topic Re: dupplicate tcp syn anyconnect in Network Security

dupplicate tcp syn anyconnect

D Le Wando — Tue, 20 Aug 2024 11:23:30 GMT

Hi,
I'm getting dupplicate syn from our Firepower FTD. The setup is that VPN clients connect via outside (Internet) to access internal stuff. The VPN Clients get an IP from pool 10.1.1.x (for example) to access internal 10.2.2.x.
Internet also needs to be routed to the tunnel that a transparent proxy is able to check the surfing, so the default route also needs to be routed for the client VPN.
The routing on FTD is as following:

Gateway of last resort is 3.3.3.30 to network 0.0.0.0 S* 0.0.0.0 0.0.0.0 [1/0] via 3.3.3.30, int-outside V 10.1.1.1 255.255.255.255 connected by VPN (advertised), int-outside V 10.1.1.2 255.255.255.255 connected by VPN (advertised), int-outside S 10.1.1.0 255.255.255.0 [1/0] is directly connected, Null0 S 0.0.0.0 0.0.0.0 [255/0] via 4.4.4.99, int-inside tunneled

Hundreds of users generate this dup syn in syslog that FTD thinks it's a syn attack:

%FTD-4-419002: Duplicate TCP SYN from int-outside:10.1.1.2/54931 to int-inside:10.2.2.1/443 with different initial sequence number %FTD-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 83 per second, max configured rate is 10; Current average rate is 191 per second, max configured rate is 5; Cumulative total count is 115037 %FTD-4-733100: [ SYN attack] drop rate-1 exceeded. Current burst rate is 71 per second, max configured rate is 200; Current average rate is 162 per second, max configured rate is 100; Cumulative total count is 97341 %FTD-4-419002: Duplicate TCP SYN from int-outside:10.1.1.1/54462 to int-inside:10.2.2.2/443 with different initial sequence number

So I tried to use this null route to avoid creating dupplicate syn:

S 10.1.1.0 255.255.255.0 [1/0] is directly connected, Null0

but it doesn't help.
Do you have an idea how to solve this issue?

Re: dupplicate tcp syn anyconnect

MHM Cisco World — Tue, 20 Aug 2024 11:33:18 GMT

Sure issue is this defualt route tunneled' remove it and config static route for 10.2.2.x (internal route)

S        0.0.0.0 0.0.0.0 [255/0] via 4.4.4.99, int-inside tunneled

And issue will solved.

MHM

Re: dupplicate tcp syn anyconnect

D Le Wando — Tue, 20 Aug 2024 12:59:43 GMT

the problem is, that internet is also used by client VPN through tunnel. So all official IPs need to be routed to internal (which goes to transparent proxy)

Re: dupplicate tcp syn anyconnect

MHM Cisco World — Wed, 21 Aug 2024 07:11:02 GMT

the problem is, that internet is also used by client VPN through tunnel. So all official IPs need to be routed to internal (which goes to transparent proxy) <<- then it return to FTD to forward to internet ?
MHM

Re: dupplicate tcp syn anyconnect

D Le Wando — Wed, 21 Aug 2024 06:54:04 GMT

Scenario 1 Internet access:
Anyconnect Client - Internet - FTD - Transp.Proxy - Internet

Scenario 2 access to internal:
Anyconnect Client - Internet - FTD - internal

Re: dupplicate tcp syn anyconnect

MHM Cisco World — Wed, 21 Aug 2024 07:14:03 GMT

Scenario 2 access to internal:
Anyconnect Client - Internet - FTD - internal <<- this scenario if you add static route to 10.2.2.x instead of default route tunneled I think there is no problem at all

Scenario 1 Internet access:
Anyconnect Client - Internet - FTD - Transp.Proxy - Internet<<- how transp proxy connect to internet via FTD' i.e. the traffic retrun to FTD to access internet ?

MHM

Re: dupplicate tcp syn anyconnect

D Le Wando — Wed, 21 Aug 2024 07:22:00 GMT

Scenario 1 Internet access:
Anyconnect Client - Internet - FTD - Transp.Proxy - Internet<<- how transp proxy connect to internet via FTD' i.e. the traffic retrun to FTD to access internet ?
--> No. The Transp.Proxy has it's own Internet access

Re: dupplicate tcp syn anyconnect

Marius Gunnerud — Thu, 22 Aug 2024 06:17:19 GMT

Does the proxy have a public IP configured directly on an interface or is it an IP NAT'ed through the FTD?

Or perhaps is the proxy just a "bump in the wire" meaning just forwarding traffic without changing source or destination IP?

