https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5057411#M1110644 <P>Hello all</P><P>I'm receiving hundreds of warning messages i am getting in our syslog from our Cisco ASA 5516-x. The warning message is:</P><P>Message: %FTD-4-419002: Duplicate TCP SYN from it-client-ap:10.245.xx.1x/54557 to outside:5x.1xx.1x9.x/443 with different initial sequence number<BR />Message: %FTD-4-419002: Duplicate TCP SYN from it-client-ap:10.245.xx.1x/50650 to outside:5x.1xx.1x9.x/443 with different initial sequence number<BR />Message: %FTD-4-419002: Duplicate TCP SYN from it-client-ap:10.245.xx.1x/50650 to outside:5x.1xx.1x9.x/443 with different initial sequence number</P><P>This messages appears during working hours when users connected to WIFI office VLAN using the inside ASA port (it-client-ap) and maybe on other vlans like LAN but what im facing now is big numbers of warning massages coming through that interface above</P><P>im not sure if this is kind of flooding attack of kid of DoS attacks but how can i resolve this issue and what kind of show commands that i can use to troubleshoot and try to solve ,</P><P>Note: Also i have no problems with any services on my private network, like internet connection and VPN S2S works fine, though I'm still concerned about what's going on because there's large amount of those logs per day</P><P>Current ASA version is : Cisco ASA5516-X Threat Defense (75) Version 7.0.1 (Build 84)<BR />Also no routing configured on ASA and ASA is directly connected to L3 core switch</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="amralrazzaz_1-1712331470872.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/214986iB3A3FB66C723C733/image-size/medium?v=v2&amp;px=400" role="button" title="amralrazzaz_1-1712331470872.png" alt="amralrazzaz_1-1712331470872.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="amralrazzaz_0-1712331612135.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/214987i4336423384F2BC60/image-size/medium?v=v2&amp;px=400" role="button" title="amralrazzaz_0-1712331612135.png" alt="amralrazzaz_0-1712331612135.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 05 Apr 2024 15:40:42 GMT amralrazzaz 2024-04-05T15:40:42Z https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5057411#M1110644 <P>Hello all</P><P>I'm receiving hundreds of warning messages i am getting in our syslog from our Cisco ASA 5516-x. The warning message is:</P><P>Message: %FTD-4-419002: Duplicate TCP SYN from it-client-ap:10.245.xx.1x/54557 to outside:5x.1xx.1x9.x/443 with different initial sequence number<BR />Message: %FTD-4-419002: Duplicate TCP SYN from it-client-ap:10.245.xx.1x/50650 to outside:5x.1xx.1x9.x/443 with different initial sequence number<BR />Message: %FTD-4-419002: Duplicate TCP SYN from it-client-ap:10.245.xx.1x/50650 to outside:5x.1xx.1x9.x/443 with different initial sequence number</P><P>This messages appears during working hours when users connected to WIFI office VLAN using the inside ASA port (it-client-ap) and maybe on other vlans like LAN but what im facing now is big numbers of warning massages coming through that interface above</P><P>im not sure if this is kind of flooding attack of kid of DoS attacks but how can i resolve this issue and what kind of show commands that i can use to troubleshoot and try to solve ,</P><P>Note: Also i have no problems with any services on my private network, like internet connection and VPN S2S works fine, though I'm still concerned about what's going on because there's large amount of those logs per day</P><P>Current ASA version is : Cisco ASA5516-X Threat Defense (75) Version 7.0.1 (Build 84)<BR />Also no routing configured on ASA and ASA is directly connected to L3 core switch</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="amralrazzaz_1-1712331470872.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/214986iB3A3FB66C723C733/image-size/medium?v=v2&amp;px=400" role="button" title="amralrazzaz_1-1712331470872.png" alt="amralrazzaz_1-1712331470872.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="amralrazzaz_0-1712331612135.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/214987i4336423384F2BC60/image-size/medium?v=v2&amp;px=400" role="button" title="amralrazzaz_0-1712331612135.png" alt="amralrazzaz_0-1712331612135.