Hi there, You are missing a forward slash. The correct structure is: https://api.cisco.com/security/advisories/product/?product=Cisco Email Security Appliance (ESA) cheers, Seb.   ... View more

Correct. Each flow is evaluated by the hashing algorithm as it is about to be forwarded over the etherchannel. It will continue to use that member link for the duration of the flow. It is quite likely that in a production network you will never achieve perfect load-balancing across member links.   cheers, Seb. ... View more

Hi there, If you do not have the log option at the end of an ACE, then in the event of it being a deny ACE it will generate a code 106023 message, the format of this message contains the string by access-group:   Apr 15 09:36:50: %ASA-4-106023: Deny tcp src dmz:X.X.X.30/63016 dst outside:X.X.X.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]   https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_6482625   If you specify the log option at the end of a permit or deny ACE it will log a code 106100 message, the format of which is slightly different, the ACL name is specified after the string access-list: Apr 15 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/X.X.X.16(2241) -> outside/X.X.X.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_4769049   cheers, Seb. ... View more

Can you share the output of sh etherchannel from both ends?   Also, what is the src/dest composition of the traffic over the etherchannel. As an extreme example, is it a single host to single host? An entire subnet to a single host? A range of subnets sending traffic off to the internet?   cheers, Seb. ... View more

Hi there, This is most likely an issue with the load balancing algorithm used on either end of the link: show etherchannel load-balance   ...you need to understand the type of traffic flows traversing the link to choose the best algorithm.   cheers, Seb. ... View more