firewall hit counts

Answered Question
Oct 23rd, 2009

What does this "(hitcnt=*)" mean beside any rule in a Cisco firewall?

Also, I'm facing instances where even if the connection is initiated, I don't see anything coming on the firewall (be it deny/permit/connection buildup). Routes & other factors are fine.

Please suggest.


Correct Answer by Leigh_Olsen about 4 years 5 months ago

An asterisk means that the rule has been merged with other rules and thus the hit count cannot be accurate.

Please see

Jatin Katyal Fri, 10/23/2009 - 05:18


"hitcnt" shows how many times each ACL entry has been hit.

Actually, these commands provide a packet count or hit counts:

This can be used on the firewall: "show run access-list"

This can be used on IOS devices: "show ip access-list"


access-list acl_inside_out permit tcp any any eq www (hitcnt=3074)

The above access-list shows that it has been hit 3074 times.

access-list acl_inside_out permit tcp any host X.X.X.X eq smtp (hitcnt=0)

The access-list shows no hits against it.

You may go through this link for better understanding.



Pls rate helpful posts-
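As an added illustration (my own code, not from any poster in this thread or from Cisco): a small Python parser for access-list lines in the hitcnt format quoted above. It records hitcnt=* as an unknown count rather than zero, so a merged rule (Leigh_Olsen's answer) is not mistaken for an unused one when reviewing rules with hitcnt=0. The sample output is constructed, not captured from a device.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of hitcnt output (not from a real device). The first two lines
# mirror the format quoted in the thread; the third shows the asterisk case, where
# the count is unreliable because the rule was merged with others.
SAMPLE_OUTPUT = """\
access-list acl_inside_out permit tcp any any eq www (hitcnt=3074)
access-list acl_inside_out permit tcp any host X.X.X.X eq smtp (hitcnt=0)
access-list acl_inside_out permit ip any any (hitcnt=*)
"""

# Captures the rule text and the raw count, which is either digits or "*".
HITCNT_RE = re.compile(
    r"^(?P<rule>access-list\s+\S+\s+.*?)\s*\(hitcnt=(?P<count>\*|\d+)\)"
)


@dataclass
class AclEntry:
    rule: str
    hits: Optional[int]  # None when the device reports "*" (merged, count unreliable)
    merged: bool


def parse_hitcounts(text: str) -> list:
    """Parse every line carrying a (hitcnt=...) field; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HITCNT_RE.search(line)
        if not m:
            continue
        raw = m.group("count")
        if raw == "*":
            entries.append(AclEntry(m.group("rule"), None, True))
        else:
            entries.append(AclEntry(m.group("rule"), int(raw), False))
    return entries


def classify(entries: list) -> dict:
    """Separate never-hit rules (cleanup candidates) from rules whose count cannot
    be trusted and rules that have seen traffic."""
    return {
        "unused": [e.rule for e in entries if e.hits == 0],
        "unknown": [e.rule for e in entries if e.merged],
        "active": [e.rule for e in entries if e.hits],
    }
```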

suthomas1 Fri, 10/23/2009 - 05:27

Thanks, my question was: what does the * in hitcnt=* mean? And about the logging thing.

suthomas1 Fri, 10/23/2009 - 08:55

Thanks, I am sorry if there is any confusion from my question here. My firewall just shows the * symbol on certain rules, whereas for other rules it shows hitcnt=0.

What difference do * and 0 indicate here? 0 appears when there is no connection covering this rule.

What is the case if only * appears?

