cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6841
Views
0
Helpful
11
Replies

ASA 5520 ACL Counters not Incrementing

Michael All
Level 1
Level 1

Hello everyone:

Has anyone seen an ASA not record hit against an ACL? I have two 5520s in a Primary/Secondary configuration, versions 8.4(1) and ASDM 6.4(1). There are several ACLs that are all recording zero hits but I know for a fact that those are what are matching for them to get out.

Any thoughts would be appreciated!

Thanks,

Mike

1 Accepted Solution

Accepted Solutions

varrao
Level 10
Level 10

Hi Micheal,

Could you verify if you are able to see the hit count from the CLI, by doing "show access-list". This could be an issue with the ASDM itself, it may not able to calculate the MD5 hash value for the ACL.

Could youm also tell me if those particular ACL's contain any network object for protocol???

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

11 Replies 11

Pavel Pokorny
Level 1
Level 1

Hi,

I depends on purpose of ACL.

If is used for NAT, then no hits will show.

HTH

Pavel

Thanks for the response Pavel, but these are not being used to define a NAT. Any other situations that could reflect this?

Mike

Michael,

Are those ACL's poiting to the translated or to the realIP address?

Mike

Mike

Hi Mike,

Can you put the ACL here and tell me purpose?

If there are any groups (networks, services) please decode them.

Thanks

Pavel

Pavel,

One of them is for allowing VPN and SSH connections out:

9True172.20.0.0/255.255.0.0anyVPNAccess
tcp/ssh
Permit0Default Notes

The "VPNAccess" Service Group is grouping TCP/10000, UDP/4500, UDP/isakmp, and UDP/10000

varrao
Level 10
Level 10

Hi Micheal,

Could you verify if you are able to see the hit count from the CLI, by doing "show access-list". This could be an issue with the ASDM itself, it may not able to calculate the MD5 hash value for the ACL.

Could youm also tell me if those particular ACL's contain any network object for protocol???

Thanks,

Varun

Thanks,
Varun Rao

Varun,

Looks like you might have called it... CLI is showing hits while the ASDM is not. Any thoughts on how to resolve this?

access-list inside_access_in line 18 extended permit object-group DM_INLINE_SERVICE_19 object 172.20.0.0 any 0x6c207492

  access-list inside_access_in line 18 extended permit udp 172.20.0.0 255.255.0.0 any eq 4500 (hitcnt=118) 0xd4341637

  access-list inside_access_in line 18 extended permit udp 172.20.0.0 255.255.0.0 any eq isakmp (hitcnt=251) 0xd65313e6

  access-list inside_access_in line 18 extended permit tcp 172.20.0.0 255.255.0.0 any eq ssh (hitcnt=580) 0x6e035ce4

  access-list inside_access_in line 18 extended permit tcp 172.20.0.0 255.255.0.0 any eq 10000 (hitcnt=13) 0x2a249aa3

  access-list inside_access_in line 18 extended permit udp 172.20.0.0 255.255.0.0 any eq 10000 (hitcnt=8) 0xf7e045eb

Micheal,

In the ASDM under firewall dashboard, do you see a message for config out of sync? If yes,this might be a known issue withe ASA, my suggestions to you would be to open a TAC case for further investigation on it.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

Varun,

You're probably right.

I've seen this behaviour under different types os ASA code (8.2.4 ie) and also ASDM (6.3.x).

So, maybe TAC will help and devel update code of ASDM.

Bye

Pavel

Okay, makes sense, I'll open a ticket with Cisco. Thanks for the help guys.

Review Cisco Networking for a $25 gift card