Cisco Support Community

New Member

Decipher ASA ACL Hex ID in Syslog

There is a hex id in ASA syslogs that corresponds to which ACL or ACE line generated the log entry. I know that ASDM uses it, but I want to know how to decipher it for use with other apps.

Anyone figure it out?

See examples below:

%ASA-3-106100: access-list OUTSIDE permitted tcp Outside_VLAN_240/ -> Inside_VLAN_248/SERVER1(80) hit-cnt 1 first hit [0xf2412831, 0xc45cf9c2]

%ASA-3-106100: access-list OUTSIDE permitted tcp Outside_VLAN_240/ -> Inside_VLAN_248/SERVER2(8008) hit-cnt 1 first hit [0x83e69c8, 0xee877a0]


Re: Decipher ASA ACL Hex ID in Syslog

In the syslog entry, there are two hashes. The first one points to the configured ACE which is the ACE that appears in the "show running-config" output. The second one points to the ACE that is expanded if the configured ACE uses object groups. It will be "0x0" if the ACE does not use object groups. But still it won't be possible to use this with some other application.

New Member

Re: Decipher ASA ACL Hex ID in Syslog

What I mean by other apps is a log viewer, and I would like to know which ACL or ACE put the entry in the log. You think there is no way to do this?

New Member

Re: Decipher ASA ACL Hex ID in Syslog

I found out how to do it. Here it is:

So let's say a system administrator comes to me and says “I have a new server that needs to send print jobs to a print queue and it's not working. My old server is working though.”

What I want to know is, “What is the rule that allows the old server to work?” so I can add the new server to that rule.

When I look through my syslog server for the “old server”, which has the IP address of, I find this:

“%ASA-3-106100: access-list IN_ACL permitted tcp Inside_VLAN/ -> Outside_VLAN/ hit-cnt 1 first hit [0xa00e0f20, 0xb4d3bb50]”

So now I know the ACL line with the hex id “0xa00e0f20” is the line that allowed the packet through.

So I go to my firewall and run the command:

“show access-list | include 0xa00e0f20”

I get the following output:

“access-list IN_ACL line 2 extended permit tcp object-group PRINT_SERVERS object-group ALL_PRINTERS object-group PRINTING_SERVICES log errors interval 300 0xa00e0f20”

I now know that IN_ACL line 2 permitted the traffic and I know that I need to add the new server to the PRINT_SERVERS object.

Alternatively, using the second hex id, you can find the actual ACE that permitted the traffic too:

FIREWALL#show access-list | include 0xb4d3bb50

access-list IN_ACL line 2 extended permit tcp host eq 9100 log errors interval 300 (hitcnt=17803762) 0xb4d3bb50

With this method, you can have many ACL lines and still locate the exact line that is permitting or denying traffic.
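As an added example (not from the thread, from Cisco, or from any of the posters), here is a Python script that automates the lookup described in this post and the earlier reply about the two hash codes, so a log viewer can do what the OP asked for. It parses %ASA-x-106100 lines, extracts both hash IDs, and resolves them against saved "show access-list" output: the first hash to the configured ACE (the one in the running config) and the second to the object-group expansion, with 0x0 meaning no expansion. All syslog lines, addresses (RFC 5737 documentation ranges) and most ACE lines are constructed for the example; only the hash IDs 0xa00e0f20 and 0xb4d3bb50 and the IN_ACL line 2 text come from the thread. Hashes are compared as integers because the ASA prints them without leading zeros (see 0x83e69c8 in the original question). A lookup miss is reported as unresolved rather than guessed, since it usually means the ACE was edited or removed after the message was logged.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample syslog lines (addresses are RFC 5737 documentation ranges).
# The severity digit varies with the configured logging level, so it is not hard-coded.
SYSLOG_LINES = [
    "%ASA-3-106100: access-list IN_ACL permitted tcp Inside_VLAN/192.0.2.10(51234) -> "
    "Outside_VLAN/198.51.100.20(9100) hit-cnt 1 first hit [0xa00e0f20, 0xb4d3bb50]",
    # Denied by a plain ACE without object groups: second hash is 0x0.
    "%ASA-3-106100: access-list IN_ACL denied tcp Inside_VLAN/192.0.2.11(51235) -> "
    "Outside_VLAN/198.51.100.20(9100) hit-cnt 1 first hit [0x1b2c3d4e, 0x0]",
]

# Constructed excerpt of "show access-list" output. Indented lines are the object-group
# expansion of the configured line above them. Hashes on the IN_ACL line 2 entries are
# the ones quoted in the thread; everything else is made up for the example.
SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list IN_ACL; 5 elements; name hash: 0x0c1d2e3f
access-list IN_ACL line 1 extended permit udp any any eq domain (hitcnt=5) 0x11223344
access-list IN_ACL line 2 extended permit tcp object-group PRINT_SERVERS object-group ALL_PRINTERS object-group PRINTING_SERVICES log errors interval 300 0xa00e0f20
  access-list IN_ACL line 2 extended permit tcp host 192.0.2.10 host 198.51.100.20 eq 9100 log errors interval 300 (hitcnt=17803762) 0xb4d3bb50
  access-list IN_ACL line 2 extended permit tcp host 192.0.2.12 host 198.51.100.20 eq 9100 log errors interval 300 (hitcnt=3) 0xdeadbeef
access-list IN_ACL line 3 extended deny ip any any log errors interval 300 (hitcnt=42) 0x1b2c3d4e
"""

# 106100 format: access-list <acl> {permitted|denied|est-allowed} <proto> <src> -> <dst>
# hit-cnt <n> (first hit | N-second interval) [<configured_hash>, <expanded_hash>]
SYSLOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src>\S+) -> (?P<dst>\S+) hit-cnt (?P<hits>\d+) .*?"
    r"\[(?P<cfg_hash>0x[0-9a-fA-F]+), (?P<exp_hash>0x[0-9a-fA-F]+)\]"
)

# One ACE line of "show access-list": optional indent, "line N", body, trailing hash.
# Header and remark lines carry no "line N ... 0x..." pair and are skipped.
ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) "
    r"(?P<text>.*?)\s+(?P<hash>0x[0-9a-fA-F]+)\s*$"
)


@dataclass
class Ace:
    acl: str
    line: int
    text: str        # ACE as printed, minus the trailing hash
    expanded: bool   # True for an indented object-group expansion line


def parse_show_access_list(output: str) -> Dict[int, Ace]:
    """Index every ACE by the integer value of its hash (leading zeros do not matter)."""
    table: Dict[int, Ace] = {}
    for raw in output.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue
        table[int(m["hash"], 16)] = Ace(
            acl=m["acl"], line=int(m["line"]), text=m["text"].strip(),
            expanded=bool(m["indent"]),
        )
    return table


def explain(syslog_line: str, table: Dict[int, Ace]) -> Optional[dict]:
    """Resolve both hash codes of a 106100 message to ACE text; None if not a 106100 line."""
    m = SYSLOG_RE.search(syslog_line)
    if not m:
        return None
    configured = table.get(int(m["cfg_hash"], 16))
    exp_id = int(m["exp_hash"], 16)
    expanded = None if exp_id == 0 else table.get(exp_id)  # 0x0: ACE uses no object groups
    return {
        "acl": m["acl"],
        "action": m["action"],
        "flow": f"{m['proto']} {m['src']} -> {m['dst']}",
        "line": configured.line if configured else None,
        "configured": configured.text if configured else None,
        "expanded": expanded.text if expanded else None,
        # Unresolved hash: ACE edited/removed since the log was written, or stale saved output.
        "unresolved": configured is None or (exp_id != 0 and expanded is None),
    }


if __name__ == "__main__":
    table = parse_show_access_list(SHOW_ACCESS_LIST)
    for line in SYSLOG_LINES:
        r = explain(line, table)
        print(f"{r['acl']} line {r['line']} {r['action']} {r['flow']}")
        print(f"  configured: {r['configured']}")
        print(f"  expanded:   {r['expanded']}")
```

In practice, capture "show access-list" on a schedule (or after every change) alongside the logs, because the hash only identifies the ACE as it was when the message was generated; resolving old logs against current output can silently point at the wrong rule if a line was edited, which is why the script flags unresolved hashes instead of falling back to the ACL name alone.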
