You ask what seems to be a simple question: "So what is an ACL match?". The simple answer is that each statement in an ACL defines a condition and then evaluates packets against the defined condition. A match occurs when the result of the evaluation is "true".
It seems that what you are really interested in is why do results at one end not match the results at the other end. And there might be multiple reasons for that:
- Are you really measuring the same thing at both ends? What you describe seems to suggest a packet capture at one end and evaluating using an ACL at the other end. When we measure differently, it is quite possible that we will get different results.
- The ACL would be evaluating IP packets. But is it possible that some of what the PA has in its capture is not IP (perhaps spanning tree, or perhaps some type of keepalive, or something else)?
- The capture at the PA sees everything going out the interface. Is it possible that some things going through the PA interface are not intended for your router? Perhaps it is running some link monitoring protocol? Perhaps it runs a routing protocol with its ISP device? Perhaps it is sending traffic to more destinations than just your router?
- If the traffic being sent from the PA uses TCP transport, there is the possibility of timeout and retransmission. Your ACL would see 1 TCP packet, but there might have been multiple retransmissions at the PA.
- Depending on the platform, the match count displayed when you do show access-list might not be accurate. Especially for platforms which support distributed processing, the hit count displayed in show access-list might reflect only packets sent to the CPU for processing and not the packets processed by the line card.
HTH
Rick
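The following is an added example, not part of Rick's reply and not vendor code. It models the first-match ACL evaluation the reply describes (top-down, wildcard masks, implicit deny at the end, one hit counter per line) and then feeds it a constructed "PA-side" capture that contains non-IP frames, frames sent to another neighbour, and a TCP segment that was lost and retransmitted. The point is to see the capture count and the ACL hit counts diverge for exactly the reasons listed above. All addresses, frames and the `ROUTER_LINK_IP` / `lost_in_transit` fields are invented for the illustration; the platform-specific counter inaccuracy from the last bullet is a hardware behaviour and is not modelled.

```python
"""Toy model of ACL matching versus a neighbour-side packet capture.
Added example; constructed data throughout, not from any real network."""
from dataclasses import dataclass
from ipaddress import IPv4Address

ROUTER_LINK_IP = "192.0.2.1"   # constructed link address of "your" router


@dataclass
class AclEntry:
    action: str        # "permit" or "deny"
    protocol: str      # "ip" matches any IP protocol; otherwise "tcp"/"udp"/"icmp"
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    hits: int = 0      # what "show access-list" would display for this line


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS-style wildcard comparison: bits set to 1 in the wildcard are ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def entry_matches(entry: AclEntry, pkt: dict) -> bool:
    """The 'condition' of one ACL statement evaluated against one IP packet."""
    if entry.protocol != "ip" and entry.protocol != pkt["proto"]:
        return False
    return (wildcard_match(pkt["src"], entry.src, entry.src_wildcard)
            and wildcard_match(pkt["dst"], entry.dst, entry.dst_wildcard))


def evaluate_acl(acl: list, packets: list) -> dict:
    """Top-down, first-match evaluation with an implicit deny at the end.
    Increments the hit counter of the matching line and returns a summary."""
    permitted = denied = implicit_deny = 0
    for pkt in packets:
        for entry in acl:
            if entry_matches(entry, pkt):
                entry.hits += 1
                if entry.action == "permit":
                    permitted += 1
                else:
                    denied += 1
                break
        else:
            implicit_deny += 1          # matched no line at all
    return {"permitted": permitted, "denied": denied, "implicit_deny": implicit_deny}


def packets_reaching_router(capture: list) -> list:
    """Model three of the gaps named in the reply: non-IP frames are never
    evaluated by an IP ACL, frames sent to other neighbours never reach this
    router, and a lost-then-retransmitted TCP segment appears in the capture
    once per transmission but reaches the router only once."""
    reaching = []
    for frame in capture:
        if frame["kind"] != "ip":
            continue                    # spanning tree, link keepalives, ...
        if frame["next_hop"] != ROUTER_LINK_IP:
            continue                    # towards the ISP or another peer
        if frame.get("lost_in_transit"):
            continue                    # the original copy that triggered the retransmit
        reaching.append(frame)
    return reaching


# Constructed capture taken on the PA's outbound interface (7 frames).
SAMPLE_CAPTURE = [
    {"kind": "stp", "next_hop": None},
    {"kind": "keepalive", "next_hop": None},
    {"kind": "ip", "next_hop": "192.0.2.1", "proto": "tcp",
     "src": "198.51.100.10", "dst": "203.0.113.5", "lost_in_transit": True},
    {"kind": "ip", "next_hop": "192.0.2.1", "proto": "tcp",
     "src": "198.51.100.10", "dst": "203.0.113.5"},            # retransmission
    {"kind": "ip", "next_hop": "192.0.2.254", "proto": "udp",
     "src": "198.51.100.10", "dst": "203.0.113.53"},           # sent towards the ISP
    {"kind": "ip", "next_hop": "192.0.2.1", "proto": "udp",
     "src": "198.51.100.20", "dst": "203.0.113.53"},
    {"kind": "ip", "next_hop": "192.0.2.1", "proto": "icmp",
     "src": "198.51.100.99", "dst": "203.0.113.5"},            # falls to implicit deny
]


def build_acl() -> list:
    """Two permit lines; anything else (here the ICMP packet) is implicitly denied."""
    return [
        AclEntry("permit", "tcp", "198.51.100.0", "0.0.0.255", "203.0.113.5", "0.0.0.0"),
        AclEntry("permit", "udp", "198.51.100.0", "0.0.0.255", "203.0.113.53", "0.0.0.0"),
    ]


def compare(capture: list = SAMPLE_CAPTURE) -> dict:
    """Capture count on the PA side versus what the router's ACL counters show."""
    acl = build_acl()
    summary = evaluate_acl(acl, packets_reaching_router(capture))
    summary["captured_frames"] = len(capture)
    summary["acl_line_hits"] = [e.hits for e in acl]
    return summary


if __name__ == "__main__":
    print(compare())
```

Running it shows 7 captured frames against only 3 packets evaluated by the ACL, with the two permit lines showing one hit each and the ICMP packet landing on the implicit deny; whoever is comparing "what the PA sent" with "what my ACL counted" is comparing two different populations before any counter accuracy question even comes up.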