PIX 722 access-list hits is not incrementing

Unanswered Question
May 28th, 2008

Hi Guru's,

It is so strange because I just noticed that the hits on my access-list are not incrementing. I would appreciate it if someone could enlighten me on this. I'm not sure if this is a bug or if I made a mistake during my upgrade process.



husycisco Wed, 05/28/2008 - 02:15

Hi Jong,

Please paste your ACL with its ACEs in their respective order and let us check. You may have an ACE at the beginning that already permits/denies the traffic that is supposed to be permitted/denied by your specific ACE.

If none of them increments, either it is not set for an interface with access-group "aclname" in interface "ifname", or your network statements are incomplete.


jong_r0602 Wed, 05/28/2008 - 20:30

Here's my ACL. As you can see, there is already a hit count, but after the OS upgrade the hits seem not to be incrementing.

access-list vpn1; 9 elements
access-list vpn1 line 1 extended permit ip 1 (hitcnt=1419) 0xfbacb239
access-list vpn1 line 2 extended permit ip 1 (hitcnt=18712) 0x6f76ac86
access-list vpn1 line 3 extended permit ip 1 (hitcnt=3412) 0x907d7deb
access-list vpn1 line 4 extended permit ip 1 (hitcnt=542) 0x65497b0a
access-list vpn1 line 5 extended permit ip 1 (hitcnt=461) 0xc8b559b6
access-list vpn1 line 6 extended permit ip 1 (hitcnt=72) 0xf411b42d
access-list vpn1 line 7 extended permit ip host HT1-CovadNATIP (hitcnt=193) 0x6bfe97fd
access-list vpn1 line 8 extended permit ip host HT1-BlockBusterNATIP 10.0.0.0 (hitcnt=0) 0xc45d7dac
access-list vpn1 line 9 extended permit ip host Internet_NATIP_Brother 1 (hitcnt=28) 0x8f586982
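As an added example (not code from the thread or from Cisco), a small Python helper that parses two snapshots of PIX/ASA 7.x `show access-list` output in the format pasted above, matches ACEs by their trailing hash so that renumbered lines still pair up, and reports every ACE whose hitcnt did not grow between the snapshots. The two snapshots and the addresses in them are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# One ACE line of 7.x "show access-list" output, e.g.
# "access-list vpn1 line 8 extended permit ip host H 10.0.0.0 255.0.0.0 (hitcnt=0) 0xc45d7dac"
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+(?P<body>.*?)\s*"
    r"\(hitcnt=(?P<hits>\d+)\)\s+(?P<hash>0x[0-9a-fA-F]+)\s*$"
)

# Constructed sample snapshots (addresses are documentation ranges, not real hosts).
BEFORE = """access-list vpn1; 3 elements
access-list vpn1 line 1 extended permit ip 192.0.2.0 255.255.255.0 any (hitcnt=1419) 0xfbacb239
access-list vpn1 line 2 extended permit ip host 192.0.2.10 10.0.0.0 255.0.0.0 (hitcnt=0) 0xc45d7dac
access-list vpn1 line 3 extended permit ip host 192.0.2.11 any (hitcnt=28) 0x8f586982
"""
AFTER = """access-list vpn1; 3 elements
access-list vpn1 line 1 extended permit ip 192.0.2.0 255.255.255.0 any (hitcnt=1425) 0xfbacb239
access-list vpn1 line 2 extended permit ip host 192.0.2.10 10.0.0.0 255.0.0.0 (hitcnt=0) 0xc45d7dac
access-list vpn1 line 3 extended permit ip host 192.0.2.11 any (hitcnt=30) 0x8f586982
"""

def parse_access_list(text: str) -> Dict[Tuple[str, str], Tuple[int, int, str]]:
    """Map (acl name, ACE hash) -> (line number, hitcnt, ACE body) for every ACE line."""
    entries: Dict[Tuple[str, str], Tuple[int, int, str]] = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:  # header lines such as "access-list vpn1; 3 elements" do not match
            entries[(m["acl"], m["hash"])] = (int(m["line"]), int(m["hits"]), m["body"])
    return entries

def stale_aces(before: str, after: str) -> List[Tuple[str, int, int, int, str]]:
    """ACEs present in both snapshots whose hitcnt did not increase.

    Returns (acl, line, hits_before, hits_after, body), ordered by acl and line.
    A stale ACE is a candidate for shadowing by an earlier ACE, a missing
    access-group binding, or traffic that never reaches the rule (e.g. NAT/route issues).
    """
    b, a = parse_access_list(before), parse_access_list(after)
    stale = [
        (acl, line, b[(acl, h)][1], hits, body)
        for (acl, h), (line, hits, body) in a.items()
        if (acl, h) in b and hits <= b[(acl, h)][1]
    ]
    return sorted(stale, key=lambda e: (e[0], e[1]))

if __name__ == "__main__":
    for acl, line, h0, h1, body in stale_aces(BEFORE, AFTER):
        print(f"{acl} line {line}: hitcnt {h0} -> {h1}: {body}")
```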

husycisco Thu, 05/29/2008 - 02:03


I have to see your config to find out where this vpn1 ACL is used and what names like HT1-BlockbusterNATIP refer to.

Or, if you would like to handle it on your own, you can use the packet-tracer command and see which NAT rules, ACLs and routes the packet travels through.


jong_r0602 Tue, 06/03/2008 - 22:06



Sorry for the late response. See my config in the attached file. Please have a check.

husycisco Wed, 06/04/2008 - 01:43


Here is the ACE that doesn't increment:

access-list indiaencrypt line 8 extended permit ip host HT1-BlockBusterNATIP 10.0.0.0 (hitcnt=0) 0xc45d7dac

HT1-BlockBusterNATIP is the global entry of the NAT for First of all, you have to make sure that a host in is trying to reach network.

But here is an inconsistency. NAT statement 212 has HT1-BlockBusterNATIP on the internet interface, but no static route exists for , and if the firewall is learning a default route via OSPF from a neighbour which is not on the internet interface, that would prevent translation 212 from occurring. A route statement like the following may resolve the issue.

But first, please run the following command and save its output to a txt file:

packet-tracer input inside tcp 3389 5555 detailed

Now add the following route:

route internet

Then run the packet-tracer command again, and attach the file with the packet-tracer outputs for me to analyze.


