Solved: ASR 1001HX doesn't show ACL counters

gnijs · ‎04-26-2018

Hello,

We have deployed a 1001HX running Denali Version 16.03.06.

We have configured ACL inbound on two interfaces: TenGigabitEthernet0/1/1 and Gi0/0/0

However, the ACL on Gi0/0/0 doesn't show any hit counters:

R#show ip access-lists 105
Extended IP access list 105

190 permit udp any eq domain any
200 permit tcp any any gt 1024 established

1790 permit object-group IPSEC-OBJ host X.X.X.X host Z.Z.Z.Z
1800 permit object-group IPSEC-OBJ host Y.Y.Y.Y host Z.Z.Z.Z

The ACL deployed on the Te0/1/1 interface show permit hit counters:

R#sh ip access-lists 111
Extended IP access list 111
20 permit ip 10.0.0.0 0.255.255.255 any (3383382 matches)

Both are deployed inbound.

Could it be that i don't see hit counters on ACL105 because it contains object-groups ??

How to see hits in ACLs that contain object groups ??

regards,

Geert

gnijs · ‎04-26-2018

Strange. When i configured "service internal", and did "show ip acces list 105 expand", i got the following:

Object groups are not expanded yet.

Object groups expansion happens upon exiting from ACL configuration submode.

After

conf t
ip access-list ext 105
exit
exit

it works like it should.....

giving statistics even in normal view:

190 permit udp any eq domain any (1401 matches)
200 permit tcp any any gt 1024 established (12942158 matches)

gnijs · ‎04-26-2018

mmm found this:

gnijs · ‎04-26-2018