firewall rule

suthomas1
Level 6

Please help me understand the asterisk (*) symbol seen in the rule below (highlighted) beside the hitcnt keyword.

access-list server_input_in line 34 extended permit tcp host 192.168.100.1 host 192.168.300.4 eq ssh (hitcnt=*)

Hitcnt should show a numeric count based on how frequently the rule is used, but I have never seen this rule get a hitcnt, even though so far there is no issue with this particular access.

It will be difficult to check once a problem arises.

Thanks for valuable inputs!

3 Replies

Panos Kampanakis
Cisco Employee

On the FWSM, the * in the hitcount field implies that the particular ACE is a redundant ACE which got optimized (probably merged into some other ACE) as part of ACL optimization. 'show access-list optimization detail' will tell you which ACE the redundant one got merged into. It is expected to see the * in the hitcount field when ACL optimization is enabled.

I hope it helps.

PK

Thanks a lot for your great help. This was something I never knew of; I found the following for this:

access-list server_input_in line 40 extended permit tcp host 192.168.100.1 host 192.168.300.4 range ftp ssh (hitcnt=0) 0x3d141072  [(50)]
access-list server_input_in line 42 extended permit tcp host 192.168.100.1 host 192.168.300.4  eq ssh (hitcnt=0) 0x00000000 [Merged to 48: ADJACENT]

These lines don't show any hits as of now. Does it mean the optimised ones won't show any hits, or is it so because there may not be any traffic at this point? Also, does this kind of optimisation cause any issues with services?

I am having problems accessing the above services, and that is when I noticed the * in the counts, which prompted this query.

Appreciate your assistance!

From the access-list you have shown, they look like they are duplicates of each other:

access-list server_input_in line 34 extended permit tcp host  192.168.100.1 host 192.168.300.4 eq ssh (hitcnt=*)

access-list server_input_in line 40 extended permit tcp host  192.168.100.1 host 192.168.300.4 range ftp ssh (hitcnt=0) 0x3d141072   [(50)]
access-list server_input_in line 42 extended permit tcp host  192.168.100.1 host 192.168.300.4  eq ssh (hitcnt=0) 0x00000000 [Merged  to 48: ADJACENT]

Line 34 will be matched first, so that has the * on it.

"hitcnt=*" has been explained previously.

Optimization should not cause any issue with the service.

You will need to check the logs and/or do packet captures to troubleshoot further any issues with your failing services that use this flow.

Regards,
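Added example (not code from the thread or from Cisco): a small parser for the 'show access-list' lines quoted above that flags ACEs the FWSM has optimized away (hitcnt=*), extracts the "Merged to N" annotation, and applies first-match logic to show which earlier ACE would actually catch each flow, which is how you confirm that line 34 is the one consuming the SSH traffic and that line 42 is shadowed. The sample input is the three lines from this thread pasted in as a constructed string; the regular expression only understands the host/host and eq/range forms that appear there, and the service-name-to-port table is an assumption covering a handful of well-known names. 'show access-list optimization detail' remains the authoritative source for merge targets; this script only reads the text the box already printed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three ACE lines quoted in the thread (not live output).
SAMPLE = """\
access-list server_input_in line 34 extended permit tcp host 192.168.100.1 host 192.168.300.4 eq ssh (hitcnt=*)
access-list server_input_in line 40 extended permit tcp host 192.168.100.1 host 192.168.300.4 range ftp ssh (hitcnt=0) 0x3d141072   [(50)]
access-list server_input_in line 42 extended permit tcp host 192.168.100.1 host 192.168.300.4  eq ssh (hitcnt=0) 0x00000000 [Merged  to 48: ADJACENT]
"""

# Assumption: a subset of the service names the FWSM prints instead of port numbers.
SERVICES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}

# Matches only the host/host, eq/range shape seen in the thread; extend for any/subnet forms.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) host (?P<src>\S+) host (?P<dst>\S+)"
    r"(?: eq (?P<eq>\S+)| range (?P<lo>\S+) (?P<hi>\S+))?"
    r" \(hitcnt=(?P<hits>\*|\d+)\)"
    r"(?: (?P<hash>0x[0-9a-fA-F]+))?"
    r"(?: \[(?P<note>[^\]]*)\])?"
)


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: str
    dst: str
    ports: tuple            # (low, high) inclusive; (0, 65535) when no port clause
    hits: Optional[int]     # None when the FWSM prints hitcnt=* (ACE optimized away)
    merged_to: Optional[int]  # target line from a "[Merged to N: ...]" annotation


def _port(name: str) -> int:
    return SERVICES.get(name) or int(name)


def parse_aces(text: str) -> list:
    """Parse 'show access-list' output into Ace records, in printed (line) order."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.search(" ".join(raw.split()))  # collapse the doubled spaces the CLI emits
        if not m:
            continue
        if m["eq"]:
            ports = (_port(m["eq"]), _port(m["eq"]))
        elif m["lo"]:
            ports = (_port(m["lo"]), _port(m["hi"]))
        else:
            ports = (0, 65535)
        merged = re.search(r"Merged to (\d+)", m["note"] or "")
        aces.append(Ace(m["acl"], int(m["line"]), m["action"], m["proto"], m["src"], m["dst"],
                        ports, None if m["hits"] == "*" else int(m["hits"]),
                        int(merged.group(1)) if merged else None))
    return aces


def first_match_line(aces: list, ace: Ace) -> int:
    """Line number of the earliest ACE whose criteria cover everything `ace` matches.
    Returns ace.line itself when no earlier ACE shadows it (first-match semantics)."""
    for other in aces:
        if other.line >= ace.line:
            break
        same_flow = (other.acl, other.proto, other.src, other.dst) == (ace.acl, ace.proto, ace.src, ace.dst)
        if same_flow and other.ports[0] <= ace.ports[0] and ace.ports[1] <= other.ports[1]:
            return other.line
    return ace.line


def analyse(text: str) -> dict:
    """Per ACE line: raw hits, whether it was optimized away, merge target, and first-match line."""
    aces = parse_aces(text)
    return {a.line: {"hits": a.hits, "optimized_away": a.hits is None,
                     "merged_to": a.merged_to, "first_match": first_match_line(aces, a)}
            for a in aces}


if __name__ == "__main__":
    for line, info in analyse(SAMPLE).items():
        print(f"line {line}: {info}")
```

On the sample, line 34 is reported as optimized away with no earlier match (so it is the ACE the SSH flow really hits), line 40 stands on its own because its ftp-ssh range is wider than line 34's eq ssh, and line 42 is both merged (to line 48) and shadowed by line 34, which is why it can never accumulate a hit count of its own. When a service fails, compare the first_match line against 'show logging' or a capture rather than reading anything into the zeros on the shadowed lines.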
