
How does a Cisco ASA increment an ACL's hit counts in ACEs using object-groups vs. the expanded ACE entries?

Cody Hartley
Beginner

I have a Cisco ASA 5510 running ASA version 9.1(4) and the following ACE when expanded shows a "0 hit count" ACL line that is expanded to ACEs that have hit counts. Is this a bug???

access-list outside_acl line 1 extended permit object-group OG-SIP_SVCS 1.1.1.1 255.255.255.255 object obj-inside-ip (hitcnt=0) 0x0fb61f6b 
  access-list outside_acl line 1 extended permit tcp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq sip (hitcnt=0) 0x5f1e7341 
  access-list outside_acl line 1 extended permit udp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq sip (hitcnt=3459) 0x80891f5c 
  access-list outside_acl line 1 extended permit tcp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq 5061 (hitcnt=0) 0x16e45ad0 

 

 


Karsten Iwen
VIP Mentor

I would consider that a bug. On my ACLs I often see the hitcount of the first line as the overall hitcount, but sometimes it doesn't match at all. So it's best to only look at the individual ACE-counters.
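
The check the reply recommends, as an added example (not part of the original thread and not Cisco tooling): a parser over `show access-list` output that sums the expanded ACE counters per configured line and flags lines whose own counter disagrees. It assumes expanded ACEs are indented under their configured line, as in the output pasted in the question; `audit_hitcounts` and the report field names are illustrative.

```python
import re

# Constructed sample: the `show access-list` lines quoted in the question.
SAMPLE = """\
access-list outside_acl line 1 extended permit object-group OG-SIP_SVCS 1.1.1.1 255.255.255.255 object obj-inside-ip (hitcnt=0) 0x0fb61f6b
  access-list outside_acl line 1 extended permit tcp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq sip (hitcnt=0) 0x5f1e7341
  access-list outside_acl line 1 extended permit udp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq sip (hitcnt=3459) 0x80891f5c
  access-list outside_acl line 1 extended permit tcp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq 5061 (hitcnt=0) 0x16e45ad0
"""

# Assumption: expanded ACEs are indented under the configured line, as above.
ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) "
    r"(?P<body>.*?)\s*\(hitcnt=(?P<hits>\d+)\)"
)


def audit_hitcounts(text):
    """Compare each configured line's counter with the sum of its expanded ACEs."""
    grouped = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue  # remarks, ACL headers, blank lines
        key = (m["acl"], int(m["line"]))
        entry = grouped.setdefault(key, {"parent": None, "children": []})
        if m["indent"]:
            entry["children"].append((m["body"], int(m["hits"])))
        else:
            entry["parent"] = int(m["hits"])
    report = []
    for (acl, line), entry in sorted(grouped.items()):
        children = entry["children"]
        # A line without object-groups has no expansion; its own counter stands.
        total = sum(h for _, h in children) if children else entry["parent"]
        report.append({
            "acl": acl,
            "line": line,
            "parent_hits": entry["parent"],
            "ace_total": total,
            "mismatch": bool(children) and entry["parent"] != total,
            "unused_aces": [body for body, h in children if h == 0],
        })
    return report


if __name__ == "__main__":
    for row in audit_hitcounts(SAMPLE):
        print(row)
```

When reviewing rules for cleanup, use `ace_total` and `unused_aces` rather than `parent_hits`, so a line like the one above is not mistaken for an unused rule.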
