
Inconsistent ACL hits seen in syslog

Nasos Ergot
Visitor

Hi,

Any idea why traffic destined to port 443 might be bypassing an ACL for that port and hitting an IP any/any ACL that's at the bottom of the list, at least according to syslog?

 

The ACLs:

access-list inside_access_in line 5 extended permit tcp 10.1.0.0 255.255.0.0 any4 object-group DM_INLINE_TCP_6 (https & https) log disable (hitcnt=2951027) 0xb0c12c26

access-list inside_access_in line 24 extended permit ip any4 any4 log informational interval 300 (hitcnt=295888) 0x2bc0c8ca



What I see in syslog:

12-09-2018 15:22:19 Local7.Info 10.1.1.232 %ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.2.91(52106) -> outside-WAN/52.114.76.35(443) hit-cnt 1 first hit [0xb0c12c26, 0x15b7e092]

12-09-2018 15:22:19 Local7.Info 10.1.1.232 %ASA-6-106100: access-list inside_access_in permitted udp inside/10.1.2.7(51150) -> outside-WAN/216.58.206.46(443) hit-cnt 1 first hit [0x2bc0c8ca, 0x00000000]

How reliable is the information coming from syslog?

Accepted Solution

Alex Pfeil
Level 10

The second log showed udp.


12-09-2018 15:22:19 Local7.Info 10.1.1.232 %ASA-6-106100: access-list inside_access_in permitted udp inside/10.1.2.7(51150) -> outside-WAN/216.58.206.46(443) hit-cnt 1 first hit [0x2bc0c8ca, 0x00000000]

Please rate helpful posts.

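To make the point in the accepted answer concrete, here is an added Python example (not code from the thread or from Cisco) that parses the two %ASA-6-106100 lines from the question and walks the two ACEs top-down with first-match semantics, recording why each ACE was skipped or matched. The ACE table is transcribed from the question's show access-list output under two assumptions: any4 is treated as 0.0.0.0/0, and object-group DM_INLINE_TCP_6 is assumed to resolve to TCP/443. The first hex value in the brackets of each log line is the ACE hash printed by show access-list, so the script also checks whether the ACE it expects to match is the one syslog reported.

```python
import re
from ipaddress import ip_address, ip_network

# ACEs transcribed from the question's "show access-list" output. Assumptions:
# any4 is 0.0.0.0/0 and object-group DM_INLINE_TCP_6 resolves to TCP/443.
# "hash" is the ACE hash that appears first inside the brackets of a 106100 message.
ACES = [
    {"line": 5,  "proto": "tcp", "src": "10.1.0.0/16", "dst": "0.0.0.0/0", "dports": {443}, "hash": "0xb0c12c26"},
    {"line": 24, "proto": "ip",  "src": "0.0.0.0/0",   "dst": "0.0.0.0/0", "dports": None,  "hash": "0x2bc0c8ca"},
]

# Sample input: the two syslog lines copied from the question.
SAMPLE_LOGS = [
    "12-09-2018 15:22:19 Local7.Info 10.1.1.232 %ASA-6-106100: access-list inside_access_in permitted tcp "
    "inside/10.1.2.91(52106) -> outside-WAN/52.114.76.35(443) hit-cnt 1 first hit [0xb0c12c26, 0x15b7e092]",
    "12-09-2018 15:22:19 Local7.Info 10.1.1.232 %ASA-6-106100: access-list inside_access_in permitted udp "
    "inside/10.1.2.7(51150) -> outside-WAN/216.58.206.46(443) hit-cnt 1 first hit [0x2bc0c8ca, 0x00000000]",
]

# Fields of a 106100 message: ACL name, action, protocol, src/dst (ifname/ip(port)), and the ACE hash.
LOG_RE = re.compile(
    r"%ASA-6-106100: access-list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"\S+?/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> \S+?/(?P<dip>[\d.]+)\((?P<dport>\d+)\) "
    r"hit-cnt \d+ .*?\[(?P<hash>0x[0-9a-f]+),"
)


def parse_106100(line):
    """Pull the flow 5-tuple and the logged ACE hash out of one %ASA-6-106100 message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def evaluate(flow, aces=ACES):
    """Top-down, first-match walk of the ACL. Returns (matching ACE or None, trace of decisions)."""
    trace = []
    for ace in aces:
        # A protocol-specific ACE never sees a flow of another protocol; "ip" matches any.
        if ace["proto"] != "ip" and ace["proto"] != flow["proto"]:
            trace.append((ace["line"], "skip", f"protocol {flow['proto']} is not {ace['proto']}"))
            continue
        if ip_address(flow["sip"]) not in ip_network(ace["src"]):
            trace.append((ace["line"], "skip", f"source {flow['sip']} not in {ace['src']}"))
            continue
        if ip_address(flow["dip"]) not in ip_network(ace["dst"]):
            trace.append((ace["line"], "skip", f"destination {flow['dip']} not in {ace['dst']}"))
            continue
        if ace["dports"] is not None and flow["dport"] not in ace["dports"]:
            trace.append((ace["line"], "skip", f"port {flow['dport']} not in {sorted(ace['dports'])}"))
            continue
        trace.append((ace["line"], "match", ace["hash"]))
        return ace, trace
    return None, trace


def explain(line, aces=ACES):
    """Explain which ACE a logged flow should have hit and whether syslog's ACE hash agrees."""
    flow = parse_106100(line)
    if flow is None:
        return None
    ace, trace = evaluate(flow, aces)
    return {
        "proto": flow["proto"],
        "dport": flow["dport"],
        "logged_hash": flow["hash"],
        "expected_line": ace["line"] if ace else None,
        "consistent": ace is not None and ace["hash"] == flow["hash"],
        "trace": trace,
    }


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        r = explain(log)
        print(f"{r['proto']}/{r['dport']} -> expected line {r['expected_line']} "
              f"(syslog hash {r['logged_hash']}, consistent={r['consistent']})")
        for step in r["trace"]:
            print("   ", *step)
```

Run as a script, the TCP flow matches line 5 and the UDP flow is skipped at line 5 for the protocol mismatch and lands on line 24; in both cases the hash syslog reported is the hash of the ACE the walk predicts, so the log is consistent with the configuration. The hash is the useful key here: it stays stable when line numbers shift after an ACL edit, so it is what to correlate on in a SIEM. The defender's takeaway from the thread is that a trailing permit ip any4 any4 silently admits every non-TCP flow to 443 (UDP/443 included), which the TCP-only line 5 never evaluates.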

3 Replies


You are absolutely right.

Thanks.

I need glasses.
