
ACL counters not incrementing on ISR 4300

Justin Reeve
Level 1

Hi,

I have a Cisco ISR 4300 running isr4300-universalk9.03.13.01.S.154-3.S1-ext.SPA.bin. We can see the counters (pkts output/bytes output) for the class-map incrementing but not in the actual ACL. Is this because you're unable to see matches against ACLs bound to class-maps as per CSCtj33068?

 

MY-ISR#show ip access-lists MULTIMEDIA
Extended IP access list MULTIMEDIA
    10 permit ip 10.58.0.0 0.0.255.255 62.109.192.0 0.0.63.255
    20 permit ip 10.58.0.0 0.0.255.255 64.68.96.0 0.0.31.255
    30 permit ip 10.58.0.0 0.0.255.255 66.114.160.0 0.0.15.255
    40 permit ip 10.58.0.0 0.0.255.255 66.163.32.0 0.0.15.255
    50 permit ip 10.58.0.0 0.0.255.255 66.163.46.0 0.0.1.255
    60 permit ip 10.58.0.0 0.0.255.255 114.29.192.0 0.0.31.255
    70 permit ip 10.58.0.0 0.0.255.255 173.243.0.0 0.0.15.255
    80 permit ip 10.58.0.0 0.0.255.255 208.8.81.0 0.0.0.255
    90 permit ip 10.58.0.0 0.0.255.255 209.197.192.0 0.0.31.255
    100 permit ip 10.58.0.0 0.0.255.255 210.4.192.0 0.0.15.255
    110 permit ip 10.206.58.0 0.0.0.255 62.109.192.0 0.0.63.255
    120 permit ip 10.206.58.0 0.0.0.255 64.68.96.0 0.0.31.255
    130 permit ip 10.206.58.0 0.0.0.255 66.114.160.0 0.0.15.255
    140 permit ip 10.206.58.0 0.0.0.255 66.163.32.0 0.0.15.255
    150 permit ip 10.206.58.0 0.0.0.255 66.163.46.0 0.0.1.255
    160 permit ip 10.206.58.0 0.0.0.255 114.29.192.0 0.0.31.255
    170 permit ip 10.206.58.0 0.0.0.255 173.243.0.0 0.0.15.255
    180 permit ip 10.206.58.0 0.0.0.255 208.8.81.0 0.0.0.255
    190 permit ip 10.206.58.0 0.0.0.255 209.197.192.0 0.0.31.255
    200 permit ip 10.206.58.0 0.0.0.255 210.4.192.0 0.0.15.255

MY-ISR$-map interface gig0/0/0.4094 output class MULTIMEDIA
 GigabitEthernet0/0/0.4094
 
  Service-policy output: CIRCUIT_POLICY


      Match: access-group name MULTIMEDIA
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 176233/94492816

Thanks

J

 

10 Replies

TDF
Level 1

Frustrating isn't it?

I opened a case for this and was provided the following solution which worked for me.

1)      Remove/detach ALL QoS service policies from ALL targets.

2)      Re-apply the counter configuration commands: (regardless, even if they were already run)

             platform qos match-statistics per-filter

             platform qos match-statistics per-ace

3)      Re-attach the QoS service policies.

# show ip access-lists

 

Hope that helps.

(I am back on the forums because the counters for my ACL used for wccp redirect are not working)

-T
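
The three steps in the post above, turned into a change script built from a saved running-config (an added example, not part of the original thread or Cisco's own tooling). It assumes policies are attached only at interface level, so any other targets still have to be handled by hand; the sample config is constructed, and only GigabitEthernet0/0/0.4094 and CIRCUIT_POLICY come from the thread.

```python
import re

# Constructed sample running-config excerpt. Only GigabitEthernet0/0/0.4094 and
# CIRCUIT_POLICY come from the thread; the other names are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/0.4094
 encapsulation dot1Q 4094
 service-policy output CIRCUIT_POLICY
!
interface GigabitEthernet0/0/1
 service-policy input LAN_MARKING
 service-policy output LAN_SHAPER
!
policy-map LAN_SHAPER
 class class-default
  shape average 50000000
  service-policy LAN_QUEUES
!
"""

# Step 2 commands exactly as quoted in the post above.
COUNTER_CMDS = ["platform qos match-statistics per-filter",
                "platform qos match-statistics per-ace"]

def find_attachments(config):
    """Return (interface, direction, policy) for each interface-level service-policy."""
    found, current = [], None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = header.group(1)
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the interface block
        else:
            m = re.match(r"\s+service-policy (input|output) (\S+)", line)
            if m and current:
                found.append((current, m.group(1), m.group(2)))
    return found

def build_change(config):
    """Order the commands as steps 1-3: detach all, re-enter counters, re-attach."""
    att = find_attachments(config)
    detach = [c for i, d, p in att for c in (f"interface {i}", f" no service-policy {d} {p}")]
    attach = [c for i, d, p in att for c in (f"interface {i}", f" service-policy {d} {p}")]
    return ["configure terminal"] + detach + ["exit"] + COUNTER_CMDS + attach + ["end"]
```

Child policies nested inside a policy-map (the `service-policy LAN_QUEUES` line in the sample) are deliberately ignored, since they are not attachments to a target.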

Hi guys,

Did you ever manage to fix this issue? I'm using ACLs for PBR and I also don't see any packets matching the ACL statements; however, the PBR is working fine.

Another issue is that I don't get any console output or logging for "debug ip policy"; it looks like it's not working.

Thanks in advance.

Remi

I still cannot see packet counts. As I understand, since the packet processing now occurs in hardware, the counters are never incremented as they are not flowing through as they used to. I think it was mentioned that you could issue no ip cef temporarily to see the flows but I did not try this. Sorry - no good news here.

- Tony

Thanks Tony, there is sense in what you're mentioning. I will try to open a case with Cisco.

Meantime I tried disabling the cef and no joy on this platform:

wan-rtr1(config)#no ip cef distributed
%Cannot disable CEF on this platform

Regards,

Remi

Rather than disabling CEF globally, try using no ip route-cache cef on the interface for which you want to disable CEF.

A quick note here: ACL counters on NAT-enabled interfaces or QoS are not supported. The CSCtj33068 (ACL counters for QoS) seems to be valid in this case.

If there is a feature requirement, you can open a case with Cisco and request a feature enhancement.

Hope this answers your questions.

Regards

Vinit

Thanks
--Vinit

Hi Vinit,

Thanks for the explanation. I will open a case with Cisco because I have the same setup in my lab but with an ISR 1921 G2, and I see the ACL counters work fine when attached to PBR, and I also get the output for "debug ip policy". Not sure why it is not working on the ISR 4331; because here we have IOS XE?

Thanks!

Hello Remi

Both ISR-G2 and ISR 4400s have a different architecture and, moreover, a different code base. ISR-G2 runs on IOS whereas 4400s run on IOS XE. Features like ACL, QoS and NAT have a hardware dependency, which is not the case on ISR-G2.

Hope this helps.

Regards

Vinit

PS: Please rate useful posts.

Thanks
--Vinit

Hi Justin,

Did you get it fixed?

I have just upgraded from 2900 to 4300 with firmware 

isr4300-universalk9.03.13.05.S.154-3.S5-ext.SPA.bin

and have the same problem 

Regards,

Niels-Peter

Use these statements:

platform qos marker-statistics
platform qos match-statistics per-filter
platform qos match-statistics per-ace
platform qos performance-monitor
platform qos optimize-rate-ratios

 

Then reboot.

jelloir
Level 1
platform inspect match-statistics per-filter

You will need to reload or re-apply policies - it warns you as such.
