cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3257
Views
0
Helpful
19
Replies

Hits seen in Top 10 Access Rules but not in CLI

saabqmacs
Level 1
Level 1

ASA Version: 8.2(2)

ASDM Version: 6.2(5)

Device Type ASA 5510

I see hits in the "Top 10 Access Rules" but see nothing in the "Access Rules" page and the CLI. Does this look like a bug or am I missing something? Thanks in advance!

Top 10 Access rules show hits. For e.g. Rule 177, 189, and 190.

img1.png

The Access Rules page in ASDM does not show any hits but has "Top 10" marked.

img2.png

The CLI shows no hits for rule 177:

MyASA# show access-list | include 177

access-list outside_access_in line 177 extended permit object-group TCPUDP object-group MyName object-group ActiveDirectoryServers object-group ActiveDirectory 0x0a4449d8

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 389 (hitcnt=0) 0xa44bd570

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 445 (hitcnt=0) 0x4c0d225b

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 88 (hitcnt=0) 0xda11f206

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq domain (hitcnt=0) 0xadb35eeb

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq ntp (hitcnt=0) 0x54e1942c

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 3268 (hitcnt=0) 0x4815484d

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 135 (hitcnt=0) 0x4ee5e504

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 range 1025 1026 (hitcnt=0) 0x78c1a00a

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq www (hitcnt=0) 0x547c7f3f

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 139 (hitcnt=0) 0x675a8434

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 range 49152 49200 (hitcnt=0) 0x041ee127

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq ldap (hitcnt=0) 0xefd4becb

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 445 (hitcnt=0) 0x22c6df99

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 88 (hitcnt=0) 0x6c69d270

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq domain (hitcnt=0) 0x958ad172

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 123 (hitcnt=0) 0x004630da

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 3268 (hitcnt=0) 0x3b13d00e

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 135 (hitcnt=0) 0x98307d89

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 range 1025 1026 (hitcnt=0) 0xd1d12d12

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq www (hitcnt=0) 0x46d6d2ed

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq netbios-ssn (hitcnt=0) 0x20a6e7bf

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 range 49152 49200 (hitcnt=0) 0x15dbf9ad

19 Replies 19

This does sound a lot like a bug, though I have not been able to find any bug reports about it.  If it is an option, try upgrading the ASA and ASDM to a slightly newer version.

--
Please remember to select a correct answer and rate helpful posts

Were you able to upgrade the ASA and ASDM? did this solve the issue?

Please rate any helpful posts.

--
Please remember to select a correct answer and rate helpful posts

https://tools.cisco.com/bugsearch/bug/CSCtj67289/?reffering_site=dumpcr

Please update your ASDM version to 7.1.4

Value our effort and rate the assistance!

Please rate the assistance

Value our effort and rate the assistance!

Do you still require assistance with this ticket?  If not please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts

Help is for free then we need you to rate the assistance.

Value our effort and rate the assistance!

jumora
Level 7
Level 7

Help is for free but we need you to rate the assistance.

Value our effort and rate the assistance!

Hello. My apologies for the delay. I was off work for a few days. Just got back into the office today. Please give me some time to read/research the replies. I will add my ratings.

Bug CSCsl30904 matches up with what I see.

Bug CSCtj67289 does not match up with my issue.

I will install the new ASDM 7.1.4 in the next few days and provide an update.

Bug CSCsl30904 shows Known Fixed Releases: 6.0(3.50) and 6.1(0.35). I am on ASA Version: 8.2(2) and ASDM Version: 6.2(5).

I will upgrade the ASDM version to 7.1.4, but I think this requires an ASA upgrade to truly fix, as I am seeing the same zero counters in the CLI.

Let us know how it goes,

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts

saabqmacs
Level 1
Level 1

This functionality is still broken in ASA 8.3(2) and ASDM 7.1(4). The Access Rules hits are still showing 0, but the Top 10 shows valid hits. The CLI also shows 0 hits.

http://i.imgur.com/aIrBJuB.png

http://i.imgur.com/7WNNGUb.png

access-list outside_access_in line 29 extended permit ip object-group SaabTestASA object-group Q-LAN 0x5cc09292

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.100.0.0 255.255.0.0 (hitcnt=0) 0x688c7eb7

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 172.20.1.0 255.255.255.0 (hitcnt=0) 0x0e1cdb8a

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.40.40.0 255.255.255.0 (hitcnt=0) 0x32c8018e

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.130.0.0 255.255.0.0 (hitcnt=0) 0xdc32b863

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.140.0.0 255.255.0.0 (hitcnt=0) 0x88bbd947

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.150.0.0 255.255.0.0 (hitcnt=0) 0x1c21f374

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 172.16.125.0 255.255.255.0 (hitcnt=0) 0x5cc1b4df

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 130.94.124.0 255.255.255.192 (hitcnt=0) 0xf60a4f68

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.120.0.0 255.255.0.0 (hitcnt=0) 0x9af079b2

saabqmacs
Level 1
Level 1

I will proceed to try 8.4 and 9.1 in th next few days or weeks. Hopefully the newer releases give me better results.

Happy Holidays to everyone!

Review Cisco Networking for a $25 gift card