07-29-2013 09:38 AM - edited 03-11-2019 07:18 PM
Last week I disabled several rules on our ASA because the rules had 0 hits. Well, one of the rules needed to be re-enabled to allow a department access to an application. It works after re-enabling the rule, but I don't understand why I am not seeing any hits on the rule.
I want to clean up our access rules and I figured I could do away with the ones getting 0 hits. But if that isn't an indicator of whether the rule is in use or not, then what is?
07-29-2013 10:06 AM
Hi,
I don't personally remember any occasion where a hitcount on an ACL would not have been a clear indicator of whether that rule was useful or not.
I am not sure if you are using ASDM; if you are, then there is naturally always the chance that it has something to do with ASDM. Perhaps a bug. For example, I have witnessed VPN counters on the ASDM that were incorrect and completely different compared to what the ASA was telling me on the CLI. Maybe updating the ASDM might be one step.
If you have confirmed these statistics from the CLI then it would seem a lot stranger.
I would imagine that you are talking about interface ACLs here only?
I only mention this because, for example, NAT0-related ACLs never get their hitcount increased even though they are in use all the time. So one idea would be to check if the disabled rule was actually in an ACL that was used for NAT0? As I said, NAT0 ACLs don't get any hitcounts even though they are in use.
I would also suggest you to use the "packet-tracer" command on the CLI to simulate the traffic that should match this ACL rule.
The "packet-tracer" output should both reference this ACL rule if it matches to it (and nothing before that rule) and it should also increase the hitcount for that rule even though no real traffic might have come through the ASA.
Hope this helps
- Jouni
07-29-2013 10:12 AM
Hello Jouni!
Yes it is ASDM that I'm using. So how would I check the amount of hits the access rule receives from the CLI?
07-29-2013 10:16 AM
I went into ASDM, right clicked on the rule, and started the packet trace.
I get green check marks for capture, access-list, and route-lookup. The result is the packet is dropped with info saying:
(sp-security-failed) Slowpath security checks failed
07-29-2013 10:18 AM
Hi,
Well you can go to the CLI and use
This command to show all the ACLs
show access-list
This command to show certain ACL
show access-list
If you have a certain line number for the rule you can use this command for example
show access-list
Where # = number
You can also do these through the ASDM by going to
- Jouni
07-29-2013 10:23 AM
I just figured it out as you posted this haha. Thanks Jouni!
Is it possible that the rule doesn't show any hits because one of the destination IPs doesn't have any? Here is my output from the CLI:
WHQ-ASA-01/pri/act# sh access-list | i 153.69.200.107
access-list inside_access_in line 205 extended permit tcp any range 1 65535 host 153.69.200.107 eq https (hitcnt=735) 0x1053b8b2
WHQ-ASA-01/pri/act# sh access-list | i 153.69.200.110
access-list inside_access_in line 205 extended permit tcp any range 1 65535 host 153.69.200.110 eq https (hitcnt=0) 0x3027e0d8
Those are the two destinations in the rule and only one has hits.
07-29-2013 10:27 AM
Hi,
Notice that both rules are with the same line number of 205
This can only mean that they are part of an ACL rule/line that uses an "object-group" in them. Seems that the destination IP addresses are defined under the "object-group network
This probably means that you have disabled the ACL rule/line at 205 which contains this actual "object-group network
Use the command
show access-list inside_access_in | inc line 205
and check what the "object-group" is that is used in the ACL rule at line 205.
If you want to remove the hosts with 0 hitcount THEN you will have to remove them from inside the "object-group" and NOT disable the whole ACL rule/line (which affects a lot more hosts).
Though you will have to make sure that this "object-group" is not used in any other configuration where removing one host under it might cause problems.
So it's starting to seem like the reason disabling a rule affected some application is that you disabled a single ACL rule that used an "object-group" to define multiple destination IP addresses, while you should have removed the IP addresses (the ones that are not getting a hitcount) from under the "object-group" rather than disabling the whole rule.
- Jouni
07-29-2013 10:36 AM
Here is the rule
WHQ-ASA-01/pri/act# sh access-list | i inside_access_in line 205
access-list inside_access_in line 205 extended permit object https any object-group DM_INLINE_NETWORK_60 0xcfce8697
access-list inside_access_in line 205 extended permit tcp any range 1 65535 host 153.69.200.107 eq https (hitcnt=735) 0x1053b8b2
access-list inside_access_in line 205 extended permit tcp any range 1 65535 host 153.69.200.110 eq https (hitcnt=0) 0x3027e0d8
But I only disabled the rule because it showed a 0 hit count in ASDM, and it still continues to. But from the CLI we can actually see one of the IPs getting hits. So am I correct to think that the rule shows 0 hits in ASDM because there's a host in the rule's destination field not getting any hits?
07-29-2013 10:42 AM
Hi,
I edited the above reply a couple of times when you were probably already replying.
You can use the command
show run object-group id DM_INLINE_NETWORK_60
To view only the configuration related to that "object-group"
According to the above it does contain only 2 host IP addresses so the configuration is probably something like this
object-group network DM_INLINE_NETWORK_60
network-object host 153.69.200.107
network-object host 153.69.200.110
So in this case, if this "object-group" is not used anywhere else, you should be able to remove the IP that is not getting any hitcount with the following commands.
First go under the "object-group" configuration mode then remove the single host address from there.
object-group network DM_INLINE_NETWORK_60
no network-object host 153.69.200.110
After this you should only see that one rule on the line 205 of the ACL.
- Jouni
07-29-2013 10:54 AM
Thanks again Jouni!
I know how to remove the host from the rule - that isn't the issue. I want to know if that host that isn't receiving hits the reason that the entire rule doesn't show hits in ASDM.
So basically if I remove that one address that ends in .110, will ASDM begin to show hits on the rule since the .107 address is getting hits?
07-29-2013 11:01 AM
Hi,
I did a quick test on my own ASA through ASDM
I allowed ICMP from my LAN to 2 different hosts that are configured under an "object-group".
I only sent ICMP to one of the hosts in that "object-group" and the ASDM shows hitcounts for that
On the CLI it shows the following
access-list LAN-IN line 1 extended permit icmp any4 object-group DM_INLINE_NETWORK_1 (hitcnt=2) 0xc22fc6f8
access-list LAN-IN line 1 extended permit icmp any4 host 1.1.1.1 (hitcnt=2) 0x31b7950c
access-list LAN-IN line 1 extended permit icmp any4 host 2.2.2.2 (hitcnt=0) 0xc51d1507
I don't know if it's related to something in your ASDM or software. I personally am running quite new ASDM and ASA software levels at the moment.
- Jouni
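The thread's lesson is that the ACL line ASDM shows is the parent entry, while "show access-list" expands an object-group into one entry per member with its own hitcnt, so a line whose parent reads 0 (or prints no hitcnt at all, as in the 10:36 output) can still carry live traffic through one of its members. The script below is an added example written for this page, not code from the thread or from Cisco: it parses "show access-list" output, groups the expanded entries under their ACL line, classifies each line as rule-unused, partially-used or in-use, and emits the per-host object-group removal that Jouni recommended instead of disabling the whole line. The sample output is constructed from the lines pasted in the thread plus one constructed plain rule (line 206, host 192.0.2.20, hash 0x00000001); SAMPLE_RUN is a constructed "show run" fragment used to demonstrate the check that the group is not referenced elsewhere. The NAT0 caveat from the 10:06 post still applies: a 0 hitcnt on a nat-exempt ACL says nothing, and this script cannot tell those ACLs apart from interface ACLs.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the 'show access-list' output in this thread.
# The parent line carries the object-group (with or without its own hitcnt);
# the expanded entries under it carry one host each with their own hitcnt.
# The line 206 entry (host 192.0.2.20, hash 0x00000001) is constructed.
SAMPLE_OUTPUT = """\
access-list inside_access_in line 205 extended permit object https any object-group DM_INLINE_NETWORK_60 0xcfce8697
access-list inside_access_in line 205 extended permit tcp any range 1 65535 host 153.69.200.107 eq https (hitcnt=735) 0x1053b8b2
access-list inside_access_in line 205 extended permit tcp any range 1 65535 host 153.69.200.110 eq https (hitcnt=0) 0x3027e0d8
access-list inside_access_in line 206 extended permit tcp any host 192.0.2.20 eq ssh (hitcnt=0) 0x00000001
access-list LAN-IN line 1 extended permit icmp any4 object-group DM_INLINE_NETWORK_1 (hitcnt=2) 0xc22fc6f8
access-list LAN-IN line 1 extended permit icmp any4 host 1.1.1.1 (hitcnt=2) 0x31b7950c
access-list LAN-IN line 1 extended permit icmp any4 host 2.2.2.2 (hitcnt=0) 0xc51d1507
"""

# Constructed 'show run' fragment: the group definition plus the one ACL that uses it.
SAMPLE_RUN = """\
object-group network DM_INLINE_NETWORK_60
 network-object host 153.69.200.107
 network-object host 153.69.200.110
access-list inside_access_in extended permit object https any object-group DM_INLINE_NETWORK_60
"""

# hitcnt and the trailing hash are both optional: older output (as in the
# thread) prints the parent object-group line without a hitcnt.
LINE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.*?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?(?: (?P<hash>0x[0-9a-fA-F]+))?$"
)


def _field(pattern, body):
    m = re.search(pattern, body)
    return m.group(1) if m else None


def parse_access_list(text):
    """Turn 'show access-list' output into dicts; non-ACE lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m["body"]
        entries.append({
            "acl": m["acl"],
            "line": int(m["line"]),
            "hits": int(m["hits"]) if m["hits"] is not None else None,
            "group": _field(r"object-group (\S+)", body),   # set on the parent entry only
            "host": _field(r"host (\S+)", body),            # first 'host' keyword (destination here)
        })
    return entries


def summarize(entries):
    """Group expanded ACEs under their (acl, line) and classify each line.

    rule-unused    : the line as a whole has 0 hits (safe candidate for removal)
    partially-used : the line uses an object-group, has hits, but some members
                     sit at 0; disabling the line would break the live members
    in-use         : every entry of the line has hits
    """
    groups = OrderedDict()
    for e in entries:
        groups.setdefault((e["acl"], e["line"]), []).append(e)
    report = OrderedDict()
    for key, items in groups.items():
        parent = next((e for e in items if e["group"]), None)
        members = [e for e in items if e is not parent]
        if parent is not None and parent["hits"] is not None:
            total = parent["hits"]
        else:  # no parent hitcnt printed: fall back to the expanded entries
            total = sum(e["hits"] or 0 for e in members)
        unused = [e["host"] for e in members if not e["hits"] and e["host"]]
        if total == 0:
            status = "rule-unused"
        elif parent is not None and unused:
            status = "partially-used"
        else:
            status = "in-use"
        report[key] = {"status": status, "total": total,
                       "group": parent["group"] if parent else None,
                       "unused_hosts": unused}
    return report


def cleanup_commands(report):
    """Emit the object-group edits for partially-used lines (never a 'no access-list')."""
    cmds = []
    for info in report.values():
        if info["status"] != "partially-used":
            continue
        cmds.append(f"object-group network {info['group']}")
        cmds.extend(f" no network-object host {h}" for h in info["unused_hosts"])
    return cmds


def references(running_config, group_name):
    """Lines of 'show run' that use the group outside its own definition.

    Before editing the group, confirm this list holds only the ACL line you
    expect; any other hit (another ACL, NAT) means the edit has wider effect.
    """
    return [l for l in running_config.splitlines()
            if group_name in l and not l.startswith(f"object-group network {group_name}")]


if __name__ == "__main__":
    rep = summarize(parse_access_list(SAMPLE_OUTPUT))
    for (acl, line), info in rep.items():
        print(f"{acl} line {line}: {info['status']} hits={info['total']} unused={info['unused_hosts']}")
    print("\n".join(cleanup_commands(rep)))
    print(references(SAMPLE_RUN, "DM_INLINE_NETWORK_60"))
```

Run it against a saved "show access-list" and "show run" capture instead of the constructed samples; line 205 comes out partially-used with 735 hits and 153.69.200.110 as the only unused member, which is exactly the case where disabling the whole line took the application down.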