Cisco Support Community
Community Member

How does a Cisco ASA increment an ACL's hit counts in ACEs using object-groups vs. the expanded ACE entries?

I have a Cisco ASA 5510 running ASA version 9.1(4) and the following ACE when expanded shows a "0 hit count" ACL line that is expanded to ACEs that have hit counts. Is this a bug???

access-list outside_acl line 1 extended permit object-group OG-SIP_SVCS 1.1.1.1 255.255.255.255 object obj-inside-ip (hitcnt=0) 0x0fb61f6b 
  access-list outside_acl line 1 extended permit tcp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq sip (hitcnt=0) 0x5f1e7341 
  access-list outside_acl line 1 extended permit udp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq sip (hitcnt=3459) 0x80891f5c 
  access-list outside_acl line 1 extended permit tcp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq 5061 (hitcnt=0) 0x16e45ad0 

 

 

1 REPLY
VIP Purple

I would consider that a bug. On my ACLs I often see the hitcount of the first line as the overall hitcount, but sometimes it doesn't match at all. So it's best to only look at the individual ACE-counters.

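One way to audit a firewall for the mismatch discussed in this thread, as an added example that is not part of the original posts: the script parses `show access-list` output and compares each object-group line's counter with the counters of its expanded ACEs. It assumes expanded ACEs are the indented lines sharing the parent's ACL name and line number, and that a consistent parent counter would equal the sum of its ACE counters; `audit_hit_counts` is a hypothetical helper name.

```python
import re

HITCNT = re.compile(r"\(hitcnt=(\d+)\)")
ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+line\s+(\d+)\s")

# `show access-list` output quoted from the question above.
SAMPLE = """\
access-list outside_acl line 1 extended permit object-group OG-SIP_SVCS 1.1.1.1 255.255.255.255 object obj-inside-ip (hitcnt=0) 0x0fb61f6b
  access-list outside_acl line 1 extended permit tcp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq sip (hitcnt=0) 0x5f1e7341
  access-list outside_acl line 1 extended permit udp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq sip (hitcnt=3459) 0x80891f5c
  access-list outside_acl line 1 extended permit tcp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq 5061 (hitcnt=0) 0x16e45ad0
"""


def audit_hit_counts(show_output):
    """Compare each parent ACL line's hitcnt with the sum of its expanded ACEs.

    Assumption: an indented line is an expanded ACE of the unindented line
    that carries the same ACL name and line number.
    """
    groups = {}
    for raw in show_output.splitlines():
        hit = HITCNT.search(raw)
        ident = ACL_LINE.match(raw.strip())
        if not (hit and ident):
            continue  # remarks, headers, blank lines
        key = (ident.group(1), int(ident.group(2)))
        entry = groups.setdefault(key, {"parent": None, "aces": []})
        if raw[:1].isspace():
            entry["aces"].append(int(hit.group(1)))
        else:
            entry["parent"] = int(hit.group(1))

    report = []
    for (acl, line), entry in groups.items():
        if not entry["aces"]:
            continue  # line has no object-group expansion, nothing to compare
        ace_sum = sum(entry["aces"])
        report.append({"acl": acl, "line": line, "parent": entry["parent"],
                       "ace_sum": ace_sum,
                       "consistent": entry["parent"] == ace_sum})
    return report


if __name__ == "__main__":
    for row in audit_hit_counts(SAMPLE):
        flag = "ok" if row["consistent"] else "MISMATCH"
        print(f"{row['acl']} line {row['line']}: parent={row['parent']} "
              f"sum(ACEs)={row['ace_sum']} {flag}")
```

Lines flagged as mismatched are the ones where rule-usage decisions (for example, pruning "unused" rules) should rely on the per-ACE counters rather than the parent line.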