Cisco Support Community
Community Member

ASDM may show no ACL hitcounts for active access-lists

Hi everyone,

I'm hoping someone may be able to help with a frustrating issue.

We have a pair of ASAs with IPS modules and we are running ASA software 8.3.1 and ASDM 6.3.1. The problem I am seeing is that ASDM is showing a zero hit count for active rules.

Using the log viewer there are hits that should be matching the rules and if I issue the show access-list command for the list the hit counts are incrementing correctly. Also if I disable the rules in the firewall config screen the traffic is then blocked so I know the rule's active but the hit count remains stubbornly '0'.

When I try to view the rule from the syslog viewer line by right clicking and selecting 'Show Access Rule' I get an error message about not being able to find the rule 'The hash code that identifies the rule can not be found'.  If I right click the rule on the firewall config page and select 'show log'  the filter that's created uses a different hash code to that shown in the CLI for the access list entry.  If I search the CLI output for the hash code ASDM uses it doesn't exist.

Is there any way of refreshing the hash codes in ASDM? I've tried clearing the cache and reloading ASDM on my PC but to no avail. There are several rules displaying this behaviour, and it means we have to trawl through hundreds of lines of 'show access-list' output to find any obsolete rules or troubleshoot, as we can't rely on the ASDM hit count.

The only references to this I can find on the Cisco website are for CSCsl15055 which is a 'resolved caveat' and only applies to ASDM 6.0.2 which we don't have.

Thanks in advance,

Zac
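While the ASDM counters cannot be trusted, the CLI output the post describes can be filtered by script instead of read by hand. The sketch below is an added example, not part of the original posts and not a Cisco tool: it parses saved 'show access-list' output, lists active ACEs whose hit count is zero, and looks up an ACE by the hash code ASDM reports. The sample output, ACL name, addresses and hash values are constructed, and the line format is assumed to match what the ASA prints.

```python
import re

# Constructed sample of "show access-list" output; names, addresses and hashes are made up.
SAMPLE = """\
access-list outside_in; 4 elements; name hash: 0x1f2e3d4c
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=1532) 0x6f8a1c2e
access-list outside_in line 2 extended permit tcp any object-group WEB eq https (hitcnt=0) 0x0b7d44a1
  access-list outside_in line 2 extended permit tcp any host 192.0.2.11 eq https (hitcnt=0) 0x9c31e5f0
access-list outside_in line 3 remark legacy FTP server
access-list outside_in line 4 extended permit tcp any host 192.0.2.20 eq ftp (hitcnt=0) (inactive) 0x33aa90de
access-list outside_in line 5 extended deny ip any any log (hitcnt=87) 0xd4c2b719
"""

# One ACE per line: optional indent (object-group expansion), ACL name, line number,
# rule text, hit count, optional "(inactive)" marker, then the per-ACE hash code.
ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) "
    r"(?P<rule>.*?) \(hitcnt=(?P<hits>\d+)\)(?P<inactive> \(inactive\))? "
    r"(?P<hash>0x[0-9a-fA-F]+)\s*$"
)

def parse_aces(text):
    """Return one dict per ACE; header and remark lines carry no hitcnt and are skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue
        aces.append({
            "acl": m["acl"], "line": int(m["line"]), "rule": m["rule"],
            "hits": int(m["hits"]), "hash": m["hash"].lower(),
            "inactive": m["inactive"] is not None,
            "expanded": bool(m["indent"]),  # indented = expanded object-group member
        })
    return aces

def zero_hit(aces):
    """Configured (not expanded), active ACEs that have never matched traffic."""
    return [a for a in aces
            if a["hits"] == 0 and not a["expanded"] and not a["inactive"]]

def find_by_hash(aces, code):
    """ACEs whose CLI hash equals the code ASDM shows; empty list means a mismatch."""
    return [a for a in aces if a["hash"] == code.lower()]

if __name__ == "__main__":
    aces = parse_aces(SAMPLE)
    for a in zero_hit(aces):
        print(f'{a["acl"]} line {a["line"]}: {a["rule"]} [{a["hash"]}]')
    print(find_by_hash(aces, "0xD4C2B719") or "hash not present in CLI output")
```

Treat a zero-hit result as a candidate for review rather than proof that a rule is obsolete, since counters restart after a reload or a 'clear access-list counters'.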

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ASDM may show no ACL hitcounts for active access-lists

Zac,

You may be hitting bug ID CSCtg95077.  You can reference the details of this bug here:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Seemingly, this bug should be resolved in 8.3(1)8.  Let me know if this is indeed a match and mark this post as answered.

Hope this helps!

Best Regards,

Kevin

6 REPLIES

Community Member

Re: ASDM may show no ACL hitcounts for active access-lists

Many thanks Kevin. It would appear to be a match, so let's hope it is fixed in 8.3(1)8.

Zac

Community Member

Re: ASDM may show no ACL hitcounts for active access-lists

I seem to be having the same problem.  The bug ID you mentioned claims to be fixed in 8.3(2), which is the ASA version I'm using along with ASDM 6.3(4).  Also, I'm seeing many hit counts sitting at zero (that I know should be increasing), but there are just as many that are incrementing as expected.  Any ideas?  Thanks.

Community Member

Re: ASDM may show no ACL hitcounts for active access-lists

"I seem to be having the same problem.  The bug ID you mentioned claims to be fixed in 8.3(2), which is the ASA version I'm using along with ASDM 6.3(4).  Also, I'm seeing many hit counts sitting at zero (that I know should be increasing), but there are just as many that are incrementing as expected.  Any ideas?  Thanks."

Hello Russell,

I have faced a similar problem in the past. What I did was delete the access line rule for which I was not getting any hit counts, and below that I created a new access rule and enabled logging on it. After the rule push, it appears that I can see the hit counter increment.

Can you perform the same step and let us know your results?

- Jigar

Community Member

Re: ASDM may show no ACL hitcounts for active access-lists

Yes, deleting and re-creating the rule causes the hit count to function properly.

Community Member

Re: ASDM may show no ACL hitcounts for active access-lists

We upgraded to 8.3(2) & ASDM 6.3(3) and the issue was solved. We haven't tried ASDM 6.3(4) so can't comment on that, but I have noticed that 6.3(5) is now available.
