ACL counters not showing

Updated 7 months ago
Hi, I have an ACL defined to manage general access between subnets across switches, and as part of that some rules have counters assigned to them. The problem I am having is that when I use the show access-list counter command, not all of my counters are showing and I get a list that looks similar to the one below:

# show access-list counter
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
ACCESS_CONTROL    *                *      ingress
    Rule1                                           163
    Rule2                                           0
    Rule3                                           0
  not well-formed (invalid data)

If anyone can help, I would like to know why it says "not well-formed (invalid data)".
Also, if anyone has experience with defined counters not appearing...

I have compared ACL-defined rules and cannot see any obvious syntax differences between rules where the counter works and rules where it does not. I have working counters and non-working counters from rules, both pretty much identical to the below:

entry Rule1 {
    if {
        source-address x.x.x.x;
        destination-address y.y.y.y;
    }
    then {
        permit;
        count Rule1-Counter;
    }
}


Any comments appreciated

Thanks
Rich

Posted 1 year ago

Nick Yakimenko

Are x-x-x-x and y-y-y-y always on different subnets, both routed via your current device?
Rich

To say they are routed by the current device is not entirely accurate, but could be depending on VRRP master/backup status etc. This ACL does exist on all devices which could possibly handle the L3 traffic defined in the rule. Communication between these x and y is blocked by a catch-all at the bottom of the ACL unless specific IPs are defined as per the above example. The issue is not that the counter is not incrementing, but that it does not appear in the list at all.
Karthik Mohandoss, Employee

Hi Rich,

If the ACL is applied in the egress direction, then you need to check the counter with the command
"show access-list counter egress"

Can you check if this helps!
Ariyakudi Srinivas, Muthuraman, Employee

Hi Rich,

Just to be sure that the entire policy has been written correctly, please check whether the policy is good with the command below:

#check policy <policy name> (the extension is not necessary in this command).

If the policy is good, the output should be similar to the below:

# check policy HTTP-RETURN --- (HTTP-RETURN is my sample policy name)
Policy file check successful.
Jarek

Hi Rich,

Can you post:
1) what EXOS version you use, and which switch?
2) whether you see that issue only on one device or on more?
3) if you have more devices, whether they have the same EXOS?


--
Jarek
Rich

OK all... Thanks for all your replies. It's all good info :-)

  • I have checked the policy syntax with the check policy xxx command and the check policy xxx access-list command; all pass OK.
  • I have refreshed the policy each time.
  • I have tried show access-list counter <CR> as well as specifying ingress|egress, and cannot see some defined counters.
  • I have looked at the policy characters, name lengths etc. and compared some working rule counters with non-workers, and cannot really see any "character convention" or line length issues which contravene a working rule...
I am now wondering if I have hit a limit on the number of counters I can define in an ACL? Does anyone know if limitations are in force for this?

  • The "not well-formed" statement at the bottom of my displayed counters still bothers me. Does anyone else see this?
  • The counters I can see in the list seem to be random, and not as if the first 8 in the ACL work (which would be more logical).

The main L3 devices using this ACL are X670V-48x on 16.1.3.6

Thanks in advance...
Jarek

Do you use any special characters in the counter name,
like " & . (dot) + - _ % ", etc.?

Or does the counter name contain only a-z A-Z 0-9?

--
Jarek
Ariyakudi Srinivas, Muthuraman, Employee

Hi Rich,

In regards to the counters, on Summit family switches, the maximum number of packets that can be counted with token packet-count or count is 4,294,967,296. On the same switches, the maximum number of bytes that can be counted with byte-count is also 4,294,967,296 which is equivalent to 67,108,864 packets that are sized at 64 bytes.

The above piece of information is from the EXOS User Guide.

And considering the ACL usage in the switch, the output of "show access-list usage port <port#>" can give you an idea of the space available for configurable ACLs.

But then, if the ACL limit is hit, you would ideally get an error message along the lines of "Error: ACL install operation failed - slice hardware full for vlan *, port <port#>". But this does not seem to be the case when applying the ACL in the switch.

Thank You,
Rich

Thanks for the comments Ariyakudi. 

I will look at this in more detail, but my initial thought is that the maximum "count" value is not being hit. I can't help going back to the "not well-formed (invalid data)" statement being displayed to me when I look at the list of counters. Are you able to find out what would cause this output from the "show access-list counter" command? I also wonder if any other ACLs you have access to might also show this?

I have looked at my ACL over and over and I just cannot see any discernible difference (in the ACL) between defined counter statements that are listed by the show command and those which are missing.



here is an example of the output when I look at counters (it is identical on other switch also having the same ACL) :

(fig A) :

# show access-list counter
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
ACCESS_CONTROL    *                *      ingress
    Allow103_to200&201_counter     329422
    Allow10_68_to201_58_counter    0
    Allow10_68_to201_59_counter    0
    Allow10_68_to201_61_counter    0
    Allow10_68_to201_62_counter    0
    Allow144_to102_RDP_Counter     0
    Allow144_to240_RDP_Counter     0
    Allow145_to200&201_counter     0
    Allow178_200_to200_8080_counter 0
    Allow_100_to200&201-Counter    1194658
not well-formed (invalid data)


Here are some rules from the ACL. I have copied out a rule which is shown in the "show" output and one that is not.

Does not show:

entry Allow_MAPI_to200 {
    if {
        source-address x.x.x.x;
        destination-address y.y.y.y;
    }
    then {
        permit;
        count Allow_MAPI_to200-Counter;
    }
}

Does show:

entry Allow_100_to200&201 {
    if {
        source-address a.a.a.a;
        destination-address b.b.b.b;
    }
    then {
        permit;
        count Allow_100_to200&201-Counter;
    }
}




Additionally, the list of "shown" counters (fig A above) does seem to be identical on multiple switches (using the exact same ACL in the same way),
but the layout does not seem to be drawn out of the ACL script in a logical order, and does not lead to any clue as to where in the script an error might be, or why counters from much further down the ACL are listed higher than others in (fig A).


Do you think I should raise this to GTAC?



Thanks in advance for any further help..
Jarek

Hmmm... maybe it is a similar issue -> https://gtacknowledge.extremenetworks.com/articles/Solution/ACL-counter-not-printed-correctly-in-cle...

Please try changing the counter name and use only a-z A-Z 0-9 and _ - characters.

--
Jarek
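One way to do the comparison Rich has been doing by eye: an added Python script (not from this thread, Extreme's tooling, or the KB article) that parses a constructed policy in the thread's entry syntax, reads the counter rows from a constructed "show access-list counter" output in the fig A layout, and reports each defined counter that is missing from the output or that uses characters outside the a-z A-Z 0-9 _ - set Jarek suggests. It assumes every entry's closing brace sits at column 0, as in the snippets above; the policy is compacted onto fewer lines and all names and addresses are placeholders.

```python
import re
# Constructed policy in the thread's entry syntax, compacted; names and addresses are placeholders.
POLICY = """
entry Allow_MAPI_to200 {
    if { source-address 10.0.0.1/32; destination-address 10.0.1.1/32; }
    then { permit; count Allow_MAPI_to200-Counter; }
}
entry Allow_100_to200&201 {
    if { source-address 10.0.0.2/32; destination-address 10.0.1.2/32; }
    then { permit; count Allow_100_to200&201-Counter; }
}
"""
# Constructed "show access-list counter" output in the same layout as fig A above.
SHOW_OUTPUT = """\
    Counter Name                   Packet Count         Byte Count
ACCESS_CONTROL    *                *      ingress
    Allow_100_to200&201-Counter    1194658
not well-formed (invalid data)
"""
# Assumes each entry's closing brace sits at column 0, as in the snippets above.
ENTRY_RE = re.compile(r"entry\s+(\S+)\s*\{(.*?)\n\}", re.S)
COUNT_RE = re.compile(r"\bcount\s+([^;\s]+)\s*;")
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # the character set Jarek suggests

def defined_counters(policy_text):
    """Map each 'count <name>;' in the policy to the entry that declares it."""
    found = {}
    for m in ENTRY_RE.finditer(policy_text):
        for name in COUNT_RE.findall(m.group(2)):
            found[name] = m.group(1)
    return found

def displayed_counters(show_text):
    """Counter rows are the four-space-indented lines other than the header row."""
    rows = [l for l in show_text.splitlines() if l.startswith("    ")]
    return {l.split()[0] for l in rows if not l.lstrip().startswith("Counter Name")}

def audit(policy_text, show_text):
    """Flag counters missing from the show output or using characters outside the safe set."""
    shown = displayed_counters(show_text)
    report = []
    for name, entry in defined_counters(policy_text).items():
        flags = []
        if name not in shown:
            flags.append("missing from show output")
        if not SAFE_NAME_RE.match(name):
            flags.append("uses characters outside A-Z a-z 0-9 _ -")
        if flags:
            report.append((entry, name, flags))
    return report
```

Run it against a real policy file and a pasted "show access-list counter" capture to get the list of counters to rename or to include in a GTAC case.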
Rich

Hi All. I know this reply is 6 months old now....... This issue went back below the radar for a while, and has now raised its head again... boo, hiss, boo.....

Anyway, I did try changing the naming convention of counters and no difference was seen.  The code on the switches in question has been updated and is now 16.1.3.6.

Does anyone else see this "not well-formed (invalid data)" line at the bottom of their counter list?

What is odd is that some of the counters showing actually appear to have longer names, use a non-standard character (&), and are further down the ACL than other defined counters which do not appear in the counter list.

If anyone else has seen this, it might give me an idea of why the ACL passes syntax checking but the defined counters seem to be random in the fact that some work and some don't...

Thanks

Rich