access-list matches are 3 times as much as packets received, why?

Unanswered Question
Mar 21st, 2008

Ping frome r1:


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms


and show access-list on r2:

r2#sh access-lists | i match

470 permit ip any any dscp ef (15 matches)

Anybody can give me a good explaination for this? And what is the exact debug command that I can use to see the packet-matching events happening on the router?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (2 ratings)
Kevin Dorrell Sat, 03/22/2008 - 03:21

Is R1 pinging its own address on a point-to-point link by any chance?

Try disabling all your fast switching and do a debug ip icmp packets. You may find there is more going on than just a simple ping.

Kevin Dorrell


CSCO10892433 Sat, 03/22/2008 - 06:57

Hi, kevin

Thank you for the reply.

They are the fastethernet interfaces in the same vlan. R1 has address assigned to fa0/0 and r2 has address assigned to fa0/0. I also apply the access-group inbound on r2's fa0/0 interface.

I redo the lab per your suggestion: enable debug ip packet, disable cef switching. For clarity, I ping only one packet this time and the result indeed reduce one packet. But I still don't get it from the debug output. Why does CEF have to do with this? What does the other one more packet come from. (I expect 1 packet but there are 2 matches even after I disbale the cef; What other feature should I disable further?)



Kevin Dorrell Sat, 03/22/2008 - 08:39

Sorry, maybe I wasn't clear about the CEF. We switched it off just so that we could see all the packets in the debug. If CEF is active, then packets can miss the debug. It shouldn't make any difference to the packet count on the access-list, although in this case I am surprised to see that it seems to have done so.

Have you used this access-list in two different places, for example both on input and output? Or maybe in the service policy as well? If so, it will count a packet once for each time it goes through the access-list.

Is it possible your echo-reply is hitting the access-list as well as the original echo request? You could detect this by splitting up the access-list:

</p><p>10 permit icmp any any echo</p><p>20 permit icmp any any echo-reply</p><p>30 permit ip any any</p><p>

Kevin Dorrell


Richard Burts Sat, 03/22/2008 - 08:58


I believe that your question whether the access list might be applied in more than one place is a good question. I believe that there is another possibility to consider as an explanation. Access lists accumulate the hit count from the time the router booted or from when the access list counters were cleared. Is it possible that there had been some traffic hitting the access list before the test began.



CSCO10892433 Sun, 03/23/2008 - 07:03

Hi, kevin, rick

Thank both of you for the concerns about this topic.

Here is the result of acl-lab-round-3 (see attachment)and it is same as before. I also attach the running-config that I don't see any other place the ACL is applied. Please check it for me , maybe I'm missing something on somewhere.



Richard Burts Sun, 03/23/2008 - 14:43


Thank you for posting the additional information and especially for posting the configuration. Based on this I believe that I can explain at least 10 of the 15 matches in the access list. I will start by pointing out 2 significant things. 1) The serial interface with address appears to be a normal point to point serial interface. 2) The ping is for your own address. In a previous post you say that you are pinging the Fastethernet interface. But clearly this test is with serial point to point.

What happens when you ping your own address on a point to point serial interface is that the router forwards the ping (echo-request) out the point to point interface to the neighbor, the neighbor receives the ping requests and forwards them over the point to point back to you (here are the first 5 matches). Then the router generates the ping response (echo-reply) and forwards them out the point to point interface to the neighbor, the neighbor receives them and forwards them back to you (here are the next 5 matches).

The test you posted was with access list 101 which just has a single line which matches any IP packet. I believe that if you do the test with access list 102 which has separate lines for echo-request, echo-reply, and other IP that you will see 5 echo-request, 5 echo-reply, and perhaps 5 others. If you add the log parameter to the last line so that it has permit ip any any log, then you will get some indication what the other packets are.

It might be helpful to see the configuration of the router on the other end of the point to point serial (we assume that its address is probably



CSCO10892433 Sun, 03/23/2008 - 17:21

Hi, Rick

Sorry for the inconsistency among the several labs I did. I change the routers and the interfaces because I want to see if there is any difference. I'm sure I was pinging from the other router, not my own router. I will do the lab this night again with "ping source" to make sure I'm pinging from different router. I will let you know.



CSCO10892433 Mon, 03/24/2008 - 07:53

Hi, Rick

I just finish the lab round 4, but I found more wierd thing: if I add the log keyword to the and of each acl entry, I got only 5 matches!!!Without the log keyword, I got 15 matches as usual. How do you explain this?



PS: This time I'm very sure I'm not pinging the same router. All pings are from BB1 to BB3.

Richard Burts Mon, 03/24/2008 - 08:45


What you had posted before indicated that the ping was to the routers own interface. What you have posted this time is clear that the ping was to the remote router interface. I am puzzled by the result showing 15 hits in the access list and even more puzzled that the results show only 5 hits when the log key word is added.



sandeepkhera Wed, 10/27/2010 - 11:01

Hi guys,

Today I also noticed the same thing at my LAB. and during googling thie cause i found this forum only and unfortunately with no specific answer.

Does any one of you found the reason why it is happening. If yes then please post it here.



Paolo Bevilacqua Thu, 10/28/2010 - 05:39

I challenge the person that low rated my post above to come forward and give an explanation about.

What I have stated is 100% true, the fact that "you" did not liked my answer does not change your position of great ignorance and rudeness.


sandeepkhera Thu, 10/28/2010 - 06:46

But this I have observed on different routers with differnt IOSs.

So Its not possible that there is BUG in all.




This Discussion