You are right that only the

matty-boy · ‎02-22-2017

Hi,

I have a pair of ASA5525-X firewalls configured as an active/standby cluster. Single context routed mode.

I recently did an zero downtime IOS upgrade [ from Version 9.5(2) to 9.5(2)5 ] where I reloaded them one at a time to maintain traffic flow through the cluster.

Output of show ver is now:-

###########

MyFirewall up 15 days 21 hours

failover cluster up 217 days 15 hours

###########

So obviously the uptime of each individual FW is only the time since it was last rebooted - 15 days.

The cluster uptime is much longer - 217 days.

So my question is about the ACL hitcnt statistics when you run the show access-list command....

###########

access-list INSIDE-IN line 123 extended permit tcp host x.x.x.x host y.y.y.y eq 80 (hitcnt=456) 0x0ab1c23d

###########

Are these stats since the individual FW was rebooted?

Or are they valid for as long as the cluster has been up?

As the stats differ greatly between the active FW and the standby FW (and the fact that they do not match) I think I've answered my own question and the stats only persist on a per individual FW basis since the last reboot (so the stats are only 15 days old), but I just wanted to run the question past you guys in case there is a way to get longer term stats.

Is there another way to get longer term stats?

Thanks in advance!

Matt.

Rahul Govindan · ‎02-22-2017

You are right that only the active ASA increases the hitcounts. During the zero downtime upgrade, secondary ASA becomes active for a period of time, which might have caused the hitcounts on that unit.

Longer term stats might be obtainable by using periodic SNMP polling, as ASA hitcounts wont stay beyond a reload.

ASA 5525 hitcnt=X << does it persists across cluster reboots?