active but the hit count remains stubbornly '0'.

When I try to view the rule from the syslog viewer line by right clicking and selecting 'Show Access Rule' I get an error message about not being able to find the rule 'The hash code that identifies the rule can not be found'. If I right click the rule on the firewall config page and select 'show log' the filter that's created uses a different hash code to that shown in the CLI for the access list entry. If I search the CLI output for the hash code ASDM uses it doesn't exist.

I there anyway of refreshing the hash codes in ASDM? I've tried clearing the cache and reload ASDM on my PC but to no avail. There are several rules displaying this behaviour and means we have to trawl through hundreds of lines of 'show access-list' output to find any obsolete rules or troubleshoot as we can't rely on the ASDM hit count.

The only references to this I can find on the Cisco website are for CSCsl15055 which is a 'resolved caveat' and only applies to ASDM 6.0.2 which we don't have.

Thanks in advance,

Zac

Re: ASDM may show no ACL hitcounts for active access-lists

Kevin Redmon — Thu, 08 Jul 2010 18:46:31 GMT

Zac,

You may be hitting bug ID CSCtg95077. You can reference the details of this bug here:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Seemingly, this bug should be resolved in 8.3(1)8. Let me know if this is indeed a match and mark this post as answered.

Hope this helps!

Best Regards,

Kevin

Re: ASDM may show no ACL hitcounts for active access-lists

zac.quinn — Fri, 09 Jul 2010 08:18:10 GMT

Many thanks Kevin. It would appear to be a match so lets hope it is fixed in 8.3(1)8.

Zac

Re: ASDM may show no ACL hitcounts for active access-lists

russellmiles64 — Mon, 03 Jan 2011 23:38:46 GMT

I seem to be having the same problem. The bug ID you mentioned claims to be fixed in 8.3(2), which is the ASA version I'm using along with ASDM 6.3(4). Also, I'm seeing many hit counts sitting at zero (that I know should be increasing), but there are just as many that are incrementing as expected. Any ideas? Thanks.

Re: ASDM may show no ACL hitcounts for active access-lists

Jigar Dave — Tue, 04 Jan 2011 02:11:11 GMT

"I seem to be having the same problem. The bug ID you mentioned claims to be fixed in 8.3(2), which is the ASA version I'm using along with ASDM 6.3(4). Also, I'm seeing many hit counts sitting at zero (that I know should be increasing), but there are just as many that are incrementing as expected. Any ideas? Thanks."

Hello Russell,

I have faced similar problem in past, what I did is, I deleted the access line rule for which I am not getting any hit counts, and below to that I created new access rule and enabled logging on that. after rule push, it apprears that I can see hitting counter increment.

can you perform same step and let us know your results?

- Jigar

Re: ASDM may show no ACL hitcounts for active access-lists

zac.quinn — Tue, 04 Jan 2011 09:38:41 GMT

We upgraded to 8.3(2) & ASDM 6.3(3) and the issue was solved. We haven't tried ASDM 6.3(4) so can't comment on that but I have noticed that 6.3(5) is now available

Re: ASDM may show no ACL hitcounts for active access-lists

russellmiles64 — Wed, 05 Jan 2011 22:26:35 GMT

Yes, deleteing and re-creating the rule causes the hit count to function properly.