Traffic Policing - counters to zero, ACL doesn't match

Jun 25th, 2010

Hi folks,

I have the following configuration

ip access-list extended ACL-LOG
 permit ip host x.x.x.x host y.y.y.y

class-map match-any LOG
 match access-group name ACL-LOG

policy-map Policy-A
 class LOG
  police 8000 conform-action transmit  exceed-action drop  violate-action drop
 class class-default
  random-detect dscp-based

interface Multilink1
 description A
 bandwidth 256
 ip address x.x.x.x/y
 ip tcp header-compression iphc-format
 no ip mroute-cache
 ip ospf message-digest-key 1 md5 7 XXXXXXXXXXX
 ppp multilink
 ppp multilink interleave
 ppp multilink group 1
 ppp multilink fragment delay 20
 crypto map XXX
 max-reserved-bandwidth 95
 service-policy output Policy-A
 ip rtp header-compression iphc-format

This policy map was working well and suddenly the ACL ceased to match packets so I have the following behavior:

Class-map: LOG (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name ACL-LOG
        0 packets, 0 bytes
        5 minute rate 0 bps
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; actions:
        exceeded 0 packets, 0 bytes; actions:
        violated 0 packets, 0 bytes; actions:
        conformed 0 bps, exceed 0 bps, violate 0 bps

I deleted the service policy from the interface, deleted the policy-map and class-maps, and then created them again, and the problem persists.

How can I solve this issue?
Thanks in advance for your help,
Edison Ortiz Sat, 06/26/2010 - 06:24

You have a crypto applied to the interface so the egress traffic may be leaving the router with an ESP header, not an IP header - hence no match.

Remove the crypto and see if you get the matches working again.
