07-02-2009 08:57 AM - edited 03-11-2019 08:50 AM
Hi,
I have applied an interface service-policy with a class-map that includes all traffic.
Yet when I do show access-list, I don't see any hit counts. Do hit counts normally show against an ACL attached to class-maps/policy-maps and a service-policy?
Thanks
07-02-2009 09:09 AM
I just tried it in the ASA and it does show hit counts on the acl applied to the class map which calls for a specific inspection.
Issue this command.
sh service-policy flow tcp host x.x.x.x host y.y.y.y eq
The output should say that it is going through certain inspection configurations.
Now if this is something new, for it to take effect you may have to issue a
clear local x.x.x.x
where x.x.x.x is the ip address of the host in question.
07-02-2009 09:17 AM
When I enter the second inspect command under the policy/class-map, it says: ERROR: Multiple inspect commands can't be configured for a class without 'match default-inspection-traffic|none' in it.
Why is that?
07-02-2009 10:25 AM
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
5505# conf t
5505(config)# policy-map global_policy
5505(config-pmap-c)# class http
5505(config-pmap-c)# ins http
5505(config-pmap-c)# ins ftp
ERROR: Multiple inspect commands can't be configured for a class without 'match default-inspection-traffic|none' in it.
I believe this is the error that you are referring to.
You cannot add two (multiple) inspections under one class unless the class is inspection_default.
Please see the policy-map that I pasted above.
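The restriction described in the reply above, shown as an added configuration example that is not part of the original thread: each inspection engine gets its own class when the class matches on something other than default-inspection-traffic. The class-map names, the policy-map name, the interface name and the port numbers are constructed placeholders.

```cisco
! Constructed example: all names and port numbers below are placeholders.
!
! Rejected form: two inspect commands under a class that matches on a port.
!   policy-map outside_policy
!    class http_class
!     inspect http
!     inspect ftp
!   ERROR: Multiple inspect commands can't be configured for a class
!          without 'match default-inspection-traffic|none' in it.
!
! Accepted form: one class per inspection engine.
class-map http_class
 match port tcp eq 80
class-map ftp_alt_class
 match port tcp eq 2121
!
policy-map outside_policy
 class http_class
  inspect http
 class ftp_alt_class
  inspect ftp
!
service-policy outside_policy interface outside
```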
07-02-2009 02:04 PM
When I do show service-policy flow etc I see a high number of packets against the policy which means that the packet is matched against the class-map (ACL). But when I do show access-list, I see no or very low hit count.
The hit count doesn't match the packets inspected on show service-policy flow display.
07-03-2009 04:30 AM
You can remove the service policy and put it back after clearing the access-list counters.
clear access-l
Then watch the show service-policy flow again.
What code is the ASA running?