Why does the ACL hitcnt number not change after pinging a user on the other side of an ASA VPN?

Hi Experts,
I have a question about a LAN-to-LAN VPN I am setting up. After I set up the VPN, a user on one side can ping a user on the other side, but I notice that when I run show access-list on the ASA, the hitcnt number does not change. I do not know why this happens, since the traffic goes through that ACL.

Please see the following:

ASA# sh access-list  
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Sales; 8 elements; name hash: 0x98ffc0
access-list Sales line 1 extended permit ip 10.154.179.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=3) 0x98950ed
EESky asked:
Alan Huseyin Kayahan commented:
Ping is a member of the ICMP protocol suite, not the IP protocol. Add a line allowing/denying ICMP and observe the results.
access-list line 2 extended permit icmp any any
Pete Long, Technical Consultant, commented:
Yep, ICMP is a different protocol suite; your ACL is for IP.

PL
EESky (Author) commented:
Thanks for your fast reply. I removed all ACLs and added a new one which just allows ICMP through the tunnel. However, I noticed that the hitcnt number is not related to the number of pings. And the hitcnt is not 0, but 3. I am curious about which packets cause the 3.
Alan Huseyin Kayahan commented:
ICMP is a protocol suite, and other utilities like traceroute might have been run as well.
For more granular monitoring, you can open ASDM and view the syslogs, filtered by the source IP perhaps.
EESky (Author) commented:
The hitcnt number might not be related to the VPN's ACL.
Alan Huseyin Kayahan commented:
Can you elaborate on "VPN's ACL"? There are various points at which to place an ACL. Can you post the part of the config where you put the ACL in use?
EESky (Author) commented:
To confirm this issue, we use the following topology: asa1 ------ R2 ------- asa3. asa1 and asa3 can ping each other's outside.

We cannot tell where the 3 (hitcnt=3) comes from, and the number here does not change even when pinging many times from a user on one side to the other.

------------------------------------------------
asa3(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACL; 1 elements; name hash: 0xdd71d952
access-list ACL line 1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=3) 0x4dac3083

--------------------
asa1(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname asa1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 12.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list ACL extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 12.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TS esp-3des esp-sha-hmac
crypto map MAP 1 match address ACL
crypto map MAP 1 set peer 23.1.1.3
crypto map MAP 1 set ikev1 transform-set TS
crypto map MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha    
 group 2
 lifetime 10000
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 23.1.1.3 type ipsec-l2l
tunnel-group 23.1.1.3 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:35318b1ad2e24441aa8bacec500fe128
: end
asa1(config)#

---------------------------------

asa3(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname asa3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 23.1.1.3 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list ACL extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 23.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TS esp-3des esp-sha-hmac
crypto map MAP 1 match address ACL
crypto map MAP 1 set peer 12.1.1.1
crypto map MAP 1 set ikev1 transform-set TS
crypto map MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 10000
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha    
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 12.1.1.1 type ipsec-l2l
tunnel-group 12.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:51b5fbcad65f9ef63d6b7029ea909547
: end
asa3(config)#
Alan Huseyin Kayahan commented:
Add the following and try again:
access-list ACL extended permit icmp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
EESky (Author) commented:
Thank you for your reply. I removed all ACLs and added a new ACL for ICMP on both ASAs; the situation is the same as before. I think the count (hitcnt) might need an access-group. But the count is not zero even though it has no access-group.
Alan Huseyin Kayahan commented:
I just observed that you use it for interesting traffic. Read the usage guidelines section in the following for your answer.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/c5.html#wp2238243
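To make the accepted answer concrete: in both configs posted above, the access list named ACL is referenced only by "crypto map MAP 1 match address ACL", i.e. as the IPsec traffic selector, and is never bound to an interface with access-group, so its hitcnt is not a counter of pings crossing the tunnel. The Python script below is an added example, not part of this thread and not a Cisco tool. It parses a running-config excerpt and "show access-list" output (asa3's lines as posted, plus a constructed access-group case for contrast, with made-up hashes and counter) and reports how each ACL is bound and what its counter therefore means. The pointer to the "show crypto ipsec sa" packet counters and the note that an interface ACL is evaluated per new connection are my additions, not statements from the thread.

```python
import re
from dataclasses import dataclass

# Statement shapes from the ASA running config that decide how an ACL is used.
ACL_RE = re.compile(r"^access-list (\S+) extended (.+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
CRYPTO_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
# ACE lines of "show access-list" carry the counter as "(hitcnt=N)".
HITCNT_RE = re.compile(
    r"^access-list (\S+) line (\d+) extended (.+?) \(hitcnt=(\d+)\)(?: 0x[0-9a-f]+)?$"
)

# Excerpt of asa3's running config as posted in the thread (only the lines
# that matter here). Note: no "access-group" line exists anywhere in it.
ASA3_CONFIG_EXCERPT = """\
hostname asa3
access-list ACL extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map MAP 1 match address ACL
crypto map MAP 1 set peer 12.1.1.1
crypto map MAP interface outside
"""

# asa3's "show access-list" output as posted.
ASA3_SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACL; 1 elements; name hash: 0xdd71d952
access-list ACL line 1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=3) 0x4dac3083
"""

# Constructed contrast case (not from the thread): an ACL bound to an
# interface with access-group. Hashes and the counter value are made up.
IFACE_CONFIG = """\
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface outside
"""
IFACE_SHOW_ACCESS_LIST = """\
access-list OUTSIDE_IN; 1 elements; name hash: 0x00000000
access-list OUTSIDE_IN line 1 extended permit icmp any any (hitcnt=42) 0x00000000
"""


@dataclass
class AceStatus:
    acl: str
    line: int
    ace: str
    hitcnt: int
    usage: list   # how the running config references this ACL
    note: str     # what the counter means given that usage


def parse_acl_usage(running_config: str) -> dict:
    """Map each ACL name to every place the running config binds it."""
    usage = {}
    for raw in running_config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            usage.setdefault(m.group(1), [])
        elif m := ACCESS_GROUP_RE.match(line):
            usage.setdefault(m.group(1), []).append(
                f"access-group {m.group(2)} interface {m.group(3)}")
        elif m := CRYPTO_MATCH_RE.match(line):
            usage.setdefault(m.group(3), []).append(
                f"crypto map {m.group(1)} {m.group(2)} match address")
    return usage


def parse_hitcnt(show_access_list: str) -> list:
    """Return (acl, line, ace, hitcnt) for every ACE line in the output."""
    entries = []
    for raw in show_access_list.splitlines():
        if m := HITCNT_RE.match(raw.strip()):
            entries.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return entries


def explain(bindings: list) -> str:
    """Interpret the counter from the ACL's bindings. The ASA is stateful, so
    an interface ACL is evaluated once per new connection, not per packet."""
    if any(b.startswith("access-group") for b in bindings):
        return "interface ACL: hitcnt counts new connections matched at the interface"
    if any(b.endswith("match address") for b in bindings):
        return ("crypto map traffic selector only, not bound to any interface: "
                "hitcnt does not track pings through the tunnel; use "
                "'show crypto ipsec sa' (#pkts encaps/decaps) to count tunnel traffic")
    return "declared but never bound: hitcnt will stay at its current value"


def classify(running_config: str, show_access_list: str) -> list:
    """Join config bindings with show output into one status per ACE."""
    usage = parse_acl_usage(running_config)
    return [AceStatus(acl, line, ace, hitcnt, usage.get(acl, []),
                      explain(usage.get(acl, [])))
            for acl, line, ace, hitcnt in parse_hitcnt(show_access_list)]


if __name__ == "__main__":
    for cfg, show in ((ASA3_CONFIG_EXCERPT, ASA3_SHOW_ACCESS_LIST),
                      (IFACE_CONFIG, IFACE_SHOW_ACCESS_LIST)):
        for s in classify(cfg, show):
            print(f"{s.acl} line {s.line} hitcnt={s.hitcnt} "
                  f"[{', '.join(s.usage) or 'unbound'}] -> {s.note}")
```

Running it against the posted output reports ACL line 1 with hitcnt=3 bound only as "crypto map MAP 1 match address", which is exactly the situation the thread ends on: the counter to watch for tunnel traffic is on the IPsec SA, not on the selector ACL. Feed it the full running config and show output from a device to spot any ACL whose counter is being read as a traffic meter when it is not one.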

EESky (Author) commented:
Thank you, Alan. Right!
Alan Huseyin Kayahan commented:
You are welcome :)