Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
528
Views
0
Helpful
4
Replies

Hit count is not seen on a access-list

Go to solution
kr_madan
Level 1
Level 1

‎06-25-2008 01:21 PM - edited ‎03-11-2019 06:05 AM

Show access-list command

access-list incoming line 3 extended permit ip object-group test object-group test1 log informational interval 300

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rhysclementevans
Level 1
Level 1
In response to kr_madan

‎06-26-2008 11:30 PM

Yes it should show the hit count, even if 0. The only thing that doesn't show a hit count is the object-group line as this is expanded below to show the indivdual entries.

so (and forgive me if this misses the point) you may be looking at the wrong line in the command results. An example of what I would have expected is below - if your output doesn't match it then I would be interested to see the relevant snippets of your config and 'show' output.

object-group service WEBPORTS tcp

port-object eq 80

port-object eq 443

access-list incoming permit tcp any any object-group WEBPORTS

show access-list incoming

...would show something along the lines of.

access-list incoming line 1 permit tcp any any object-group WEBPORTS

access-list incoming line 1 permit tcp any any eq http (hitcnt=0)

access-list incoming line 1 permit tcp any any eq https (hitcnt=0)

View solution in original post

0 Helpful
4 Replies 4

Go to solution
rhysclementevans
Level 1
Level 1

‎06-26-2008 03:08 AM

Hello Kr,

If you're using show access-list xxx and not seeing a hit count then the simple answer is likely to be that the packets are not matching the access-list entry.

Is NAT involved? Perhaps the source or destination address is not as you would expect.

0 Helpful

Go to solution
kr_madan
Level 1
Level 1
In response to rhysclementevans

‎06-26-2008 04:57 AM

Hi,

Atleast it should how hitcount=0 right ?

0 Helpful

Go to solution
rhysclementevans
Level 1
Level 1
In response to kr_madan

‎06-26-2008 11:30 PM

Yes it should show the hit count, even if 0. The only thing that doesn't show a hit count is the object-group line as this is expanded below to show the indivdual entries.

so (and forgive me if this misses the point) you may be looking at the wrong line in the command results. An example of what I would have expected is below - if your output doesn't match it then I would be interested to see the relevant snippets of your config and 'show' output.

object-group service WEBPORTS tcp

port-object eq 80

port-object eq 443

access-list incoming permit tcp any any object-group WEBPORTS

show access-list incoming

...would show something along the lines of.

access-list incoming line 1 permit tcp any any object-group WEBPORTS

access-list incoming line 1 permit tcp any any eq http (hitcnt=0)

access-list incoming line 1 permit tcp any any eq https (hitcnt=0)

0 Helpful

Go to solution
kr_madan
Level 1
Level 1
In response to rhysclementevans

‎06-27-2008 10:34 AM

Thanks for information !!!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card