Access list hit counts

Hello Mates,
I am getting a very rare type of problem while implementing the ACL on a 3850 switch.
I do get hit matches when I put a log keyword in the ACL 102:
SW#sh ip access-lists
Extended IP access list 102
    5 permit tcp 192.168.0.0.0 0.0.255.255 196.189.80.0 0.0.0.15 eq 23 log (28 matches)
But when I remove the log keyword then I don't get any matches.
SW#sh ip access-lists
Extended IP access list 102
    5 permit tcp 192.168.0.0.0 0.0.255.255 196.189.80.0 0.0.0.15 eq 23 (no matches )
Please assist.

To understand your issue I think it is helpful to start from the understanding that the hit count is maintained as the access list is processed in software (as is generally the case in layer 3 routers). We get a somewhat different situation in layer 3 switches. If the access list is processed in software (as is necessary when the entry includes the log parameter) then the hit count increments. But when the decision is made in hardware then the right behavior of traffic is achieved but the hit count is not incremented.
HTH
Rick

Similar Messages

  • L2L VPN Access-list crypto-interesting

    Hi Everyone,I have a question.
    I have ASA1 and ASA2 connected over a private IP cloud and two hosts behind each of the ASAs.
    The tunnel is up and I can ping from host1 which is behind ASA1 host2 which is behind ASA2 over the VPN tunnel.
    When I do show crypto ipsec sa on ASA2 I see
    #pkts encaps: 451, #pkts encrypt: 451, #pkts digest: 451
          #pkts decaps: 451, #pkts decrypt: 451, #pkts verify: 451
    and they are increasing, with every ping I send from host1 to host2. But when I do sh access-list cryptointeresting which defines my crypto interesting traffic on ASA2 I don't see increasing hits with every ping I send from host1 which is behind ASA1.
    The question is if I am supposed to see crtyptointeresting access-list hits increasing on ASA2, when I ping host2(behind ASA2) from host1 which is behind ASA1 on the other end.
    Thanks

    Hi my friend.
    When you ping from ASA1 to ASA2 you will not see hit counts on the ACL from ASA2. That happens because, for the hit count number to increase, the traffic must match the direction defined on the ACL.
    Basically, when you ping from ASA1 to ASA2 the traffic doesn't match the direction of the crypto ACL on ASA2 (which is defined from ASA2 LAN to ASA1 LAN), therefore it doesn't count as a hit.
    You do see packets decrypted and decapsulated because the traffic matched the conditions previously negotiated for the VPN tunnel; then the traffic gets encrypted and sent through the tunnel.
    I hope this clarifies your questions.
    BTW, sorry I didn't get back to you on your second NAT post; I see that Varun gave you a great answer.
    Have fun!
    Raga

  • Please.... How do I access my iweb counter hits?

    I've been surfing on and off for a year or so, looking for how to access the hits. I gave up and then tried to insert an HTML counter, and of course that didn't work. For a user-friendly program, this is one thing that I am missing. Please end my **** and tell me how to access my iWeb counter hits. Thank you.

    Are/were you not able to view the counter on your web page?  Viewing the count on your web page is the only info that iWeb's counter can give you. If you intend on using iWeb after MMe has been shutdown the following may be of interest to you:
    It is now known that iWeb, and iDVD, has been discontinued by Apple. This is evidenced by the fact that new Macs are shipping with iLife 11 installed but without iWeb and iDVD.
    On June 30, 2012 MobileMe will be shutdown. However, iWeb will still continue to work but without the following:
    Features No Longer Available Once MobileMe is Discontinued:
    ◼ Password protection
    ◼ Blog and photo comments
    ◼ Blog search
    ◼ Hit counter
    ◼ MobileMe Gallery
    All of these features can be replaced with 3rd party options.
    I found that if I published my site to a folder on my hard drive and then uploaded with a 3rd party FTP client, subscriptions to slideshows and the RSS feed were broken. If I published directly from iWeb to the FTP server those two features continued to work correctly.
    There's another problem and that's with iWeb's popup slideshows.  Once the MMe servers are no longer online the popup slideshow buttons will not display their images.
    However, Roddy McKay and I have figured out a way to modify existing sites with those slideshows and iWeb itself so that those images will display as expected once MobileMe servers are gone.  How to is described in this tutorial: #26 - How to Modify iWeb So Popup Slideshows Will Work After MobileMe is Discontinued.
    It now appears that the iLife suite of applications offered on disc is now a discontinued product and the remaining supported iApps will only be available through the App Store from now on. However, the iLife 11 boxed version that is still available at the online Apple Store (Store button at the top of the page) and those still on the shelves of retailers will include iWeb and iDVD. Those two apps were listed in small, gray text on the iLife 11 box that I bought.
    Personally, if I didn't already have a copy I would purchase one to have it for reinstallation purposes if ever needed.
    This may be of some interest to you: Life After MobileMe.
    OT

  • Packets not hitting the route-map's NAT access-list

    Hi Everyone,
    I've been struggling with this issue for two days. I have a couple of VPN tunnels on a router and all are working fine with NAT because I created route-maps for NAT to deny the packets that are going to the tunnel from getting NATed. I have the same config for all the tunnels, but the issue is with the xxx_NAT access-list, which is not even being hit by the packets, so my xxx tunnel won't come up. I am positive that the problem is NAT because when I remove NAT from the 0/1.102 interface it starts to work. Here is my config:
    interface GigabitEthernet0/1.102
    description "xxx"
    encapsulation dot1Q 102
    ip address 10.300.301.1 255.255.255.0
    ip access-group xxx_ACL in
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat pool ???_POOL ??
    ip nat pool ???_POOL ??
    ip nat pool ???_POOL ??
    ip nat pool xxx_POOL ??
    ip nat inside source route-map ??? pool ???_POOL overload
    ip nat inside source route-map ??? pool ???_POOL overload
    ip nat inside source route-map xxx pool xxx_POOL overload
    ip nat inside source route-map ??? pool ???_POOL overload
    ip access-list extended xxx-VPN
    remark VPN to xxx
    permit ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
    permit ip 192.168.45.0 0.0.0.255 10.300.301.0 0.0.0.255
    ip access-list extended xxx_ACL
    deny   ip 10.300.301.0 0.0.0.255 192.168.56.0 0.0.0.255
    permit ip any any
    ip access-list extended xxx_NAT
    deny   ip 10.300.301.0 0.0.0.255 110.110.2.0 0.0.0.255
    deny   ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
    permit ip 10.300.301.0 0.0.0.255 any
    route-map ??? permit 10
    match ip address ???_NAT
    route-map xxx permit 10
    match ip address xxx_NAT
    route-map ??? permit 10
    match ip address NAT_???
    route-map ??? permit 10
    match ip address ???_NAT
    control-plane
    banner motd ^C

    As that is probably *not* the config you are having problems with (or are your route-maps really named ???, xxx etc. ?) it is hard to help.
    So just a guess:
    The "ip nat inside source route-map" statements are processed in lexical order. The naming of your route-maps has to reflect the order you want to achieve. If you have the wrong order your traffic will end up in the wrong translation, which you should see with "show ip nat translation".
    HTH, Karsten

  • .Mac front page hit counts list

    Using iWeb with .Mac, I get hit counts only for the top 5 pages in my .Mac front page status column. I assume that's a standard and have found no settings to permit me to change this.
    Is this it? Can we only monitor the counts for our top 5 pages without having to actually visit (and influence the counts of) the other pages?
    If I'm missing something, I'd be grateful for a friendly hint on how to passively observe the hit totals on all marked pages. If this is just the nature of the beast, chalk it up as another straw in the growing pile under the sign labeled "frustrating shortcomings."

    That's the way it's been since the Homepage days too. I'm not aware of any other way to show the "hits" for more than just the top 5.

  • Hit counter in jsp

    Hi,
    I want to know how we can implement a hit counter in our JSP page.
    I want 2 hit counters:
    1 - total number of hits on the page
    2 - total number of online members at that time
    Send me soon.

    I have a list of links (which are links to other web applications which I didn't make and can't access) in my JSP, retrieved from a table in my database which stores the link name and the number of hits, and in their <a href> tag I redirect them to another JSP, say for example count.jsp.
    In my count.jsp, I get the index of the link I clicked and pass it to my Java bean, which in turn queries for the URL of the link and passes it back to my count.jsp. I also query for the existing number of hits from the table in the DB, which is set to 0 by default, and also pass it back to my count.jsp.
    In my count.jsp, I increment the number of hits by 1 and pass it back to the bean to update the database.
    While this is done, I redirect the count.jsp to the URL I retrieved from my bean.
    This could be different if your links are readily accessible and editable by you. You could just add a scriptlet in that link that increments the number of hits in your database.
    I hope you got my point and I hope I helped....

  • Configuring Extended Access List with Any statement

    I have several questions where I'm fuzzy on a configuration already on my network. Whoever set up my network before me just put the same access-lists on all the interfaces at three different locations --
    1.  Are extended access-lists always source then destination?  Like in the following statement:
    permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and destination any?
    2.  Further down though there is:
    permit tcp any host 172.16.4.11 eq 443.
    In that case is the source any host and the destination 172.16.4.11 ?
    This had been placed on an inbound access-list but 4.11 is not internal to that network, so I don't think that statement is valid.
    3.  Also, when you do a:
    sho ip access-list -
    Not many of the line items in that access have any counts - does that mean nothing is hitting them or like I think they could be misconfigured?
    Thanks!

    Thank you Alex for your response.
    Yes, this is an example:
    permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
    I have more ACLs and each ACL contains more conditions with multiples Por

  • ACL Hit Counts

    ACL hit counts
    Hi,
    I just needed to clarify something. I have a data center and a branch office connected to each other through IPSec VPN. I also have SSL VPN configured on the firewall in my data center, the same firewall on which the IPSec VPN from my branch office terminates.
    I retrieved some ACL logs from the ASA in the data center and all the hit counts shown are zero, even when the connection is established and my branch office users are able to access all resources.
    e.g. access-list CRYPTO_XXXXX line 8 extended permit ip x.x.x.x 255.255.0.0 y.y.y.y 255.255.255.0 (hitcnt=0) 0x8142efc9
    All the ACL are like this where y.y.y.y is the branch office subnet
    I also have another ACL which popped up in my SSL VPN ACL as shown below:
    e.g. access-list DAP-ip-user-906E4E06 line 1 extended permit ip x.x.x.x 255.255.255.0 host y.y.y.y (hitcnt=22162) 0x440bdd04
    access-list SSLVPN-CORP-ACL line 1 extended permit ip x.x.x.x 255.255.255.0 host y.y.y.y(hitcnt=0) 0xc9d27468
    Can anyone tell me why my hit count is zero for both the CRYPTO ACL and the SSLVPN-CORP-ACL even when the connection is established?
    Second, what is DAP-ip-user-906E4E06? why is it showing such?
    Thanks a lot in advance.

    Hi Jennifer,
    many thanks for the response.
    I totally agree regarding the traffic initiation and hit count. I have 5 branch offices in total, and when I try the same traffic initiation test on the other branch offices, I can see the increase on their respective firewalls.
    Any idea what might be wrong with the first branch and why the hit count does not increase?
    The DAP policies were created 2-3 years back and I haven't seen any such logs so far; I think this is the first time.
    I have used an RSA appliance for authenticating the users and remember enabling RADIUS on it. Will it be the cause of that?
    regards

  • ASDM hit count

    Hi
    For some reason the ASDM hit count is showing only for some rules, not all.
    I'm sure traffic must be hitting the rule, but it is not reflected in the ASDM hit count or the ASA CLI sh access-list command.
    It's running on ASA 8.0(4) and ASDM 6.1(3).
    Is this a known bug?

    Hi Rajesh,
    It could be that there is an access-list entry above the one you are checking which also allows the interesting traffic to pass.
    Just to clear up the confusion, please try to place the access-list entry on line 1 and check whether the hit counts increase after that or not.

  • Hit count in ASA

    Hi everyone,
    Need to confirm how hit count is incremented in ASA.
    I am pinging IP from PC connected to ASA  .
    PC has send 4 packets
    Here is ASA info
    ciscoasa#                                                         sh access-li$
    access-list cached ACL log flows: total 1, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list ICMP; 1 elements; name hash: 0x2d2cf426
    access-list ICMP line 1 extended permit icmp any any echo-reply log informational interval 300 (hitcnt=3) 0x0b307247
    ciscoasa#  ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=33 len=32
    ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335
    ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=33 len=32
    ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1
    ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=34 len=32
    ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335
    ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=34 len=32
    ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1
    ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=35 len=32
    ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335
    ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=35 len=32
    ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1
    ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=36 len=32
    ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335
    ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=36 len=32
    ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1
    ciscoasa#                                                         sh access-li$
    access-list cached ACL log flows: total 1, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list ICMP; 1 elements; name hash: 0x2d2cf426
    access-list ICMP line 1 extended permit icmp any any echo-reply log informational interval 300 (hitcnt=4) 0x0b307247
    We can see that after the ping hit count has gone from 3 to 4.
    So does this mean that for every 4 packets sent by the PC the hit count increments by 1?
    Thanks
    Mahesh

    Yes, that is correct.
    Access-list on ASA only matches on the first connection, and the subsequent packets within the same connection will be allowed by default as it is part of the same connections. ASA is a stateful firewall so it has a state table to store the existing connections.
    Hope that helps.
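As an added example (not code from any of the posts above), a small Python script that parses the counter formats quoted in the first thread (IOS "(N matches)" / "(no matches)") and in the ASA ping thread ("(hitcnt=N)"), diffs two captures taken before and after some test traffic, and lists the ACEs whose counter did not move. The captures below are constructed samples; the IOS-XR "(N hw matches)" form from the later thread is handled as well.

```python
import re

# Constructed sample captures (not from a live device), modelled on the
# "show ip access-lists" (IOS) and "show access-list" (ASA) lines quoted above.
CAPTURE_BEFORE = """\
Extended IP access list 102
    5 permit tcp 192.168.0.0 0.0.255.255 196.189.80.0 0.0.0.15 eq 23 log (28 matches)
    10 permit tcp 10.0.0.0 0.0.0.255 any eq 22
access-list ICMP line 1 extended permit icmp any any echo-reply log informational interval 300 (hitcnt=3) 0x0b307247
access-list OUTSIDE_IN line 2 extended deny ip any any (hitcnt=17) 0x1a2b3c4d
"""
CAPTURE_AFTER = """\
Extended IP access list 102
    5 permit tcp 192.168.0.0 0.0.255.255 196.189.80.0 0.0.0.15 eq 23 log (31 matches)
    10 permit tcp 10.0.0.0 0.0.0.255 any eq 22
access-list ICMP line 1 extended permit icmp any any echo-reply log informational interval 300 (hitcnt=4) 0x0b307247
access-list OUTSIDE_IN line 2 extended deny ip any any (hitcnt=17) 0x1a2b3c4d
"""

# IOS / IOS-XR list header, e.g. "Extended IP access list 102" or "ipv4 access-list 2020"
LIST_HEADER = re.compile(r"^(?:(?:Extended|Standard) IP access list|ipv4 access-list) (\S+)\s*$")
# IOS / IOS-XR ACE with an optional "(N matches)", "(N hw matches)" or "(no matches)" suffix
IOS_ACE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)\s*(?:\((?:(\d+) (?:hw )?matches|no matches\s*)\))?\s*$")
# ASA ACE: "access-list NAME line N extended permit ... (hitcnt=N) 0x..."
ASA_ACE = re.compile(r"^access-list (\S+) line (\d+) extended (permit|deny) (.*?)\s*\(hitcnt=(\d+)\)")


def parse_hit_counts(text):
    """Map (acl_name, sequence) -> {"ace": str, "hits": int} for every ACE found."""
    counts, current_acl = {}, None
    for line in text.splitlines():
        m = LIST_HEADER.match(line)
        if m:
            current_acl = m.group(1)
            continue
        m = ASA_ACE.match(line)
        if m:
            name, seq, action, body, hits = m.groups()
            counts[(name, int(seq))] = {"ace": f"{action} {body}", "hits": int(hits)}
            continue
        m = IOS_ACE.match(line)
        if m and current_acl:
            seq, action, body, hits = m.groups()
            # An ACE with no suffix at all is reported as 0 hits.
            counts[(current_acl, int(seq))] = {"ace": f"{action} {body}", "hits": int(hits or 0)}
    return counts


def diff_hit_counts(before_text, after_text):
    """Per-ACE counter delta between two captures; ACEs new in 'after' count from 0."""
    before, after = parse_hit_counts(before_text), parse_hit_counts(after_text)
    return {key: entry["hits"] - before.get(key, {}).get("hits", 0)
            for key, entry in after.items()}


def unchanged_aces(before_text, after_text):
    """ACEs whose counter did not move: either never matched, or (on a L3 switch)
    forwarded in hardware, where the software-maintained hit counter is not updated."""
    return sorted(k for k, d in diff_hit_counts(before_text, after_text).items() if d == 0)


if __name__ == "__main__":
    for (acl, seq), delta in sorted(diff_hit_counts(CAPTURE_BEFORE, CAPTURE_AFTER).items()):
        print(f"{acl} seq {seq}: +{delta}")
    print("unchanged:", unchanged_aces(CAPTURE_BEFORE, CAPTURE_AFTER))
```

On the ASA the delta is per connection rather than per packet, as the reply above explains, so a burst of four pings moving a counter by one is expected.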

  • Problem with ACLs hit counts

    Hello
    I've applied the following ACL to an interface but don't see the hit counts (e.g. something like
    30 deny tcp any any (58 hw matches)):
    RP/0/RSP0/CPU0:test#show access-lists ipv4 2020
    Fri Aug 26 09:34:48.094 HKT
    ipv4 access-list 2020
    10 deny ipv4 any host 202.146.219.55
    20 deny ipv4 any host 218.213.235.211
    30 deny ipv4 any host 116.193.159.79
    50 deny ipv4 any host 111.68.2.101
    60 deny ipv4 any host 112.121.170.43
    77 deny ipv4 host 117.211.87.202 any
    78 deny ipv4 host 202.29.220.238 any
    79 deny udp any host 218.213.92.3
    80 deny udp any host 218.213.91.45
    81 deny ipv4 host 59.42.249.51 host 218.213.91.45
    Also got the following:
    RP/0/RSP0/CPU0:test#show access-lists ipv4 2020 hardware ingress interface gigabitEthernet 0/0/0/31 sequence 81 location 0/0/CPU0
    Fri Aug 26 09:34:52.209 HKT
    The interface does not have per-interface statistics enabled
    RP/0/RSP0/CPU0:test(config-if)#ipv4 access-group 2020 ingress interface-statistics
    RP/0/RSP0/CPU0:test(config-if)#commit
    Mon Aug 29 09:44:42.725 HKT
    % Failed to commit one or more configuration items  during a pseudo-atomic operation. All changes made have been reverted. Please  issue 'show configuration failed' from this session to view the errors
    Is there any configuration still missing?? 
    Pls help.  Thanks!

    Thanks!
    Have tried but still got the following:
    RP/0/RSP0/CPU0:test(config-if)#show config failed
    Wed Aug 31 09:41:58.730 HKT
    !! SEMANTIC ERRORS: This configuration was rejected by
    !! the system due to semantic errors. The individual
    !! errors with each failed configuration command can be
    !! found below.
    interface GigabitEthernet0/0/0/23
    ipv4 access-group 2020 ingress hardware-count interface-statistics
    !!% 'pfilter-ea' detected the 'warning' condition 'Mode mismatch.ACL has been applied in different modes on this LC - interface stats and ace stats. '
    end
    Could you let me know the reason?  Thanks again.

  • IWeb Hit Counter Widget

    My counting widget has disappeared from the widget list in iWeb. I deleted it from my page. How do I get it back?

    Try using the Insert->Button->Hit Counter menu option. If that fails then you might have to reinstall iWeb from the disk it came on. To do so you'll have to delete the current application and all files with "iWeb" in the file name that reside in the HD/Library/Receipts folder. Reinstall iWeb and apply the latest updaters.
    OT

  • Hit Counter For Web Site Now Working?

    I have a web site that was published with iWeb 06. I am using a domain name at GoDaddy and forwarding to .Mac using masking so the site shows with the domain name not the .Mac address. If you went to the site by entering the domain name the hit counter on the first page would not show. However, if you entered the .Mac address to go to the site the counter would show.
    Well the site was republished and upgraded with iWeb 08. Recently I noticed that the hit counter now shows regardless of how you go to the site. I was pleasantly surprised but when did this happen? Of course as others have noticed, on my .Mac home page on the side bar where the website pages are listed the counter numbers no longer show. So they took something away and gave something back?
    John

    I don't think Apple meant to take away the .Mac counter section of the .Mac page. I think it's a bug that they have yet to resolve. It would be interesting to see if anyone has asked Apple about this and if they gave a definitive answer?

  • Iweb page hit counter

    If you are a .Mac user you can click on Mac in the top menu bar. It lists Account, Mail, Address Book, My Pages, etc. Under My Pages, it lists hits for my .Mac homepage pages and now I notice it will show hits for 5 of my iWeb pages, but how can I choose which pages it will show the hits for? My home page is the only page which has a counter and it is not one of those listed.
    Here is my site. http://web.mac.com/hooktrunk
    Dan

    Thanks. That was such a simple answer I feel quite silly. I wish I could assign certain pages instead. Oh well. Thanks again.

  • Hostname(with wildcards) based access-list or policy.

    Is there any way in Cisco to use hostnames with wildcards, either in an ACL, policy, class map etc.? For example, I want to identify the following devices with one keyword, for blocking/permitting etc.:
    UKlondon001
    UKlondon002
    UKlondon003
    Uklondon004
    UKlondon005
    I want to capture all these with wildcard UKlondon*
    something like regular expressions...

    You can group them in object-groups. You'll need to configure their names and then create an object group:
    name 10.5.5.5 uklondon001
    name 10.5.5.6 uklondon002
    object-group network UKLONDONS
    network-object host uklondon001
    network-object host uklondon002
    access-list permit tcp any object-group UKLONDONS eq 80
    The above (from memory so don't quote me) will allow any traffic to hit any of those servers on port 80.
    If you're wanting to do this for certain websites like youtube.com or google.com, you'll need to use regex and class-maps.
    HTH,
    John
