11-08-2013 08:51 AM - edited 03-11-2019 08:02 PM
ASA Version: 8.2(2)
ASDM Version: 6.2(5)
Device Type: ASA 5510
I see hits in the "Top 10 Access Rules" but see nothing in the "Access Rules" page and the CLI. Does this look like a bug or am I missing something? Thanks in advance!
Top 10 Access Rules show hits, e.g. rules 177, 189, and 190.
The Access Rules page in ASDM does not show any hits but has "Top 10" marked.
The CLI shows no hits for rule 177:
MyASA# show access-list | include 177
access-list outside_access_in line 177 extended permit object-group TCPUDP object-group MyName object-group ActiveDirectoryServers object-group ActiveDirectory 0x0a4449d8
access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 389 (hitcnt=0) 0xa44bd570
access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 445 (hitcnt=0) 0x4c0d225b
access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 88 (hitcnt=0) 0xda11f206
access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq domain (hitcnt=0) 0xadb35eeb
access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq ntp (hitcnt=0) 0x54e1942c
access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 3268 (hitcnt=0) 0x4815484d
access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 135 (hitcnt=0) 0x4ee5e504
access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 range 1025 1026 (hitcnt=0) 0x78c1a00a
access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq www (hitcnt=0) 0x547c7f3f
access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 139 (hitcnt=0) 0x675a8434
access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 range 49152 49200 (hitcnt=0) 0x041ee127
access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq ldap (hitcnt=0) 0xefd4becb
access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 445 (hitcnt=0) 0x22c6df99
access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 88 (hitcnt=0) 0x6c69d270
access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq domain (hitcnt=0) 0x958ad172
access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 123 (hitcnt=0) 0x004630da
access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 3268 (hitcnt=0) 0x3b13d00e
access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 135 (hitcnt=0) 0x98307d89
access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 range 1025 1026 (hitcnt=0) 0xd1d12d12
access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq www (hitcnt=0) 0x46d6d2ed
access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq netbios-ssn (hitcnt=0) 0x20a6e7bf
access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 range 49152 49200 (hitcnt=0) 0x15dbf9ad
12-20-2013 05:34 PM
Please avoid the 8.3 track (that's really buggy).
Let us know the result while being on 8.4 or 9.
If you have any questions, contact me directly at julio17carvajal@hotmail.com.
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-02-2014 03:42 PM
This functionality is still broken in ASA 8.4(7) and ASDM 7.1(4).
# show access-list | include access-list outside_access_in line 29
access-list outside_access_in line 29 extended permit ip object-group SaabTestASA object-group Q-LAN 0x5cc09292
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.100.0.0 255.255.0.0 (hitcnt=0) 0x688c7eb7
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 172.20.1.0 255.255.255.0 (hitcnt=0) 0x0e1cdb8a
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.40.40.0 255.255.255.0 (hitcnt=0) 0x32c8018e
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.130.0.0 255.255.0.0 (hitcnt=0) 0xdc32b863
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.140.0.0 255.255.0.0 (hitcnt=0) 0x88bbd947
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.150.0.0 255.255.0.0 (hitcnt=0) 0x1c21f374
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 172.16.125.0 255.255.255.0 (hitcnt=0) 0x5cc1b4df
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 130.94.124.0 255.255.255.192 (hitcnt=0) 0xf60a4f68
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.120.0.0 255.255.0.0 (hitcnt=0) 0x9af079b2
01-02-2014 03:44 PM
I will try 9.x next week. Hopefully it gives better results.
01-23-2014 02:18 PM
This functionality is still broken in ASA 9.1(3) and ASDM 7.1(5)100. The Top 10 Access Rules shows a hit count, but the Firewall Access Rules still show a 0 hit count (even though the Top 10 is marked in red). The CLI shows the same thing.
(config)# show access-list | include access-list outside_access_in line 29
access-list outside_access_in line 29 extended permit ip object-group SaabTestASA object-group Q-LAN (hitcnt=0) 0x5cc09292
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.100.0.0 255.255.0.0 (hitcnt=0) 0x688c7eb7
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 172.20.1.0 255.255.255.0 (hitcnt=0) 0x0e1cdb8a
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.40.40.0 255.255.255.0 (hitcnt=0) 0x32c8018e
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.130.0.0 255.255.0.0 (hitcnt=0) 0xdc32b863
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.140.0.0 255.255.0.0 (hitcnt=0) 0x88bbd947
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.150.0.0 255.255.0.0 (hitcnt=0) 0x1c21f374
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 172.16.125.0 255.255.255.0 (hitcnt=0) 0x5cc1b4df
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 130.94.124.0 255.255.255.192 (hitcnt=0) 0xf60a4f68
access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.120.0.0 255.255.0.0 (hitcnt=0) 0x9af079b2
01-23-2014 02:22 PM
To sum it up:
I have tested and reproduced this issue in the following releases of ASA and ASDM:
Is there any further testing that can be done, or does this indeed sound like a bug that should be fixed by Cisco?
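To compare the CLI counters against ASDM's Top 10 for a whole ACL rather than one "include" filter at a time, the following added example (not code from any poster in this thread) parses "show access-list" output in the format quoted above and sums hitcnt over each rule's expanded entries. The sample output and the ASDM figures in ASDM_TOP10 are constructed, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Extended ACL entries only, as in the thread's output; other lines are skipped.
HEAD = re.compile(r"^access-list (\S+) line (\d+) extended ")
HITS = re.compile(r"\(hitcnt=(\d+)\)")

# Constructed sample (documentation address ranges, made-up counters and hashes).
SAMPLE = """\
MyASA# show access-list
access-list outside_access_in line 29 extended permit ip object-group GroupA object-group GroupB 0x11111111
access-list outside_access_in line 29 extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 (hitcnt=0) 0x22222222
access-list outside_access_in line 29 extended permit ip 192.0.2.0 255.255.255.0 203.0.113.0 255.255.255.0 (hitcnt=0) 0x33333333
access-list outside_access_in line 30 extended permit tcp any host 198.51.100.10 eq www (hitcnt=42) 0x44444444
access-list outside_access_in line 31 extended permit udp object-group GroupA object-group GroupC eq domain (hitcnt=0) 0x55555555
access-list outside_access_in line 31 extended permit udp 192.0.2.0 255.255.255.0 host 198.51.100.53 eq domain (hitcnt=7) 0x66666666
"""

# Constructed figures, as if read by hand from the ASDM "Top 10 Access Rules" pane.
ASDM_TOP10 = {("outside_access_in", 29): 1500, ("outside_access_in", 30): 42}

def summarize(output):
    """Map (acl, line) -> ACE count, summed ACE hits, and the rule line's own hitcnt."""
    rules = defaultdict(lambda: {"aces": 0, "ace_hits": 0, "parent_hits": None})
    for raw in output.splitlines():
        head = HEAD.match(raw.strip())
        if not head:
            continue  # CLI prompt or any non-ACL line
        key = (head.group(1), int(head.group(2)))
        hit = HITS.search(raw)
        count = int(hit.group(1)) if hit else None
        if "object-group" in raw:
            # Configured rule; its expanded entries follow with the same line number.
            rules[key]["parent_hits"] = count
        else:
            rules[key]["aces"] += 1
            rules[key]["ace_hits"] += count or 0
    return dict(rules)

def mismatches(rules, asdm_top10):
    """Rules where ASDM reports hits but every CLI counter for that line is zero."""
    found = []
    for key, asdm_hits in sorted(asdm_top10.items()):
        cli = rules.get(key, {"ace_hits": 0, "parent_hits": None})
        if asdm_hits > 0 and not cli["ace_hits"] and not cli["parent_hits"]:
            found.append((key, asdm_hits))
    return found
```

Calling mismatches(summarize(SAMPLE), ASDM_TOP10) returns only line 29, the rule whose Top 10 figure has no matching CLI counter.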