01-02-2015 07:57 PM - edited 03-11-2019 10:17 PM
There is tons of stuff out there about failing "show log" windows and ACL hit counts = zero from within the ASDM view of ACLs. A few issues are readily obvious:
1. Need to enable info logging on the ACL itself (edit the ACL from within ASDM).
2. Need to ensure logging is not disabled (no logging message 106100). If this command is in the ASA, it will not log these messages. It's common, if you are using NetFlow, to reduce logging to syslog, and this line will take care of that. And ASDM gives you an option to turn this on, so it's an easy "mistake" to make.
Anyway, enough of the good, and here is the bad. I'm running ASA 9.2.3 and ASDM 7.1.3(101). You'd think that's new enough since it's currently the latest release! :)
When I use the object convention to specify an ACL, such as this:
object network nSNi_LAN
 subnet 192.168.255.0 255.255.255.0
and specify that in an ACL, the hit count doesn't change, and the show log option reveals nothing when activated.
If I instead change the object to an "object group," all works okay. For example, I have to take the above network object and make it a network object group, as follows:
object-group network SNi_LAN
 network-object object nSNi_LAN
Once I do that and put it in the ACL, the hit counts start appearing and the show log option works. This is no error in the config, and it makes it doubly complicated as I have to convert everything to an object group to get this functionality. What's up?
And by the way, saying that I should just use object groups is not the answer, as each object in the object group shows up as an unlabeled item in ASDM, so I feel compelled to label it twice.
Any hints would be great. Anyone else hitting this problem?
thx,
W
01-03-2015 12:48 AM
Hi,
Are you only facing this issue with the objects that are being used in the ACL and not with the object-group?
If yes, can you get this output:
For a specific ACE that is not showing hit counts, collect this output:
1) On the ASA, the show access-list <acl name> output for the ACL which is showing the issue.
2) On the ASDM, right-click on the rule which is not showing the hit counts and select "show log". This will auto-fill a filter which is the HASH value. Collect that for the same ACE as in case 1).
Thanks and Regards,
Vibhor Amrodia
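As an added illustration (not code from this thread or from Cisco), the script below automates the two checks the original post lists (a "log <level>" keyword on the ACE, and no "no logging message 106100" in the running-config) and the hash-matching step TAC asks for: it parses "show access-list" output, pulls each ACE's hit count and trailing hash, and looks that hash up in syslog lines. The sample "show access-list" output, running-config fragment and 106100 syslog line are constructed; their exact layout (indented expansion lines under object-based ACEs, "(hitcnt=N)" followed by the hash, hash codes at the end of 106100) is my assumption about the ASA 9.x format, so adjust the regexes if your box prints differently.

```python
import re

# Constructed sample "show access-list" output (assumed ASA 9.x layout, not from the thread).
# Object/object-group ACEs print a parent line followed by indented expanded lines
# that repeat the parent's hit count and hash.
SAMPLE_SHOW_ACL = """\
access-list outside_in; 3 elements; name hash: 0x2a1b3c4d
access-list outside_in line 1 extended permit tcp object nSNi_LAN any eq https log informational interval 300 (hitcnt=12) 0x9b4f5e6a
  access-list outside_in line 1 extended permit tcp 192.168.255.0 255.255.255.0 any eq https log informational interval 300 (hitcnt=12) 0x9b4f5e6a
access-list outside_in line 2 extended permit udp object-group SNi_LAN any eq domain (hitcnt=0) 0x1c2d3e4f
  access-list outside_in line 2 extended permit udp 192.168.255.0 255.255.255.0 any eq domain (hitcnt=0) 0x1c2d3e4f
access-list outside_in line 3 extended deny ip any any log default (hitcnt=0) 0x7f8e9d0c
"""

# Constructed running-config fragment. "no logging message 106100" is the line the
# thread warns about: it suppresses the per-ACE syslog that ASDM's "show log" filters for.
SAMPLE_RUNNING_CONFIG = """\
logging enable
logging timestamp
no logging message 106100
logging trap informational
"""

# Constructed syslog lines in the shape of message 106100 (hash codes assumed at the end).
SAMPLE_SYSLOG = """\
%ASA-6-106100: access-list outside_in permitted tcp inside/192.168.255.10(51000) -> outside/203.0.113.5(443) hit-cnt 1 first hit [0x9b4f5e6a, 0x0]
%ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.255.10/51000 (192.168.255.10/51000)
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+(?P<body>.+?)"
    r"\s+\(hitcnt=(?P<hits>\d+)\)\s+(?P<hash>0x[0-9a-fA-F]+)\s*$"
)
# "log <level>" turns on 106100 for the ACE; "log disable" and "log default" do not.
LOG_LEVEL_RE = re.compile(r"\blog\b(?!\s+(?:disable|default)\b)")


def parse_aces(show_acl_output):
    """Return one dict per top-level ACE. Indented expansion lines of object-based
    ACEs repeat the parent's hash and hit count, so they are skipped."""
    aces = []
    for raw in show_acl_output.splitlines():
        if not raw or raw[0].isspace():
            continue
        m = ACE_RE.match(raw)
        if not m:
            continue  # "; N elements; name hash:" header or unrelated text
        body = m.group("body")
        aces.append({
            "acl": m.group("acl"),
            "line": int(m.group("line")),
            "body": body,
            "logging": bool(LOG_LEVEL_RE.search(body)),
            "hits": int(m.group("hits")),
            "hash": m.group("hash").lower(),
        })
    return aces


def message_106100_enabled(running_config):
    """False if the config carries 'no logging message 106100' (106100 suppressed box-wide)."""
    return re.search(r"^\s*no logging message 106100\s*$", running_config, re.M) is None


def diagnose(show_acl_output, running_config):
    """List the reasons an ACE would show hitcnt=0 or an empty ASDM 'show log' filter."""
    findings = []
    if not message_106100_enabled(running_config):
        findings.append("global: 'no logging message 106100' is set; 106100 is suppressed for every ACE")
    for ace in parse_aces(show_acl_output):
        where = f"{ace['acl']} line {ace['line']} {ace['hash']}"
        if not ace["logging"]:
            findings.append(f"{where}: ACE has no 'log <level>'; its ASDM 'show log' filter will stay empty")
        if ace["hits"] == 0:
            findings.append(f"{where}: hitcnt=0; the counter is not incrementing")
    return findings


def syslogs_for_ace(ace_hash, syslog_text):
    """Return the 106100 lines whose hash codes contain the ACE hash from 'show access-list'
    (the value ASDM fills into the filter when you pick 'show log' on a rule)."""
    needle = ace_hash.lower()
    return [ln for ln in syslog_text.splitlines()
            if "106100" in ln and needle in ln.lower()]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SHOW_ACL, SAMPLE_RUNNING_CONFIG):
        print(finding)
    print(syslogs_for_ace("0x9b4f5e6a", SAMPLE_SYSLOG))
```

Run it against real output by pasting the captured "show access-list" and "show running-config logging" text into the two sample strings (or reading them from files). An ACE that has "log <level>", a non-zero hitcnt, no global suppression, and still no 106100 lines carrying its hash is the case worth taking to TAC, because the configuration side is then clean.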
01-03-2015 06:45 PM
UPDATE: I reworked all the objects to be object groups. This made things work. Then on a whim, I reconfigured some of the ACE lines in the ACL to use the original _object_, rather than the object group. And now it's working again! I can see hit counts in ASDM, and I can see the log entries when I right-click | show log on an ACE in ASDM. This is kind of weird! Not exactly sure if this is reliable.
UPDATE2 (insanity part 2): after realizing this might actually work with just _objects_ (not object groups), I removed the extraneous object groups from the configuration to get it back to the minimalist config (objects + object groups when necessary). Well, this worked for a while, then for some reason quit working again (both hit counts and show log from right-click ACE in ASDM)!! ASDM had been open for a long time, so I closed and re-opened ASDM. This didn't fix the problem. So I then closed ASDM, rebooted the firewall and re-opened ASDM, and it's now working again - with just the _objects_ configured. This is a bit annoying.
If any TAC guys read this, it might be time to investigate and possibly open a bug! I'm using Java RE 1.7.0.71 (Windows 7 64-bit OS, with both 64- and 32-bit Java RE installed).
01-04-2015 12:28 AM
Hi,
When you say modifying the objects, do you rename the objects?
Can you be a bit more specific about the exact changes that you make on the ASA device or the object configuration.
Thanks and Regards,
Vibhor Amrodia
01-04-2015 12:41 AM
Here is a summary of how I reworked the object and object groups:
1. Had objects + minimal object groups. Noticed the problem.
2. Added an object group for each object in an ACE (so I could use the object).
I then applied the object group to the ACEs (instead of the object). This solved the problem (or so it seemed after I configured object groups in the ACEs).
3. Got more confidence, so I then replaced the object groups with the original objects in the ACEs/ACLs. In doing so I deleted the unnecessary objects to get back to step 1.
Hope that helps. I think this is some sort of ASDM timeout thing where ASDM either gets disconnected or times out after a long period of being open. My current SSH/HTTP timeout = 60 minutes on the ASA. After rebooting the ASA and re-opening ASDM, it seems like the show log and hit counts work again.
Thx for taking a look!
Will