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 05 Apr 2024 15:40:42 GMT https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5057411#M1110644 amralrazzaz 2024-04-05T15:40:42Z https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5057420#M1110645 <P>check is there is any asymmetric in routing&nbsp;</P> <P>MHM</P> Fri, 05 Apr 2024 15:41:14 GMT https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5057420#M1110645 MHM Cisco World 2024-04-05T15:41:14Z https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5057423#M1110646 <P>Can you please share with me more details and how to check !?&nbsp;</P><P>No routing configured on the&nbsp; ASA its just&nbsp;</P><P>ISP---ASA---L3 CORE SWITCH</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="amralrazzaz_0-1712331821796.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/214988iDF4618E98BAC967A/image-size/medium?v=v2&amp;px=400" role="button" title="amralrazzaz_0-1712331821796.png" alt="amralrazzaz_0-1712331821796.png" /></span></P><P>&nbsp;</P><P>&nbsp; &nbsp; &nbsp;</P><P>&nbsp;</P> Fri, 05 Apr 2024 15:44:17 GMT https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5057423#M1110646 amralrazzaz 2024-04-05T15:44:17Z https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5057517#M1110651 <P>It clear there is no need routing all subnet direct connect (except defualt route for internet it needed...)</P> <P>Check this link</P> <P><SPAN><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100830-asa-pix-netattacks.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100830-asa-pix-netattacks.html</A></SPAN></P> <P><SPAN>It can DDoS so shun the IP or add ACL drop connect from this IP.</SPAN></P> <P><SPAN>MHM</SPAN></P> Sat, 06 Apr 2024 18:17:05 GMT https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5057517#M1110651 MHM Cisco World 2024-04-06T18:17:05Z https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5057541#M1110656 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/361173">@amralrazzaz</a> if this traffic is from source inside to outside, then a device on the inside of the network is either spoofing traffic or misbehaving.</P> <SECTION class="body conbody"> <P class="p"><STRONG class="ph b">Error Message </STRONG><CODE class="ph codeph">%<SPAN class="ph">FTD</SPAN>-4-419002: Received duplicate TCP SYN from <EM class="ph i">in_interface</EM> :<EM class="ph i">src_address</EM> /<EM class="ph i">src_port</EM> to <EM class="ph i">out_interface</EM> :<EM class="ph i">dest_address</EM> /<EM class="ph i">dest_port</EM> with different initial sequence number.</CODE></P> <P class="p"><STRONG class="ph b">Explanation </STRONG> A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number from the SYN that opened the embryonic connection. <U>This may indicate that SYNs are being spoofed.</U> This message occurs in Release 7.0.4.1 and later.</P> <P class="p">Is it just the one device (10.245.xx.1x) or multiple devices generating these alerts?</P> <P class="p">I would physically find the device(s) that is generating these events and see if its a rogue device or there is an issue with it and if needs be remove it from the network.</P> </SECTION> Fri, 05 Apr 2024 18:01:57 GMT https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5057541#M1110656 Rob Ingram 2024-04-05T18:01:57Z https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5057581#M1110661 <P>Dear its coming from multiple devices , i thin whenever there is client connected to wifi office it keep sending these kind of waring massages from them to our syslog system not only one device and once all these client disconnected from the wifi office network this massage disappeared</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 05 Apr 2024 18:28:12 GMT https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5057581#M1110661 amralrazzaz 2024-04-05T18:28:12Z https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5058343#M1110678 <P>Can show me how to shun the IP addresses which appears on logsys and what does shun do to that ip , is it blocking that ip totally from accessing the network or just block the huge traffic coming from that device ! because i have more devices with same massages coming from them!</P> Sat, 06 Apr 2024 12:02:21 GMT https://community.cisco.com/t5/network-security/ftd-duplicate-tcp-syn-from-inside-to-outside-with-different/m-p/5058343#M1110678 amralrazzaz 2024-04-06T12:02:21Z