https://community.cisco.com/t5/network-security/access-list-hit-count/m-p/1113974#M896237 <P>Hi,</P><P>I am having some weird problem. we have configured access list for the applications on ASA outside interface. It is working also but I am not able to see any hit count on the access list. It increases only by one when a new session is initiated from outside world. If we continue to use that application hit count doesnt seem to increase. I checked in the command show conn detail it shows the connection established. </P><P>any related experience please share ?</P><P>Any link on cisco.com</P><P>thanks in advance</P><P>subodh </P> Mon, 11 Mar 2019 13:46:04 GMT bapatsubodh 2019-03-11T13:46:04Z https://community.cisco.com/t5/network-security/access-list-hit-count/m-p/1113974#M896237 <P>Hi,</P><P>I am having some weird problem. we have configured access list for the applications on ASA outside interface. It is working also but I am not able to see any hit count on the access list. It increases only by one when a new session is initiated from outside world. If we continue to use that application hit count doesnt seem to increase. I checked in the command show conn detail it shows the connection established. </P><P>any related experience please share ?</P><P>Any link on cisco.com</P><P>thanks in advance</P><P>subodh </P> Mon, 11 Mar 2019 13:46:04 GMT https://community.cisco.com/t5/network-security/access-list-hit-count/m-p/1113974#M896237 bapatsubodh 2019-03-11T13:46:04Z https://community.cisco.com/t5/network-security/access-list-hit-count/m-p/1113975#M896238 <HTML><HEAD></HEAD><BODY><P>Hi Bapatsubodh,</P><P></P><P>I have often wondered about this and I have come to the conclusion that the count only increments for each new session started. Hence once the session has been established further packets for this session do not increment the counter. If you disconnect the session and start a new one the counter will increment.</P><P></P><P>Does anyone else out there have an alternative explaination?</P><P></P></BODY></HTML> Thu, 18 Sep 2008 11:22:04 GMT https://community.cisco.com/t5/network-security/access-list-hit-count/m-p/1113975#M896238 allissrcco 2008-09-18T11:22:04Z https://community.cisco.com/t5/network-security/access-list-hit-count/m-p/1113976#M896239 <HTML><HEAD></HEAD><BODY><P>When the connection is not established,access list and nat is checked.As soon as connection gets established,these checks are not performed any more.</P><P></P><P>That's why ,you would see a single hitcount.</P><P></P><P></P><P>Here is how pix/asa processes traffic :</P><P></P><P></P><P>1. Recieve Packet.</P><P>2. Existing Connection?</P><P>3. Permit by Inbound ACL on interface?</P><P>4. Match translation rule (nat, static).</P><P>5. NAT embedded IP and perform security checks / randomize sequence number.</P><P>6. NAT IP header.</P><P>7. Pass packet to outgoing interface.</P><P>8. Layer 3 route lookup?</P><P>9. Layer 2 next hop?</P><P>10. Transmit packet. </P><P></P><P></P><P></P><P>So,if there is an existing connection,f/w would transmit...no further checks.</P><P></P><P></P><P>Please rate if helpful.</P><P></P><P></P><P>Regards,</P><P>Sushil</P></BODY></HTML> Thu, 18 Sep 2008 11:41:12 GMT https://community.cisco.com/t5/network-security/access-list-hit-count/m-p/1113976#M896239 suschoud 2008-09-18T11:41:12Z https://community.cisco.com/t5/network-security/access-list-hit-count/m-p/1113977#M896240 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P>Allissrco,</P><P>Thanks for your feedback. This means I am not the only one who has seen this weird begaviour.</P><P>Please post if you have any other feedback</P><P>Thanks</P><P>Subodh Bapat </P></BODY></HTML> Thu, 18 Sep 2008 14:35:12 GMT https://community.cisco.com/t5/network-security/access-list-hit-count/m-p/1113977#M896240 bapatsubodh 2008-09-18T14:35:12Z https://community.cisco.com/t5/network-security/access-list-hit-count/m-p/1113978#M896241 <HTML><HEAD></HEAD><BODY><P>Excelent explanation! </P><P>I tried to find in docs when are hit counts deleted, except when I use clear command. Only during reboot ASA? And during fail over ? Or in any other situation?</P><P></P><P>Thank you!</P><P></P><P>Radim</P></BODY></HTML> Wed, 04 Mar 2009 17:32:46 GMT https://community.cisco.com/t5/network-security/access-list-hit-count/m-p/1113978#M896241 Radim Jurica 2009-03-04T17:32:46Z