
ACL hit counts

Suresh Varghese
Level 1

Hi,

I just needed to clarify something. I have a data center and a branch office connected to each other through an IPSec VPN. I also have SSL-VPN configured on the firewall in my data center, the same firewall on which the IPSec VPN from my branch office terminates.

I retrieved some ACL logs from the ASA in the data center and all the hit counts shown are zero, even when the connection is established and my branch office users are able to access all resources.

e.g. access-list CRYPTO_XXXXX line 8 extended permit ip x.x.x.x 255.255.0.0 y.y.y.y 255.255.255.0 (hitcnt=0) 0x8142efc9

All the ACLs are like this, where y.y.y.y is the branch office subnet.

I also have another ACL which popped up in my SSL VPN ACL, as shown below:

e.g. access-list DAP-ip-user-906E4E06 line 1 extended permit ip x.x.x.x 255.255.255.0 host y.y.y.y (hitcnt=22162) 0x440bdd04

access-list SSLVPN-CORP-ACL line 1 extended permit ip x.x.x.x 255.255.255.0 host y.y.y.y(hitcnt=0) 0xc9d27468

Can anyone tell me why my hit count is zero for both the CRYPTO ACL and the SSLVPN-CORP-ACL, even when the connection is established?

Second, what is DAP-ip-user-906E4E06? Why is it showing up like that?

Thanks a lot in advance.
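As an added example (not from the original post or from Cisco), the following script parses `show access-list` lines in the shape quoted above and lists the ACLs and entries whose hitcnt is zero, and marks DAP-generated ACLs, so the zero-hit entries can be cross-checked against the tunnel counters rather than assumed unused. The ACL names and addresses in the sample are constructed, and the regex only covers the `ip` entries without port specifications shown in the post.

```python
import re

# Constructed sample of ASA "show access-list" output in the shape quoted in
# the post: a crypto-map ACL, a DAP-generated ACL and the SSL VPN group ACL.
# The third line keeps the missing space before "(hitcnt=" seen in the post.
SAMPLE_OUTPUT = """
access-list CRYPTO_BRANCH line 8 extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0 (hitcnt=0) 0x8142efc9
access-list DAP-ip-user-906E4E06 line 1 extended permit ip 10.10.20.0 255.255.255.0 host 192.168.50.7 (hitcnt=22162) 0x440bdd04
access-list SSLVPN-CORP-ACL line 1 extended permit ip 10.10.20.0 255.255.255.0 host 192.168.50.7(hitcnt=0) 0xc9d27468
"""

# One access-control entry as printed by the ASA. Source and destination are
# either "addr mask" or "host addr"; the hitcnt may be glued to the address.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>host \S+?|\S+ \S+) (?P<dst>host \S+?|\S+ \S+?)"
    r"\s*\(hitcnt=(?P<hits>\d+)\)\s+(?P<hash>0x[0-9a-fA-F]+)"
)

def parse_access_list(output):
    """Return one dict per ACE; lines that do not match the pattern are skipped."""
    entries = []
    for raw in output.splitlines():
        m = ACE_RE.search(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["line"] = int(e["line"])
        e["hits"] = int(e["hits"])
        # DAP-* ACLs are generated per session by a dynamic access policy rule.
        e["dynamic"] = e["acl"].startswith("DAP-")
        entries.append(e)
    return entries

def hits_per_acl(entries):
    """Total hit count per ACL name, so idle-looking ACLs stand out."""
    totals = {}
    for e in entries:
        totals[e["acl"]] = totals.get(e["acl"], 0) + e["hits"]
    return totals

def zero_hit_aces(entries):
    """(acl, line) pairs with hitcnt=0: check these against the tunnel's
    encaps/decaps counters before concluding the entry is unused."""
    return [(e["acl"], e["line"]) for e in entries if e["hits"] == 0]

if __name__ == "__main__":
    parsed = parse_access_list(SAMPLE_OUTPUT)
    for acl, total in hits_per_acl(parsed).items():
        print(f"{acl}: {total} hits")
    print("zero-hit ACEs:", zero_hit_aces(parsed))
```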

1 Reply

Hi Suresh,

By any chance, did the "show crypto ipsec sa" output for that specific tunnel reveal encaps / decaps?

The DAP-ip-user-906E4E06 is a network / web type ACL that a specific DAP rule assigned to this session.

HTH.

Portu.

Please rate any helpful posts.