Solved: ACL counters issue

Vyacheslav_Maliev · ‎04-03-2012

Hi!

I have 2911 router with 15.0 IOS + security + data. The problem is in ACL hit logging. Even if i applied statement "permit ip any any log" on the interface, counters would not match anything.

Vasileios Bouloukos MSc, ITIL, CCIE · ‎04-03-2012

Hi,

Did you search for the possibiltiy of a bug?

I have involved to a problem with an Access-list that denied all and was solved with a new IOS

https://supportforums.cisco.com/message/3591511#3591511

Hope that helps,

Vasilis

View solution in original post

Edison Ortiz · ‎04-03-2012

Can you provide configs and example of exactly what you are seeing?

Vyacheslav_Maliev · ‎04-03-2012

Yes, here you are:

interface GigabitEthernet0/0

ip address 172.16.1.1 255.255.255.252

ip access-group test_acl in

ip flow ingress

ip flow egress

duplex auto

speed auto

ip access-list extended test_acl

permit ip any any log

i am seeing:

#show interfaces gigabitEthernet 0/0

GigabitEthernet0/0 is up, line protocol is up

Hardware is CN Gigabit Ethernet, address is c471.fec5.89f8 (bia c471.fec5.89f8)

Internet address is 172.16.1.1/30

MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full Duplex, 100Mbps, media type is RJ45

output flow-control is XON, input flow-control is XON

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:10, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 35

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 186000 bits/sec, 10 packets/sec

5 minute output rate 27000 bits/sec, 14 packets/sec

418641389 packets input, 3158351856 bytes, 0 no buffer

Received 69630 broadcasts (0 IP multicasts)

0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog, 66277 multicast, 0 pause input

439197818 packets output, 803260124 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 unknown protocol drops

0 babbles, 0 late collision, 0 deferred

2 lost carrier, 0 no carrier, 0 pause output

0 output buffer failures, 0 output buffers swapped out

#sh ip access-lists

Standard IP access list RADMIN

10 permit 172.16.2.0, wildcard bits 0.0.0.255 (12 matches)

Extended IP access list test_acl

10 permit ip any any log

Edison Ortiz · ‎04-03-2012

Unable to duplicate:

System image file is "flash0:c2900-universalk9-mz.SPA.151-1.T.bin"

ip access-list extended acl-in

permit ip any any log

interface GigabitEthernet0/0

ip address 100.1.13.200 255.255.255.0

ip access-group acl-in in

duplex auto

speed auto

Router#ping 100.1.13.200

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 100.1.13.200, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Router#

%SEC-6-IPACCESSLOGDP: list acl-in permitted icmp 100.1.13.250 -> 100.1.13.200 (0/0), 1 packet

Extended IP access list acl-in

10 permit ip any any log (9 matches)

Vasileios Bouloukos MSc, ITIL, CCIE · ‎04-03-2012

Hi,

Did you search for the possibiltiy of a bug?

I have involved to a problem with an Access-list that denied all and was solved with a new IOS

https://supportforums.cisco.com/message/3591511#3591511

Hope that helps,

Vasilis

Vyacheslav_Maliev · ‎04-04-2012

I am suspecting IP CEF enabled globally

Peter Paluch · ‎04-04-2012

Hi Vyacheslav,

IP CEF is activated globally by default indeed, but on ISR and ISR G2 routers, CEF is purely software-based. Counters on ACLs are not incremented if they are processed in hardware, which should not be the case here.

Best regards,

Peter

ACL counters issue

standard acl issue

Memory issue summary

ACL Issues with denying traffic

Re: Access Control Lists (ACL) Explained

C9500-48Y4C - ACL counters