Cisco Support Community
New Member

Hit count is not seen on an access-list

Show access-list command

access-list incoming line 3 extended permit ip object-group test object-group test1 log informational interval 300

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Hit count is not seen on an access-list

Yes it should show the hit count, even if 0. The only thing that doesn't show a hit count is the object-group line as this is expanded below to show the individual entries.

So (and forgive me if this misses the point) you may be looking at the wrong line in the command results. An example of what I would have expected is below - if your output doesn't match it then I would be interested to see the relevant snippets of your config and 'show' output.

object-group service WEBPORTS tcp

port-object eq 80

port-object eq 443

access-list incoming permit tcp any any object-group WEBPORTS

show access-list incoming

...would show something along the lines of.

access-list incoming line 1 permit tcp any any object-group WEBPORTS

access-list incoming line 1 permit tcp any any eq http (hitcnt=0)

access-list incoming line 1 permit tcp any any eq https (hitcnt=0)
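
The following Python parser is an added example, not part of the original thread or any Cisco tooling. It groups 'show access-list' output by ACL line, treats a line with no (hitcnt=...) as the object-group line described above, and reports hit counts for the expanded entries; the sample output, its hit counts, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format quoted in the answer; hit counts are invented.
SAMPLE = """\
access-list incoming line 1 permit tcp any any object-group WEBPORTS
access-list incoming line 1 permit tcp any any eq http (hitcnt=0)
access-list incoming line 1 permit tcp any any eq https (hitcnt=17)
access-list incoming line 2 permit tcp any host 192.0.2.10 eq ssh (hitcnt=0)
"""

LINE_RE = re.compile(r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<num>\d+)\s+(?P<rule>.+)$")
HIT_RE = re.compile(r"\(hitcnt=(?P<hits>\d+)\)")


def parse_show_access_list(text):
    """Group output lines by (ACL name, line number)."""
    rules = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header or blank lines
        rule = rules.setdefault((m["acl"], int(m["num"])), {"parent": None, "entries": []})
        hit = HIT_RE.search(m["rule"])
        if hit is None:
            # No counter on this line: the configured object-group line.
            rule["parent"] = m["rule"].strip()
        else:
            ace = m["rule"][:hit.start()].strip()
            rule["entries"].append((ace, int(hit["hits"])))
    return rules


def summarize(rules):
    """Per configured line: total hits and the expanded entries never matched."""
    report = []
    for (acl, num), rule in sorted(rules.items()):
        report.append({
            "acl": acl,
            "line": num,
            "config": rule["parent"] or rule["entries"][0][0],
            "total_hits": sum(h for _, h in rule["entries"]),
            "unused": [ace for ace, h in rule["entries"] if h == 0],
        })
    return report


if __name__ == "__main__":
    for row in summarize(parse_show_access_list(SAMPLE)):
        print(row)
```
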

4 REPLIES
New Member

Re: Hit count is not seen on an access-list

Hello Kr,

If you're using show access-list xxx and not seeing a hit count then the simple answer is likely to be that the packets are not matching the access-list entry.

Is NAT involved? Perhaps the source or destination address is not as you would expect.

New Member

Re: Hit count is not seen on an access-list

Hi,

At least it should show hitcount=0, right?

New Member

Re: Hit count is not seen on an access-list

Thanks for the information!!!
