05-04-2011 12:30 PM - edited 03-11-2019 01:29 PM
Hello everyone:
Has anyone seen an ASA not record hit against an ACL? I have two 5520s in a Primary/Secondary configuration, versions 8.4(1) and ASDM 6.4(1). There are several ACLs that are all recording zero hits but I know for a fact that those are what are matching for them to get out.
Any thoughts would be appreciated!
Thanks,
Mike
05-05-2011 12:06 PM
Hi Michael,
Could you verify if you are able to see the hit count from the CLI, by doing "show access-list"? This could be an issue with the ASDM itself; it may not be able to calculate the MD5 hash value for the ACL.
Could you also tell me if those particular ACLs contain any network object for protocol?
Thanks,
Varun
05-04-2011 11:37 PM
Hi,
It depends on the purpose of the ACL.
If it is used for NAT, then no hits will show.
HTH
Pavel
05-05-2011 07:51 AM
Thanks for the response Pavel, but these are not being used to define a NAT. Any other situations that could reflect this?
Mike
05-05-2011 11:58 AM
Michael,
Are those ACLs pointing to the translated or to the real IP address?
Mike
05-05-2011 11:16 PM
Hi Mike,
Can you put the ACL here and tell me its purpose?
If there are any groups (networks, services) please decode them.
Thanks
Pavel
05-09-2011 08:46 AM
Pavel,
One of them is for allowing VPN and SSH connections out:
9 | True | 172.20.0.0/255.255.0.0 | any | VPNAccess tcp/ssh | Permit | 0 | Default | Notes |
The "VPNAccess" Service Group is grouping TCP/10000, UDP/4500, UDP/isakmp, and UDP/10000
05-09-2011 08:52 AM
Varun,
Looks like you might have called it... CLI is showing hits while the ASDM is not. Any thoughts on how to resolve this?
access-list inside_access_in line 18 extended permit object-group DM_INLINE_SERVICE_19 object 172.20.0.0 any 0x6c207492
access-list inside_access_in line 18 extended permit udp 172.20.0.0 255.255.0.0 any eq 4500 (hitcnt=118) 0xd4341637
access-list inside_access_in line 18 extended permit udp 172.20.0.0 255.255.0.0 any eq isakmp (hitcnt=251) 0xd65313e6
access-list inside_access_in line 18 extended permit tcp 172.20.0.0 255.255.0.0 any eq ssh (hitcnt=580) 0x6e035ce4
access-list inside_access_in line 18 extended permit tcp 172.20.0.0 255.255.0.0 any eq 10000 (hitcnt=13) 0x2a249aa3
access-list inside_access_in line 18 extended permit udp 172.20.0.0 255.255.0.0 any eq 10000 (hitcnt=8) 0xf7e045eb
05-09-2011 10:10 AM
Michael,
In the ASDM under the firewall dashboard, do you see a message for config out of sync? If yes, this might be a known issue with the ASA; my suggestion to you would be to open a TAC case for further investigation on it.
Hope this helps.
Thanks,
Varun
05-09-2011 10:34 AM
Varun,
You're probably right.
I've seen this behaviour under different types of ASA code (8.2.4, i.e.) and also ASDM (6.3.x).
So, maybe TAC will help and devel will update the ASDM code.
Bye
Pavel
05-09-2011 11:14 AM
Okay, makes sense, I'll open a ticket with Cisco. Thanks for the help guys.
05-17-2011 01:47 PM
Hi,
Here is the bug
Cheers.
Mike