ACL hitcount not real

hobbe
Level 7

Hi

Maybe a stupid question.

ASA v 8.2

What does the ACL hit count count?

I always thought that the ACL hit count counted the number of packets hitting that line in the ACL, however that is not the case.

If I set up an ICMP permit rule, then that will only increment by 1 even if I send 4 packets that hit the line. UDP and TCP seem to do the same.

Does anyone have an explanation for this behaviour?

Is there some way I can make the ACL actually count the packets that hit?

Where can I learn more about this?

Regards

Hobbe

4 Replies

mirober2
Cisco Employee

Hi Hobbe,

The ACL hit count value does show the number of packets that hit that particular rule. However, keep in mind that the ACL is only checked for the first packet of a connection. If the first packet is allowed by the ACL, the ASA understands that all subsequent packets in that same connection will also be allowed so it doesn't check again.

Hope that helps.

-Mike
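To make the behaviour in this reply concrete, here is an added toy model (my own illustration, not Cisco code or the ASA's actual implementation) of a stateful firewall that consults the ACL only for the first packet of a flow and forwards later packets from its connection table; the ACL, addresses and traffic are constructed. It also shows that per-flow packet counts live in the connection table rather than in the ACL counters.

```python
# Constructed ACL for the model: permit ICMP, permit TCP/80, then the implicit deny.
ACL = [
    {"proto": "icmp", "dport": None, "action": "permit"},
    {"proto": "tcp", "dport": 80, "action": "permit"},
]


class StatefulFirewall:
    def __init__(self, acl):
        self.acl = acl
        self.hitcnt = [0] * len(acl)  # per-line counter, like hitcnt= in 'show access-list'
        self.conns = {}               # connection table: flow key -> packets seen

    @staticmethod
    def flow_key(pkt):
        # ICMP has no ports, so key an echo session on endpoints plus its ICMP id
        if pkt["proto"] == "icmp":
            return ("icmp", pkt["src"], pkt["dst"], pkt["icmp_id"])
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def process(self, pkt):
        key = self.flow_key(pkt)
        if key in self.conns:         # known flow: forwarded from the conn table, no ACL lookup
            self.conns[key] += 1
            return "permit"
        for i, rule in enumerate(self.acl):   # first packet of a flow: walk the ACL
            if rule["proto"] == pkt["proto"] and rule["dport"] in (None, pkt.get("dport")):
                self.hitcnt[i] += 1   # this is the only time the hit count moves
                if rule["action"] == "permit":
                    self.conns[key] = 1
                return rule["action"]
        return "deny"                 # implicit deny; no conn entry, so each packet is re-checked


def run_demo():
    fw = StatefulFirewall(ACL)
    # Constructed traffic: 4 pings in one echo session, 3 packets of one HTTP
    # connection and 2 packets of an SSH attempt that no rule permits.
    host = "10.0.0.5"
    pkts = [{"proto": "icmp", "src": host, "dst": "192.0.2.10", "icmp_id": 1}] * 4
    pkts += [{"proto": "tcp", "src": host, "sport": 40001, "dst": "192.0.2.10", "dport": 80}] * 3
    pkts += [{"proto": "tcp", "src": host, "sport": 40002, "dst": "192.0.2.10", "dport": 22}] * 2
    verdicts = [fw.process(p) for p in pkts]
    # Per-flow counts from the conn table answer "how many packets from host X" for permitted traffic
    host_packets = sum(n for key, n in fw.conns.items() if key[1] == host)
    return {"hitcnt": fw.hitcnt, "verdicts": verdicts,
            "flow_packets": list(fw.conns.values()), "host_packets": host_packets}


if __name__ == "__main__":
    print(run_demo())  # hitcnt stays [1, 1] although 7 packets were permitted
```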

You are (of course) correct! Thanks for reminding me.

And I understand that if I want to know the exact number of bytes I can get that from the syslog message when it closes the connection, though.

However, that said, is there any way I can find out how many packets from a specific host are transported through the firewall, or are actually hitting or leaving a specific interface?

(without using the capture command)

What I need to do is compare traffic entering one interface on one firewall with traffic exiting on another firewall (VPN in between), and I need to do that on a per-packet level.

i.e.

Starting now until +10 sec, how many packets have been received from host A ingress on firewall A interface 1, and how many packets from host A are sent out egress on firewall B interface 1?

Does anyone have an answer to that?

Regards

Hobbe

Since you are running 8.2, have you considered configuring Netflow? This is assuming that you have a Netflow collection server.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html#wpmkr1111173

Hi Hobbe,

Is there a reason you don't want to use the capture command for this? That is probably the best way to do it from the firewall's CLI.

You also mentioned there is a VPN in between. If this is the only traffic traversing the tunnel, you could look at the output of 'show crypto ipsec sa' and find the SA for the traffic you want to measure. This will give you a counter for the number of packets encrypted and decrypted across the tunnel.

Hope that helps.

-Mike
