Firewall service-policy

Unanswered Question
Jul 2nd, 2009


I have applied an interface service-policy with a class-map that includes all traffic.

Yet when I do show access-list, I don't see any hit counts. Do hit counts normally show against an ACL attached to class-maps/policy-maps and a service-policy?


Kureli Sankar Thu, 07/02/2009 - 09:09

I just tried it in the ASA and it does show hit counts on the acl applied to the class map which calls for a specific inspection.

Issue this command.

sh service-policy flow tcp host x.x.x.x host y.y.y.y eq

the output should say that it is going through certain inspections configuration.

Now if this is something new, for it to take effect you may have to issue a

clear local x.x.x.x

where x.x.x.x is the ip address of the host in question.

tech_trac Thu, 07/02/2009 - 09:17

When I enter the second inspect command under the policy/class-map, it says: ERROR: Multiple inspect commands can't be configured for a class without 'match default-inspection-traffic|none' in it.

Why is that?

Kureli Sankar Thu, 07/02/2009 - 10:25

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp


5505# conf t
5505(config)# policy-map global_policy
5505(config-pmap-c)# class http
5505(config-pmap-c)# ins http
5505(config-pmap-c)# ins ftp
ERROR: Multiple inspect commands can't be configured for a class without 'match default-inspection-traffic|none' in it.

I believe this is the error that you are referring to.

You cannot add two (multiple) inspections under one class unless the class is inspection_default.

Please see the policy-map that I pasted above.
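The two ways around that error, as an added example that is not part of Kureli Sankar's post or of the original thread. The ACL names (HTTP_IN, FTP_IN, INSPECT_IN), class names (http_class, ftp_class, app_inspect) and the 10.1.1.0/24 subnet are assumptions chosen for illustration; pick one option rather than applying both, since they would overlap for the same traffic.

```cisco
! Added example, not the original poster's configuration.
! Names and the 10.1.1.0/24 subnet are assumptions.
!
! Option 1: one inspect per class, each class matching its own ACL.
! A class that matches an access-list may carry only a single inspect.
access-list HTTP_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list FTP_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
!
class-map http_class
 match access-list HTTP_IN
class-map ftp_class
 match access-list FTP_IN
!
policy-map global_policy
 class http_class
  inspect http
 class ftp_class
  inspect ftp
!
! Option 2: a class built on 'match default-inspection-traffic', optionally
! narrowed by a second 'match access-list', may carry several inspect
! commands, exactly like the built-in inspection_default class.
access-list INSPECT_IN extended permit ip 10.1.1.0 255.255.255.0 any
!
class-map app_inspect
 match default-inspection-traffic
 match access-list INSPECT_IN
!
policy-map global_policy
 class app_inspect
  inspect http
  inspect ftp
```

With either option the per-ACE counters from show access-list HTTP_IN (or INSPECT_IN) should climb together with the packet counts in show service-policy, which is the check the thread is after; if they do not, clear access-list counters and re-apply the service-policy, as suggested later in the thread.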

tech_trac Thu, 07/02/2009 - 14:04

When I do show service-policy flow, etc., I see a high number of packets against the policy, which means that the packets are matched against the class-map (ACL). But when I do show access-list, I see no or a very low hit count.

The hit count doesn't match the packets inspected on show service-policy flow display.

Kureli Sankar Fri, 07/03/2009 - 04:30

You can remove the service policy and put it back after clearing the access-list counters.

clear access-list counters

Then watch the show service-policy flow again.

What code is the ASA running?
