cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2014
Views
5
Helpful
4
Replies

ASA acl rule hit count no increase for a while, show connection get nothing

zhaochunhong
Beginner
Beginner

We worked on cleanup firewall rules on ASA, some acl rules no hit increased over months and show connection also get none, but when we removed the rules impact and caused incident and found most rules related to ssh. any reason can cause it and what's the cleanup steps besides compare hit count and show connection can avoid the impact?

e.g. our rule: 

access-list PRD-FF_IN line 464 extended permit tcp host 10.1.75.169 host 52.1.88.135 eq ssh log informational interval 300 (hitcnt=1)
1 ACCEPTED SOLUTION

Accepted Solutions

ASA cluster reason, all traffic on other node of Cluster. 

View solution in original post

4 REPLIES 4

Tyson Joachims
Rising star
Rising star

Aside from looking at the ACL hits, you could analyze packet captures. Look at source and destination IP addresses and port numbers. It might be pretty tedious but you would be able to see all the traffic traversing the ASA even if that traffic doesn't show as a hit on any ACL rule. Then once you've identified the traffic that should be allowed, tailor your ACL rules accordingly.

zhaochunhong
Beginner
Beginner

thanks, capture is good idea, more reliable then show connection, the weird is the hit count how come didn't increase 

ASA cluster reason, all traffic on other node of Cluster. 

this command: cluster exec show access-list 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: