07-11-2011 10:25 AM - edited 03-11-2019 01:57 PM
I've been researching this and have been unable to find documented info. I've been monitoring some ACLs for a client to see what is/isn't needed by watching ACL hit counts. I do have a Primary/Backup cluster environment. What I've found is, for example, my Primary FW shows 50 hits on a particular ACL and then 85 hits on the same ACL on my Secondary FW.
My questions are:
Does the Primary and Secondary FW replicate hit counts?
In my example, does it mean 50 hits on the Primary, and then it somehow went offline and the Secondary took 85 hits?
Sorry if these are basic questions.
Thanks for any help, and if someone can point me to a documented explanation for these it will be much appreciated!!
-Kevin
07-11-2011 10:32 AM
Hi Kevin,
Where do you actually see the hit counts: in ASDM, or in the CLI by doing "show access-list"?
Varun
07-11-2011 10:54 AM
When I do a "show access-list":
access-list xx line xx extended permit tcp host x.x.x.x host x.x.x.x eq x (hitcnt=82)
07-11-2011 11:05 AM
I am not able to understand your reply???
When i do a "show access-list"
access-list xx line xx extended permit tcp host x.x.x.x host x.x.x.x eq x (hitcnt=82)
When you check it on the ASDM, the hit count is 50, and when you check it on the CLI, the hit count on primary is 82, am I right???
Varun
07-11-2011 12:19 PM
Actually I SSH to the "primary" IP address of the suspected FW and do a 'show access-list', grepping for the ACL in question.
Then I SSH to the "standby" IP (my secondary FW) and do the same 'show access-list', grepping for the ACL in question, and this is where the hitcnt differs.
07-12-2011 12:16 AM
Hi Kevin,
Can you try this: from the Primary FW, issue the command "write standby" and then check the statistics on the two. There might be a difference of +/-10, but it should not be a huge difference.
Thanks,
Varun
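An added example, not from the thread or from Cisco, that parses "show access-list" output captured from both failover units and classifies each ACE. It only treats an ACE as unused when both units show zero hits (the standby may have counted traffic while it was active) and flags entries whose counters differ by more than the +/-10 slack mentioned above; the ACL name, addresses, hashes and counts are constructed sample data.

```python
import re

# One ACE line of "show access-list" output; the trailing hitcnt is the field
# compared between the active and standby unit.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.+?) \(hitcnt=(?P<hits>\d+)\)"
)

def parse_hitcounts(output):
    """Map (acl, line, ace_text) -> hitcnt for every ACE line in the output.
    Header lines (element count, name hash) carry no hitcnt and are skipped."""
    counts = {}
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            counts[(m["acl"], int(m["line"]), m["ace"])] = int(m["hits"])
    return counts

def compare_units(active_out, standby_out, tolerance=10):
    """Join both units' counters per ACE and classify each entry:
    'unused' = zero hits on BOTH units, 'divergent' = counters differ by
    more than `tolerance` (re-check after 'write standby'), 'ok' otherwise."""
    active, standby = parse_hitcounts(active_out), parse_hitcounts(standby_out)
    report = []
    for key in sorted(set(active) | set(standby)):
        a, s = active.get(key, 0), standby.get(key, 0)
        if a == 0 and s == 0:
            status = "unused"
        elif abs(a - s) > tolerance:
            status = "divergent"
        else:
            status = "ok"
        report.append({"acl": key[0], "line": key[1], "ace": key[2],
                       "active": a, "standby": s, "total": a + s, "status": status})
    return report

# Constructed sample captures (not real devices); counts mirror the thread.
ACTIVE = """\
access-list outside_in; 3 elements; name hash: 0x11111111
access-list outside_in line 1 extended permit tcp host 203.0.113.10 host 192.0.2.20 eq 443 (hitcnt=50) 0xaaaaaaaa
access-list outside_in line 2 extended permit tcp host 203.0.113.11 host 192.0.2.21 eq 22 (hitcnt=0) 0xbbbbbbbb
access-list outside_in line 3 extended deny ip any any (hitcnt=120) 0xcccccccc
"""
STANDBY = """\
access-list outside_in; 3 elements; name hash: 0x11111111
access-list outside_in line 1 extended permit tcp host 203.0.113.10 host 192.0.2.20 eq 443 (hitcnt=85) 0xaaaaaaaa
access-list outside_in line 2 extended permit tcp host 203.0.113.11 host 192.0.2.21 eq 22 (hitcnt=0) 0xbbbbbbbb
access-list outside_in line 3 extended deny ip any any (hitcnt=7) 0xcccccccc
"""
if __name__ == "__main__":
    for row in compare_units(ACTIVE, STANDBY):
        print(row["status"], row["acl"], row["line"], row["active"], row["standby"], row["total"])
```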