Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
887
Views
0
Helpful
1
Replies

how does a cisco asa increment an acl's hit counts in aces using object-groups vs. the expanded ace entries?

Cody Hartley
Level 1
Level 1

‎09-19-2014 02:16 PM - edited ‎03-11-2019 09:47 PM

I have a cicso asa 5510 running ASA version 9.1(4) and the following ACE when expanded shows a "0 hit count" acl line that is expanded to ace's that have hit counts. Is this a bug???

access-list outside_acl line 1 extended permit object-group OG-SIP_SVCS 1.1.1.1 255.255.255.255 object obj-inside-ip (hitcnt=0) 0x0fb61f6b 
  access-list outside_acl line 1 extended permit tcp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq sip (hitcnt=0) 0x5f1e7341 
  access-list outside_acl line 1 extended permit udp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq sip (hitcnt=3459) 0x80891f5c 
  access-list outside_acl line 1 extended permit tcp 1.1.1.1 255.255.255.255 host 192.168.1.1 eq 5061 (hitcnt=0) 0x16e45ad0 

 

 

Labels:
0 Helpful
1 Reply 1

Karsten Iwen
VIP
VIP

‎09-19-2014 03:36 PM

I would consider that a bug. On my ACLs I often see the hitcount of the first line as the overall hitcount, but sometimes it doesn't match at all. So it's best to only look at the individual ACE-counters.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card