New Member

Hits seen in Top 10 Access Rules but not in CLI

ASA Version: 8.2(2)

ASDM Version: 6.2(5)

Device Type ASA 5510

I see hits in the "Top 10 Access Rules" but see nothing in the "Access Rules" page and the CLI. Does this look like a bug or am I missing something? Thanks in advance!

Top 10 Access Rules show hits, e.g. for rules 177, 189, and 190.

img1.png

The Access Rules page in ASDM does not show any hits but has "Top 10" marked.

img2.png

The CLI shows no hits for rule 177:

MyASA# show access-list | include 177

access-list outside_access_in line 177 extended permit object-group TCPUDP object-group MyName object-group ActiveDirectoryServers object-group ActiveDirectory 0x0a4449d8

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 389 (hitcnt=0) 0xa44bd570

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 445 (hitcnt=0) 0x4c0d225b

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 88 (hitcnt=0) 0xda11f206

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq domain (hitcnt=0) 0xadb35eeb

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq ntp (hitcnt=0) 0x54e1942c

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 3268 (hitcnt=0) 0x4815484d

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 135 (hitcnt=0) 0x4ee5e504

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 range 1025 1026 (hitcnt=0) 0x78c1a00a

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq www (hitcnt=0) 0x547c7f3f

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 139 (hitcnt=0) 0x675a8434

  access-list outside_access_in line 177 extended permit udp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 range 49152 49200 (hitcnt=0) 0x041ee127

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq ldap (hitcnt=0) 0xefd4becb

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 445 (hitcnt=0) 0x22c6df99

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 88 (hitcnt=0) 0x6c69d270

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq domain (hitcnt=0) 0x958ad172

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 123 (hitcnt=0) 0x004630da

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 3268 (hitcnt=0) 0x3b13d00e

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq 135 (hitcnt=0) 0x98307d89

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 range 1025 1026 (hitcnt=0) 0xd1d12d12

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq www (hitcnt=0) 0x46d6d2ed

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 eq netbios-ssn (hitcnt=0) 0x20a6e7bf

  access-list outside_access_in line 177 extended permit tcp 10.14.7.0 255.255.255.0 10.100.100.0 255.255.255.0 range 49152 49200 (hitcnt=0) 0x15dbf9ad

19 REPLIES
VIP Green

Hits seen in Top 10 Access Rules but not in CLI

This does sound a lot like a bug, though I have not been able to find any bug reports about it.  If it is an option, try upgrading the ASA and ASDM to a slightly newer version.

--

Please remember to rate and select a correct answer
VIP Green

Hits seen in Top 10 Access Rules but not in CLI

Were you able to upgrade the ASA and ASDM? Did this solve the issue?

Please rate any helpful posts.

Silver

Hits seen in Top 10 Access Rules but not in CLI

https://tools.cisco.com/bugsearch/bug/CSCtj67289/?reffering_site=dumpcr

Please update your ASDM version to 7.1.4

Value our effort and rate the assistance!
Silver

Hits seen in Top 10 Access Rules but not in CLI

Please rate the assistance

VIP Green

Hits seen in Top 10 Access Rules but not in CLI

Do you still require assistance with this ticket?  If not please rate all helpful posts

Silver

Hits seen in Top 10 Access Rules but not in CLI

Help is for free then we need you to rate the assistance.

Silver

Hits seen in Top 10 Access Rules but not in CLI

Help is for free but we need you to rate the assistance.

New Member

Hits seen in Top 10 Access Rules but not in CLI

Hello. My apologies for the delay. I was off work for a few days. Just got back into the office today. Please give me some time to read/research the replies. I will add my ratings.

New Member

Hits seen in Top 10 Access Rules but not in CLI

Bug CSCsl30904 matches up with what I see.

Bug CSCtj67289 does not match up with my issue.

I will install the new ASDM 7.1.4 in the next few days and provide an update.

New Member

Hits seen in Top 10 Access Rules but not in CLI

Bug CSCsl30904 shows Known Fixed Releases: 6.0(3.50) and 6.1(0.35). I am on ASA Version: 8.2(2) and ASDM Version: 6.2(5).

I will upgrade the ASDM version to 7.1.4, but I think this requires an ASA upgrade to truly fix, as I am seeing the same zero counters in the CLI.

VIP Green

Hits seen in Top 10 Access Rules but not in CLI

Let us know how it goes.

--

Please rate all helpful posts

New Member

Re: Hits seen in Top 10 Access Rules but not in CLI

This functionality is still broken in ASA 8.3(2) and ASDM 7.1(4). The Access Rules hits are still showing 0, but the Top 10 shows valid hits. The CLI also shows 0 hits.

http://i.imgur.com/aIrBJuB.png

http://i.imgur.com/7WNNGUb.png

access-list outside_access_in line 29 extended permit ip object-group SaabTestASA object-group Q-LAN 0x5cc09292

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.100.0.0 255.255.0.0 (hitcnt=0) 0x688c7eb7

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 172.20.1.0 255.255.255.0 (hitcnt=0) 0x0e1cdb8a

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.40.40.0 255.255.255.0 (hitcnt=0) 0x32c8018e

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.130.0.0 255.255.0.0 (hitcnt=0) 0xdc32b863

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.140.0.0 255.255.0.0 (hitcnt=0) 0x88bbd947

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.150.0.0 255.255.0.0 (hitcnt=0) 0x1c21f374

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 172.16.125.0 255.255.255.0 (hitcnt=0) 0x5cc1b4df

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 130.94.124.0 255.255.255.192 (hitcnt=0) 0xf60a4f68

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.120.0.0 255.255.0.0 (hitcnt=0) 0x9af079b2

New Member

Hits seen in Top 10 Access Rules but not in CLI

I will proceed to try 8.4 and 9.1 in the next few days or weeks. Hopefully the newer releases give me better results.

Happy Holidays to everyone!

Hits seen in Top 10 Access Rules but not in CLI

Please avoid the 8.3 track (that's really buggy).

Let us know the result while being on 8.4 or 9.

Any questions you have contact me directly at julio17carvajal@hotmail.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Hits seen in Top 10 Access Rules but not in CLI

This functionality is still broken in ASA 8.4(7) and ASDM 7.1(4).

http://i.imgur.com/1bNJpfZ.png

http://i.imgur.com/fdwetgb.png

# show access-list | include access-list outside_access_in line 29

access-list outside_access_in line 29 extended permit ip object-group SaabTestASA object-group Q-LAN 0x5cc09292

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.100.0.0 255.255.0.0 (hitcnt=0) 0x688c7eb7

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 172.20.1.0 255.255.255.0 (hitcnt=0) 0x0e1cdb8a

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.40.40.0 255.255.255.0 (hitcnt=0) 0x32c8018e

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.130.0.0 255.255.0.0 (hitcnt=0) 0xdc32b863

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.140.0.0 255.255.0.0 (hitcnt=0) 0x88bbd947

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.150.0.0 255.255.0.0 (hitcnt=0) 0x1c21f374

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 172.16.125.0 255.255.255.0 (hitcnt=0) 0x5cc1b4df

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 130.94.124.0 255.255.255.192 (hitcnt=0) 0xf60a4f68

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.120.0.0 255.255.0.0 (hitcnt=0) 0x9af079b2

New Member

Re: Hits seen in Top 10 Access Rules but not in CLI

I will try 9.x next week. Hopefully it gives better results.

New Member

Re: Hits seen in Top 10 Access Rules but not in CLI

This functionality is still broken in ASA 9.1(3) and ASDM 7.1(5)100. The Top 10 Access Rules shows a hit count, but the Firewall Access Rules still show a 0 hit count (even though the Top 10 is marked in red). The CLI shows the same thing.

http://i.imgur.com/eGfc8kF.png

http://i.imgur.com/zvEnuUF.png

http://i.imgur.com/eYP3hwL.png

(config)# show access-list | include access-list outside_access_in line 29

access-list outside_access_in line 29 extended permit ip object-group SaabTestASA object-group Q-LAN (hitcnt=0) 0x5cc09292

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.100.0.0 255.255.0.0 (hitcnt=0) 0x688c7eb7

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 172.20.1.0 255.255.255.0 (hitcnt=0) 0x0e1cdb8a

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.40.40.0 255.255.255.0 (hitcnt=0) 0x32c8018e

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.130.0.0 255.255.0.0 (hitcnt=0) 0xdc32b863

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.140.0.0 255.255.0.0 (hitcnt=0) 0x88bbd947

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.150.0.0 255.255.0.0 (hitcnt=0) 0x1c21f374

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 172.16.125.0 255.255.255.0 (hitcnt=0) 0x5cc1b4df

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 130.94.124.0 255.255.255.192 (hitcnt=0) 0xf60a4f68

  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.120.0.0 255.255.0.0 (hitcnt=0) 0x9af079b2

New Member

Re: Hits seen in Top 10 Access Rules but not in CLI

To sum it up:

I have tested and reproduced this issue in the following releases of ASA and ASDM:

  • ASA 8.2(2) and ASDM 6.2(5)
  • ASA 8.3(2) and ASDM 7.1(4)
  • ASA 8.4(7) and ASDM 7.1(4)
  • ASA 9.1(3) and ASDM 7.1(5)100

Is there any further testing that can be done, or does this indeed sound like a bug that should be fixed by Cisco?
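
Added example, not part of the thread and not Cisco code: a parser for the `show access-list` output quoted above that totals hit counts per ACL line and flags rules where a separately recorded ASDM "Top 10" figure disagrees. It assumes expanded object-group entries are the indented lines; the function names, the line 30 entry and the GUI counts are constructed for illustration.

```python
import re
from collections import defaultdict

# One line of "show access-list" output: optional indent (expanded ACE),
# ACL name, line number, optional (hitcnt=N), trailing rule hash.
ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r".*?(?:\s+\(hitcnt=(?P<hits>\d+)\))?\s+0x[0-9a-fA-F]+\s*$"
)

def summarize(output):
    """Return {(acl, line): {"aces", "hits", "parent_hits"}} from CLI text."""
    rules = defaultdict(lambda: {"aces": 0, "hits": 0, "parent_hits": None})
    for raw in output.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue  # prompts, blank lines, anything that is not an ACE
        rule = rules[(m["acl"], int(m["line"]))]
        hits = int(m["hits"]) if m["hits"] is not None else None
        if m["indent"]:   # assumption: indented line = expanded ACE
            rule["aces"] += 1
            rule["hits"] += hits or 0
        else:             # the rule as configured (may carry no hitcnt)
            rule["parent_hits"] = hits
    return dict(rules)

def cli_total(rule):
    """CLI hit count for a rule: sum of its expanded ACEs, else its own."""
    return rule["hits"] if rule["aces"] else (rule["parent_hits"] or 0)

def mismatches(summary, gui_hits):
    """(rule, gui_count, cli_count) where the GUI figure differs from the CLI."""
    return sorted(
        (key, gui, cli_total(summary[key]))
        for key, gui in gui_hits.items()
        if key in summary and gui != cli_total(summary[key])
    )

# Line 29 entries are copied from the thread; line 30 is constructed.
SAMPLE = """\
access-list outside_access_in line 29 extended permit ip object-group SaabTestASA object-group Q-LAN 0x5cc09292
  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 10.100.0.0 255.255.0.0 (hitcnt=0) 0x688c7eb7
  access-list outside_access_in line 29 extended permit ip 10.140.50.0 255.255.255.0 172.20.1.0 255.255.255.0 (hitcnt=0) 0x0e1cdb8a
access-list outside_access_in line 30 extended permit tcp any host 192.0.2.10 eq www (hitcnt=12) 0x00000001
"""
# Constructed stand-in for counts read off the ASDM Top 10 panel.
GUI_TOP10 = {("outside_access_in", 29): 57, ("outside_access_in", 30): 12}

if __name__ == "__main__":
    for key, gui, cli in mismatches(summarize(SAMPLE), GUI_TOP10):
        print(f"{key[0]} line {key[1]}: GUI={gui} CLI={cli}")
```

Running the same comparison on captures taken before and after an upgrade gives a repeatable record of whether the counters diverge on each release.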
