ACL Hit Counts in ASDM do not seem to be accurate

Kevin Melton
Level 2

I am working with a client who is using a Failover pair of Cisco ASA 5520 appliances. This morning I had been tasked with tweaking an ACL that they have attached to a WAN interface on the ASAs.

As I am watching the Hit counts on ASDM, I notice that ASDM does not seem to project an accurate number of hit counts on ACE statements that match. The reason I am saying this is because I have run several capture traces this morning on that interface, and the volume of traffic on the interface far exceeds that which ASDM shows.

An example would be an ACE that says "access-list itchy permit tcp host 192.168.1.239 host 192.168.101.21 eq 10566"

I am using this example because I see a huge amount of traffic that should qualify as "Hits" traversing the interface, but the hit count is much smaller than the traffic I am seeing.

Has anyone else ever witnessed this behavior in ASDM? I am wondering if ASDM only shows a representation or sampling of actual Hits, and therefore will never exactly match what the actual traffic load is...

Thanks for any input into this.

Kevin

Accepted Solution

Nagaraja Thanthry
Cisco Employee

Hello,

The ACL hits account for only the connection establishment packets (in case of TCP). So, if there were only 10 connections initiated from outside to that port on the ASA outside interface, you will see the hit count as 10. All future packets (after connection has been established) will be taken care of by the stateful inspection engine (they will bypass the access-lists).

Hope this helps.

Regards,

NT
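To make the accepted answer concrete, here is an added Python model of the behaviour it describes; it is not Cisco's code, and it assumes a simplified one-direction connection table keyed by source IP, source port, destination IP and destination port, with the ACE from the original question as the only rule. The first packet of each new TCP session is checked against the ACL (and counted as a hit), while every later packet of an established session is forwarded by the connection table without touching the ACL.

```python
from dataclasses import dataclass, field

# The ACE quoted in the question; only this narrow syntax is parsed here.
ACE = "access-list itchy permit tcp host 192.168.1.239 host 192.168.101.21 eq 10566"


def parse_ace(line):
    """Parse 'access-list NAME permit|deny tcp host SRC host DST eq PORT' into a dict."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp" or t[4] != "host" or t[6] != "host" or t[8] != "eq":
        raise ValueError("unsupported ACE syntax: " + line)
    return {"action": t[2], "src": t[5], "dst": t[7], "dport": int(t[9]), "hitcnt": 0}


@dataclass
class StatefulFirewall:
    acl: list
    conns: set = field(default_factory=set)  # established flows (the conn table)
    forwarded: int = 0
    dropped: int = 0

    def packet(self, src, sport, dst, dport, syn=False):
        key = (src, sport, dst, dport)
        if key in self.conns:
            # Existing connection: fast path, the ACL is never consulted.
            self.forwarded += 1
            return "forwarded (existing conn)"
        if not syn:
            # No conn entry and not a connection attempt: the stateful engine drops it.
            self.dropped += 1
            return "dropped (no conn)"
        for ace in self.acl:
            if (ace["src"], ace["dst"], ace["dport"]) == (src, dst, dport):
                ace["hitcnt"] += 1  # counted once, on the connection-establishing packet
                if ace["action"] == "permit":
                    self.conns.add(key)
                    self.forwarded += 1
                    return "forwarded (new conn)"
                self.dropped += 1
                return "dropped (deny)"
        self.dropped += 1
        return "dropped (implicit deny)"


def simulate():
    """Constructed traffic: 3 TCP sessions of 100 packets each, plus one SYN from a host the ACE does not permit."""
    fw = StatefulFirewall(acl=[parse_ace(ACE)])
    for sport in (40001, 40002, 40003):
        fw.packet("192.168.1.239", sport, "192.168.101.21", 10566, syn=True)
        for _ in range(99):
            fw.packet("192.168.1.239", sport, "192.168.101.21", 10566)
    fw.packet("192.168.1.50", 40004, "192.168.101.21", 10566, syn=True)
    return fw.acl[0]["hitcnt"], fw.forwarded, fw.dropped
```

Running `simulate()` returns a hit count of 3 against 300 forwarded packets, which is the gap between the ASDM counter and a packet capture that the question describes.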

Thanks for your rapid response. I had been under the impression that any packet that matched would count as a hit. I did not realize that the Hit Counts were for connection establishment purposes only. That is very important to know.

Kevin
