0 hits on access rule in use

Eric Washington (Level 1)

Last week I disabled several rules on our ASA because the rules had 0 hits. Well, one of the rules needed to be re-enabled to allow a department access to an application. It works after re-enabling the rule, but I don't understand why I am not seeing any hits on the rule.

I want to clean up our access rules and I figured I could do away with the ones getting 0 hits. But if that isn't an indicator of whether the rule is in use or not, then what is?

10 Replies

Jouni Forss (VIP Alumni)

Hi,

I don't personally remember any occasion where a hitcount on an ACL would not have been a clear indicator of whether that rule was useful or not.

I am not sure if you are using ASDM; if you are, then there is naturally always the chance that it has something to do with ASDM. Perhaps a bug. For example, I have witnessed VPN counters on the ASDM that were incorrect and completely different compared to what the ASA was telling me on the CLI. Maybe updating the ASDM might be one step.

If you have confirmed these statistics from the CLI then it would seem a lot stranger.

I would imagine that you are talking about interface ACLs here only?

I only mention this because, for example, NAT0-related ACLs never get their hitcount increased even though they are in use all the time. So one idea would be to check if the disabled rule was actually in an ACL that was used for NAT0. As I said, NAT0 ACLs don't get any hitcounts even though they are in use.

I would also suggest you use the "packet-tracer" command on the CLI to simulate the traffic that should match this ACL rule.

The "packet-tracer" output should reference this ACL rule if it matches it (and nothing before that rule), and it should also increase the hitcount for that rule even though no real traffic might have come through the ASA.

Hope this helps

- Jouni

Hello Jouni!

Yes it is ASDM that I'm using. So how would I check the amount of hits the access rule receives from the CLI?

I went into ASDM, right clicked on the rule, and started the packet trace.

I get green check marks for capture, access-list, and route-lookup. The result is the packet is dropped with info saying:

(sp-security-failed) Slowpath security checks failed

Hi,

Well you can go to the CLI and use

This command to show all the ACLs

show access-list

This command to show a certain ACL (replace the placeholder with the ACL name)

show access-list <acl-name>

If you have a certain line number for the rule you can use this command, for example

show access-list | inc line #

Where # = number

You can also do these through the ASDM by going to

  • Tools
  • Command Line Interface
  • Enter the command to the field and send it to the device and it will print the CLI output for you

- Jouni

I just figured it out as you posted this haha. Thanks Jouni!

Is it possible that the rule doesn't show any hits because one of the destination IPs doesn't have any? Here is my output from the CLI:

WHQ-ASA-01/pri/act# sh access-list | i 153.69.200.107

  access-list inside_access_in line 205 extended permit tcp any range 1 65535 host 153.69.200.107 eq https (hitcnt=735) 0x1053b8b2

WHQ-ASA-01/pri/act# sh access-list | i 153.69.200.110

  access-list inside_access_in line 205 extended permit tcp any range 1 65535 host 153.69.200.110 eq https (hitcnt=0) 0x3027e0d8

Those are the two destinations in the rule and only one has hits.

Hi,

Notice that both rules have the same line number, 205.

This can only mean that they are part of an ACL rule/line that uses an "object-group". It seems that the destination IP addresses are defined under the "object-group network ".

This probably means that you have disabled the ACL rule/line at 205 which contains this actual "object-group network " and therefore you have removed a lot more rules than just the one with 0 hitcount.

Use the command

show access-list inside_access_in | inc line 205

and check what the "object-group" is that is used in the ACL rule at line 205.

If you want to remove the hosts with 0 hitcount THEN you will have to remove them from inside the "object-group" and NOT disable the whole ACL rule/line (which affects a lot more hosts).

Though you will have to make sure that this "object-group" is not used in any other configuration where removing one host under it might cause problems.

So it's starting to seem like the reason disabling a rule affected some application is because you disabled a single ACL rule that used an "object-group" to define multiple destination IP addresses, while you should have removed the IP addresses (the ones that are not getting a hitcount) from under the "object-group" rather than disable the whole rule.

- Jouni

Here is the rule

WHQ-ASA-01/pri/act# sh access-list | i inside_access_in line 205

access-list inside_access_in line 205 extended permit object https any object-group DM_INLINE_NETWORK_60 0xcfce8697

  access-list inside_access_in line 205 extended permit tcp any range 1 65535 host 153.69.200.107 eq https (hitcnt=735) 0x1053b8b2

  access-list inside_access_in line 205 extended permit tcp any range 1 65535 host 153.69.200.110 eq https (hitcnt=0) 0x3027e0d8

But I only disabled the rule because it showed a 0 hit count in ASDM, and it still continues to. But from the CLI we can actually see one of the IPs getting hits. So am I correct to think that the rule shows 0 hits in ASDM because there's a host in the rule's destination field not getting any hits?

Hi,

I edited the above reply a couple of times when you were probably already replying.

You can use the command

show run object-group id DM_INLINE_NETWORK_60

to view only the configuration related to that "object-group".

According to the above it does contain only 2 host IP addresses so the configuration is probably something like this

object-group network DM_INLINE_NETWORK_60

network-object host 153.69.200.107

network-object host 153.69.200.110

So in this case, if this "object-group" is not used anywhere else, you should be able to remove the IP that is not getting any hitcount with the following commands.

First go under the "object-group" configuration mode, then remove the single host address from there.

object-group network DM_INLINE_NETWORK_60

no network-object host 153.69.200.110

After this you should only see that one rule on the line 205 of the ACL.

- Jouni

Thanks again Jouni!

I know how to remove the host from the rule - that isn't the issue. I want to know if that host that isn't receiving hits is the reason that the entire rule doesn't show hits in ASDM.

So basically if I remove that one address that ends in .110, will ASDM begin to show hits on the rule since the .107 address is getting hits?

Hi,

I did a quick test on my own ASA through ASDM

I allowed ICMP from my LAN to 2 different hosts that are configured under an "object-group".

I only sent ICMP to one of the hosts in that "object-group" and the ASDM shows hitcounts for that

On the CLI it shows the following

access-list LAN-IN line 1 extended permit icmp any4 object-group DM_INLINE_NETWORK_1 (hitcnt=2) 0xc22fc6f8

  access-list LAN-IN line 1 extended permit icmp any4 host 1.1.1.1 (hitcnt=2) 0x31b7950c

  access-list LAN-IN line 1 extended permit icmp any4 host 2.2.2.2 (hitcnt=0) 0xc51d1507

I don't know if it's related to something in your ASDM or software. I personally am running quite new ASDM and ASA software levels at the moment.

- Jouni
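The thread's core point is that one ACL line using an object-group is expanded by the ASA into one entry per group member, all sharing the same line number, and that the rule as a whole is "in use" if any member has hits; pruning should then remove zero-hit members from the object-group, not disable the line. The script below is an added example (my own code, not Jouni's, Eric's, or Cisco's) that parses `show access-list` output in the two-level format pasted in this thread, totals hits per ACL line, and lists the zero-hit `host` members that are candidates for removal. It assumes the output layout shown above (unindented parent line, indented expanded entries, optional `(hitcnt=N)`, trailing hash); the sample input is constructed from the lines posted in the thread.

```python
import re
from collections import OrderedDict

# Constructed sample, assembled from the 'show access-list' lines pasted in this thread.
# The first parent line has no hitcnt field (as pasted by Eric); the second one does.
SAMPLE_OUTPUT = """\
access-list inside_access_in line 205 extended permit object https any object-group DM_INLINE_NETWORK_60 0xcfce8697
  access-list inside_access_in line 205 extended permit tcp any range 1 65535 host 153.69.200.107 eq https (hitcnt=735) 0x1053b8b2
  access-list inside_access_in line 205 extended permit tcp any range 1 65535 host 153.69.200.110 eq https (hitcnt=0) 0x3027e0d8
access-list LAN-IN line 1 extended permit icmp any4 object-group DM_INLINE_NETWORK_1 (hitcnt=2) 0xc22fc6f8
  access-list LAN-IN line 1 extended permit icmp any4 host 1.1.1.1 (hitcnt=2) 0x31b7950c
  access-list LAN-IN line 1 extended permit icmp any4 host 2.2.2.2 (hitcnt=0) 0xc51d1507
"""

# Leading whitespace marks an expanded (per-member) entry; hitcnt and hash are optional.
ACE_RE = re.compile(
    r"^(?P<indent>[ \t]*)access-list (?P<acl>\S+) line (?P<line>\d+) "
    r"(?P<body>.*?)(?: \(hitcnt=(?P<hits>\d+)\))?(?: (?P<hash>0x[0-9a-fA-F]+))?\s*$"
)
HOST_RE = re.compile(r"\bhost (\S+)")


def parse_show_access_list(text):
    """Group expanded entries under their parent ACL line, keyed by (acl, line)."""
    rules = OrderedDict()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ACE_RE.match(raw)
        if not m:
            continue  # not an ACE line (headers, remarks in other formats, etc.)
        key = (m["acl"], int(m["line"]))
        hits = int(m["hits"]) if m["hits"] is not None else None
        entry = {"body": m["body"], "hits": hits, "hash": m["hash"]}
        rule = rules.setdefault(key, {"parent": None, "children": []})
        if m["indent"]:
            rule["children"].append(entry)
        else:
            rule["parent"] = entry
    return rules


def summarize_rule(rule):
    """Total the hits for one ACL line and list its zero-hit host members."""
    children = rule["children"]
    if children:
        # Object-group line: the line's effective hitcount is the sum over members.
        total = sum(c["hits"] or 0 for c in children)
        unused = [c for c in children if not c["hits"]]
    else:
        # Plain line with no expansion: use the line's own counter.
        parent = rule["parent"]
        total = (parent["hits"] or 0) if parent else 0
        unused = []
    # 'host' tokens (source or destination) of zero-hit members; these are what
    # you would remove from the object-group instead of disabling the line.
    unused_hosts = [h for c in unused for h in HOST_RE.findall(c["body"])]
    if total == 0:
        status = "no-hits"
    elif unused:
        status = "partially-used"
    else:
        status = "in-use"
    return {"total_hits": total, "status": status, "unused_hosts": unused_hosts}


def audit(text):
    """Map 'ACL line N' -> summary for every ACL line in the output."""
    return {
        f"{acl} line {line}": summarize_rule(rule)
        for (acl, line), rule in parse_show_access_list(text).items()
    }


if __name__ == "__main__":
    for name, info in audit(SAMPLE_OUTPUT).items():
        print(f"{name}: {info['status']} (hitcnt total {info['total_hits']})")
        for host in info["unused_hosts"]:
            print(f"  zero-hit member, candidate for removal from the object-group: {host}")
```

Run it against a saved `show access-list` capture instead of `SAMPLE_OUTPUT` to get the per-line view; a line reported as `partially-used` is the case from this thread, where the rule must stay but individual members may be pruned (after confirming, as Jouni notes, that the object-group is not referenced elsewhere). A line reported as `no-hits` is still not proof that it is unused: the thread points out that NAT0 ACLs never increment their counters.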