I think the issue might be the second scenario.

The traffic from AnyConnect reaches the FTD and the FTD creates a connection for this session and sends the traffic to the proxy server.
proxy server inspects traffic and forwards the traffic back to the FTD without changing any source IPs
FTD sees a second connection attempt with the same source and destination IP and flags as duplicate syn.

Solutions to this would be to have the proxy perform NAT for the source addresses, or install another internet gateway firewall / virtual firewall / context / multi instance / whatever.

Re: dupplicate tcp syn anyconnect

MHM Cisco World — Thu, 22 Aug 2024 10:08:11 GMT

FTD: How to enable TCP State Bypass Configuration using FlexConfig Policy - Cisco

If the egress different than ingress then try use tcp bypass for traffic from VPN Pool to ANY <<- dont config it ANY to ANY

MHM

Re: dupplicate tcp syn anyconnect

Marius Gunnerud — Thu, 22 Aug 2024 10:24:23 GMT

TCP bypass should be a last resort, and I would suggest not using it. The issue is most likely that the proxy is just inspecting traffic and passing it back to the FTD. Solve that issue rather than using TCP bypass in my opinion.

Re: dupplicate tcp syn anyconnect

MHM Cisco World — Thu, 22 Aug 2024 11:02:46 GMT

He have duplicate Sny so this appear when there is asymmetric routing and he confirm that.

Thanks

MHM

Re: dupplicate tcp syn anyconnect

D Le Wando — Fri, 23 Aug 2024 07:59:20 GMT

In real, there are 2 FTDs:
Scenario 1 Internet access:
Anyconnect Client - Internet - FTD1 (used for anyconnect) - FTD2 (used for firewalling) - Transp.Proxy - Internet

So the 2nd FTD also see the dup syn which were created by the 1st FTD:
FTD2: Duplicate TCP SYN from int-from-FTD1:10.1.1.1/54131 to int-to-transparent-proxy:193.99.144.85/443 with different initial sequence number

1st time I thought that it's dropped by ASP, but it's not. It seems that all this dup syn are forwarded to next hop 😞

Btw, there's no NAT by FTD2 (to answer the question from @Marius Gunnerud )
The real technique of transparent proxy is not known by me, but I think it doesn't matter to the dup dync issue, because the issue is created by FTD1

Re: dupplicate tcp syn anyconnect

ccieexpert — Mon, 26 Aug 2024 01:53:18 GMT

if this is easily reproducible, then you should take packet captures with trace detail option.. also provide logs of the initial connection and duplicate one.

there is a option include-decrypted.. use that for the outside interface... I feel like there is a potential loop or your last diagram is not accurate... when it goes to the internet which firewall is doing the NATing ?

Re: dupplicate tcp syn anyconnect

D Le Wando — Mon, 26 Aug 2024 09:54:25 GMT

Thx for the capture hint. Now I see that NOT all packets are duplicated. I tried with my own client and see NO dup. So it seems that there's something special that causes dup packets ... I will troubleshoot this deeper...
BTW, the NAT is done from transparent Proxy or behind. There's no NAT on FTD1/FTD2

Re: dupplicate tcp syn anyconnect

D Le Wando — Mon, 26 Aug 2024 15:08:53 GMT

I picked 1 syslog message "%FTD-4-419002: Duplicate TCP SYN from int-outside:10.x.x.x/56521 to int-inside:10.y.y.y/443 with different initial sequence number"
and checked outside + inside capture. Both captures show me that there's no duplicate packet at all regarding this syslog message. So in real, the FTD1 is NOT creating any additional packet or whatever. All packets which are in the tunnel (from outside) are the same as routed to internal.
So all seems good for me now. It's very annoing that my syslog is flooded with this messages (if severity is set to "warning" instead of "error", but I added a syslog level feature "419002" with 1 message and interval of 1 second now. With this setting, the flooding is stopped now.
Thx to all of you guys for your support!

Re: dupplicate tcp syn anyconnect

MHM Cisco World — Mon, 26 Aug 2024 15:16:04 GMT

Wait and see it will appear again

Update me when you see it again

Note:- you eun two anyconnect when you eun more then issue will be effect cpu and slow your FW.

MHM

Re: dupplicate tcp syn anyconnect

ccieexpert — Mon, 26 Aug 2024 16:02:03 GMT

thanks for the update... i would dig deeper.. if the first syslog and the 5-tuple is different from 2nd syslog with duplicate sync, and you dont see a packet... then open a TAC case... what version are you runnning ? also review captures on both interfaces again to be completely sure there is no duplicate when the syslog comes in...