07-08-2010 08:38 AM - edited 03-11-2019 11:08 AM
Hi everyone,
I'm hoping someone may be able to help with a frustrating issue.
We have a pair of ASAs with IPS modules & we are running ASA software 8.3.1 and ASDM 6.3.1. The problem I am seeing is that ASDM is showing a zero hit count for active rules.
Using the log viewer there are hits that should be matching the rules and if I issue the show access-list command for the list the hit counts are incrementing correctly. Also if I disable the rules in the firewall config screen the traffic is then blocked so I know the rule's active but the hit count remains stubbornly '0'.
When I try to view the rule from the syslog viewer line by right clicking and selecting 'Show Access Rule' I get an error message about not being able to find the rule 'The hash code that identifies the rule can not be found'. If I right click the rule on the firewall config page and select 'show log' the filter that's created uses a different hash code to that shown in the CLI for the access list entry. If I search the CLI output for the hash code ASDM uses it doesn't exist.
Is there any way of refreshing the hash codes in ASDM? I've tried clearing the cache and reloading ASDM on my PC but to no avail. There are several rules displaying this behaviour and it means we have to trawl through hundreds of lines of 'show access-list' output to find any obsolete rules or troubleshoot as we can't rely on the ASDM hit count.
The only references to this I can find on the Cisco website are for CSCsl15055 which is a 'resolved caveat' and only applies to ASDM 6.0.2 which we don't have.
Thanks in advance,
Zac
07-08-2010 11:46 AM
Zac,
You may be hitting bug ID CSCtg95077. You can reference the details of this bug here:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Seemingly, this bug should be resolved in 8.3(1)8. Let me know if this is indeed a match and mark this post as answered.
Hope this helps!
Best Regards,
Kevin
07-09-2010 01:18 AM
Many thanks Kevin. It would appear to be a match so let's hope it is fixed in 8.3(1)8.
Zac
01-03-2011 03:38 PM
I seem to be having the same problem. The bug ID you mentioned claims to be fixed in 8.3(2), which is the ASA version I'm using along with ASDM 6.3(4). Also, I'm seeing many hit counts sitting at zero (that I know should be increasing), but there are just as many that are incrementing as expected. Any ideas? Thanks.
01-03-2011 06:11 PM
"I seem to be having the same problem. The bug ID you mentioned claims to be fixed in 8.3(2), which is the ASA version I'm using along with ASDM 6.3(4). Also, I'm seeing many hit counts sitting at zero (that I know should be increasing), but there are just as many that are incrementing as expected. Any ideas? Thanks."
Hello Russell,
I have faced a similar problem in the past. What I did was delete the access rule for which I was not getting any hit counts, and below it I created a new access rule and enabled logging on that. After the rule push, it appears that I can see the hit counter increment.
Can you perform the same step and let us know your results?
- Jigar
01-05-2011 02:26 PM
Yes, deleting and re-creating the rule causes the hit count to function properly.
01-04-2011 01:38 AM
We upgraded to 8.3(2) & ASDM 6.3(3) and the issue was solved. We haven't tried ASDM 6.3(4) so can't comment on that but I have noticed that 6.3(5) is now available.