
ASDM hits not being displayed

rishi.sumbal
Level 1

Hi,

We have 2 pairs of FWSM, both have 4.0.8 and ASDM 6.1.5F, both are single routed. In one case, we're able to see the Hits in ASDM, in the other one not.

The only difference I see is that ACL optimization is enabled in one case. Does/did anybody have this effect too?

Thanks and Regards

Rishi

3 Replies

rishi.sumbal
Level 1

One precision: where it doesn't work, we just can't see anything under 'Hits'; it's not grayed out or 0 being displayed.

Rishi

Ganesh Hariharan
VIP Alumni

Hi Rishi,

ACL Optimizer is to minimize the number of ACEs in an ACL. Are you saying you are not seeing any hits in the configured rule base via ASDM? If yes, then in order to view how many packets have moved via a certain ACL, you need to configure the logging message for that rule to informational to see what is passing through the rule.

The number of hits in the rule is dynamically updated depending on the frequency set in the Preferences dialog box. Hit counts are applicable for explicit rules only. No hit count will be displayed for implicit rules in the Access Rules table.

Hope to help

If helpful do rate the post

Ganesh.H

zsumaccs01
Level 1

Hi!

If I clearly understand (my English is not the best), I have the same problem.

Maybe our access-lists are too long, too much. I have 3 contexts, 2 of them show the hitcnt well in ASDM (more less access-lists) and 1 of them worked well, but I just increased the rules, and suddenly it is not being displayed.

I found this:

source: http://www.cisco.com/en/US/products/ps6121/products_tech_note09186a0080aaeff5.shtml

Problem: Unable to view access list hit count entry on ASDM

The Hit Counter of ASDM does not display a value, including zero (0).

Solution

ASDM always sends a request for all ACLs in one HTTP server request string to the FWSM. The FWSM device is unable to handle the super long request to its HTTPS server from the ASDM, runs out of buffer space, and finally drops the request. When you have too many access lists, the request from ASDM to the FWSM becomes too long for the FWSM to process. As a result, it does not get the correct response. This is an expected behavior with the functionality of ASDM and the FWSM. Bugs CSCta01974 (registered customers only) and CSCsz14320 (registered customers only) have been filed to address this behavior with no known workaround. A temporary workaround is to use the CLI to monitor the ACL hits.

There are several other bugs filed to address this issue which are superseded by another bug, CSCsl15055 (registered customers only). This bug shows that the issue is fixed in 6.1(1.54). For the FWSM, the fixed ASDM version is 6.2.1F. The issue has been fixed by tweaking how the ASDM queries the FWSM for the ACL information. Instead of sending one big, long request string that contains all the access list information, the ASDM now splits them into multiple meaningful requests and sends to the FWSM for processing.

Note: The access list hit count entry on the FWSM is supported from version 4.0 onwards.

Sue V.
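
The tech note quoted above gives reading hit counts from the CLI as the interim workaround. As an added example (not part of this thread or of Cisco's note), the Python below parses saved `show access-list` output, lists explicit rules that have never matched, and computes per-rule deltas between two snapshots. It assumes the usual `(hitcnt=N)` suffix on each ACE line; the sample output and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `show access-list` output (not taken from the thread).
SAMPLE = """\
access-list outside_in; 3 elements
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=1523) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp any host 192.0.2.11 eq https (hitcnt=0) 0x5e6f7a8b
access-list outside_in line 3 extended deny ip any any (hitcnt=87) 0x9c0d1e2f
access-list inside_out; 1 elements
access-list inside_out line 1 extended permit ip 10.0.0.0 255.0.0.0 any (hitcnt=40211) 0x0a1b2c3d
"""

# One ACE per line: ACL name, line number, rule text, then the hit counter.
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<rule>.+?)\s+\(hitcnt=(?P<hits>\d+)\)"
)

def parse_hit_counts(text):
    """Return {acl_name: [(line_no, rule_text, hitcnt), ...]}."""
    acls = defaultdict(list)
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if m:  # header lines ("...; 3 elements") carry no hitcnt and are skipped
            acls[m["acl"]].append((int(m["line"]), m["rule"], int(m["hits"])))
    return dict(acls)

def unused_rules(acls):
    """Explicit rules whose counter is still zero."""
    return [(a, n, r) for a, aces in acls.items() for n, r, h in aces if h == 0]

def hit_deltas(before, after):
    """Hits gained per (acl, line) between two snapshots of the same rule base."""
    old = {(a, n): h for a, aces in before.items() for n, _, h in aces}
    deltas = {}
    for a, aces in after.items():
        for n, _, h in aces:
            prev = old.get((a, n), 0)
            # A counter lower than before means it was cleared in between.
            deltas[(a, n)] = h - prev if h >= prev else h
    return deltas

if __name__ == "__main__":
    snapshot = parse_hit_counts(SAMPLE)
    for acl, aces in snapshot.items():
        for line_no, rule, hits in aces:
            print(f"{acl:12} line {line_no:<3} {hits:>8}  {rule}")
    print("never matched:", unused_rules(snapshot))
```

Deltas are keyed by ACL name and line number, so they are only meaningful while no rules were inserted or removed between the two snapshots.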
