I am working with a client who is using a Failover pair of Cisco ASA 5520 appliances. This morning I had been tasked with tweaking an ACL that they have attached to a WAN interface on the ASAs.
As I am watching the Hit counts on ASDM, I notice that ASDM does not seem to project an accurate number of hit counts on ACE statements that match. The reason I am saying this is because I have run several capture traces this morning on that interface, and the volume of traffic on the interface far exceeds that which ASDM shows.
An example would be an ACE that says "access-list itchy permit tcp host 192.168.1.239 host 192.168.101.21 eq 10566"
I am using this example because I see a huge amount of traffic that should qualify as "Hits" traversing the interface, but the hit count is much smaller than the traffic I am seeing.
Has anyone else ever witnessed this behavior in ASDM? I am wondering if ASDM only shows a representation or sampling of actual Hits, and therefore will never exactly match what the actual traffic load is...
Thanks for any input into this.
The ACL hits account for only the connection establishment packets (in case of TCP). So, if there were only 10 connections initiated from outside to that port on the ASA outside interface, you will see the hit count as 10. All future packets (after connection has been established) will be taken care of by the stateful inspection engine (they will bypass the
Hope this helps.
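To illustrate the point made in the answer above, here is an added example (my own, not the poster's and not the ASA's actual implementation): a simplified model of the ASA fast path in which only packets with no existing connection-table entry are evaluated against the ACL. The ACE, the connection keys and the sample traffic are constructed for the demonstration; the ACE mirrors the one in the question.

```python
from dataclasses import dataclass

# Hypothetical ACE mirroring the one in the question:
# access-list itchy permit tcp host 192.168.1.239 host 192.168.101.21 eq 10566
ACE = {"proto": "tcp", "src": "192.168.1.239", "dst": "192.168.101.21", "dport": 10566}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # first packet of a new TCP connection

def ace_matches(pkt: Packet, ace: dict) -> bool:
    return (pkt.proto == ace["proto"] and pkt.src == ace["src"]
            and pkt.dst == ace["dst"] and pkt.dport == ace["dport"])

def conn_key(pkt: Packet):
    # Direction-independent key so server replies map to the same connection.
    return (pkt.proto, *sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

def simulate(packets, ace=ACE) -> dict:
    """Simplified model of the ASA fast path: only packets with no existing
    conn-table entry are evaluated against the ACL and counted as hits."""
    conn_table = set()
    stats = {"packets": 0, "ace_hits": 0, "fast_path": 0, "dropped": 0}
    for pkt in packets:
        stats["packets"] += 1
        key = conn_key(pkt)
        if key in conn_table:
            stats["fast_path"] += 1  # stateful engine handles it, ACL bypassed
        elif pkt.syn and ace_matches(pkt, ace):
            stats["ace_hits"] += 1   # hit count increments once per connection
            conn_table.add(key)
        else:
            stats["dropped"] += 1    # no conn entry and no permit: implicit deny
    return stats

def sample_traffic():
    """Constructed traffic: three permitted connections (SYN + data both ways) and one stray SYN to port 22."""
    client, server, port = "192.168.1.239", "192.168.101.21", 10566
    pkts = []
    for sport in (40001, 40002, 40003):
        pkts.append(Packet("tcp", client, sport, server, port, syn=True))
        pkts += [Packet("tcp", client, sport, server, port)] * 2
        pkts += [Packet("tcp", server, port, client, sport)] * 2
    pkts.append(Packet("tcp", client, 40009, server, 22, syn=True))
    return pkts
```

Running `simulate(sample_traffic())` shows 16 packets crossing the interface but only 3 ACE hits, which is the gap between the capture and the ASDM hit count described in the question.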