When I do a sh access-list on a FWSM running 4.0(5), some of the ACE show a hitcount of * (hitcnt=*) instead of a number. What does that means?
You'll see the * when ACL optimization is enabled on the FWSM. The * indicates that the rule was merged with another rule(s) due to the optimization, which would make the hitcount for that specific rule inaccurate on its own.
Hope that helps.