Hit count is not seen on an access-list

Answered Question
Jun 25th, 2008

Show access-list command

access-list incoming line 3 extended permit ip object-group test object-group test1 log informational interval 300

rhysclementevans Thu, 06/26/2008 - 03:08

Hello Kr,

If you're using show access-list xxx and not seeing a hit count then the simple answer is likely to be that the packets are not matching the access-list entry.

Is NAT involved? Perhaps the source or destination address is not as you would expect.

Correct Answer
rhysclementevans Thu, 06/26/2008 - 23:30

Yes it should show the hit count, even if 0. The only thing that doesn't show a hit count is the object-group line, as this is expanded below to show the individual entries.

So (and forgive me if this misses the point) you may be looking at the wrong line in the command results. An example of what I would have expected is below - if your output doesn't match it then I would be interested to see the relevant snippets of your config and 'show' output.

object-group service WEBPORTS tcp
 port-object eq 80
 port-object eq 443
access-list incoming permit tcp any any object-group WEBPORTS

show access-list incoming

...would show something along the lines of:

access-list incoming line 1 permit tcp any any object-group WEBPORTS
access-list incoming line 1 permit tcp any any eq http (hitcnt=0)
access-list incoming line 1 permit tcp any any eq https (hitcnt=0)
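As an added example (not from the thread or from Cisco), a small Python parser for ASA `show access-list` output that separates the object-group summary lines (which carry no hitcnt) from their expanded entries, sums hits per configured line and lists the entries still at hitcnt=0 for review; the sample output below is constructed, including the hash suffixes.

```python
import re
from collections import defaultdict

# Constructed sample of `show access-list` output (not from the thread).
# The object-group lines carry no hitcnt; their expanded entries do.
SAMPLE = """\
access-list incoming; 4 elements; name hash: 0x1d8a2f3b
access-list incoming line 1 extended permit tcp any any object-group WEBPORTS
access-list incoming line 1 extended permit tcp any any eq www (hitcnt=1532) 0xa1b2c3d4
access-list incoming line 1 extended permit tcp any any eq https (hitcnt=0) 0xb2c3d4e5
access-list incoming line 2 extended permit ip object-group test object-group test1 log informational interval 300
access-list incoming line 2 extended permit ip host 10.0.0.5 host 10.0.1.7 log informational interval 300 (hitcnt=0) 0xc3d4e5f6
access-list incoming line 3 extended deny ip any any (hitcnt=87) 0xd4e5f6a7
"""

# One ACE line: ACL name, configured line number, rule text, optional hitcnt, optional hash.
LINE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.*?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?(?: 0x[0-9a-f]+)?$"
)

def parse_show_access_list(text):
    """Map configured line number -> {'parent': object-group line or None, 'entries': [(rule, hits)]}."""
    acl = defaultdict(lambda: {"parent": None, "entries": []})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header/summary lines carry no ACE
        ln = int(m.group("line"))
        if m.group("hits") is None:
            # object-group summary line: no hitcnt, the expansion follows below it
            acl[ln]["parent"] = m.group("rule")
        else:
            acl[ln]["entries"].append((m.group("rule"), int(m.group("hits"))))
    return dict(acl)

def zero_hit_entries(parsed):
    """Expanded ACEs with hitcnt=0: unused rules, or traffic not matching as expected (e.g. NAT)."""
    return [(ln, rule) for ln, d in sorted(parsed.items())
            for rule, hits in d["entries"] if hits == 0]

def line_totals(parsed):
    """Total hits per configured line, summed across its expanded entries."""
    return {ln: sum(h for _, h in d["entries"]) for ln, d in parsed.items()}
```

Feed it the saved output of `show access-list <name>` to see which configured line a zero count really belongs to, instead of reading the object-group summary line.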
