topic Duplicate TCP SYN on ASA Firewall for LPD service in Network Security https://community.cisco.com/t5/network-security/duplicate-tcp-syn-on-asa-firewall-for-lpd-service/m-p/2381115#M308144 <P>Hello<SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P><P></P><P></P><P>On my ASA Firewall I noticed in logs the following warnings:</P><P></P><P>4&nbsp;&nbsp;&nbsp; Nov 28 2013&nbsp;&nbsp;&nbsp; 11:31:13&nbsp;&nbsp;&nbsp; 419002&nbsp;&nbsp;&nbsp; 10.0.0.1&nbsp;&nbsp;&nbsp; 731&nbsp;&nbsp;&nbsp; 20.0.0.1&nbsp;&nbsp;&nbsp; 515&nbsp;&nbsp;&nbsp; Duplicate TCP SYN from WAN:10.0.0.1/731 to DMZ:20.0.0.1/515 with different initial sequence number</P><P></P><P>6&nbsp;&nbsp;&nbsp; Nov 28 2013&nbsp;&nbsp;&nbsp; 11:34:26&nbsp;&nbsp;&nbsp; 106015&nbsp;&nbsp; 10.0.0.1&nbsp;&nbsp;&nbsp;&nbsp; 724&nbsp;&nbsp; 20.0.0.1&nbsp;&nbsp;&nbsp;&nbsp; 515&nbsp;&nbsp;&nbsp; Deny TCP (no connection) from 10.0.0.1/724 to 20.0.0.1/515 flags FIN ACK&nbsp; on interface WAN</P><P></P><P>I created the service policy</P><P></P><P> class-map WAN-class</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; match port tcp eq lpd</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; policy-map WAN-policy</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; class WAN-class</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set connection conn-max 0 embryonic-conn-max 0 per-client-max 0 per-client-embryonic-max 0 <STRONG style="color: #000000; ">random-sequence-number disable</STRONG></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; service-policy WAN-policy interface WAN</P><P></P><P></P><P>After apply the map I didn't get any duplicate TCP SYN..... but after a couple of hours they had appered. </P><P></P><P>How to overcome that kind of situation?</P><P></P><P>Kind Regards</P><P>vMario</P> Tue, 12 Mar 2019 03:10:32 GMT yachooo79 2019-03-12T03:10:32Z Duplicate TCP SYN on ASA Firewall for LPD service https://community.cisco.com/t5/network-security/duplicate-tcp-syn-on-asa-firewall-for-lpd-service/m-p/2381115#M308144 <P>Hello<SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P><P></P><P></P><P>On my ASA Firewall I noticed in logs the following warnings:</P><P></P><P>4&nbsp;&nbsp;&nbsp; Nov 28 2013&nbsp;&nbsp;&nbsp; 11:31:13&nbsp;&nbsp;&nbsp; 419002&nbsp;&nbsp;&nbsp; 10.0.0.1&nbsp;&nbsp;&nbsp; 731&nbsp;&nbsp;&nbsp; 20.0.0.1&nbsp;&nbsp;&nbsp; 515&nbsp;&nbsp;&nbsp; Duplicate TCP SYN from WAN:10.0.0.1/731 to DMZ:20.0.0.1/515 with different initial sequence number</P><P></P><P>6&nbsp;&nbsp;&nbsp; Nov 28 2013&nbsp;&nbsp;&nbsp; 11:34:26&nbsp;&nbsp;&nbsp; 106015&nbsp;&nbsp; 10.0.0.1&nbsp;&nbsp;&nbsp;&nbsp; 724&nbsp;&nbsp; 20.0.0.1&nbsp;&nbsp;&nbsp;&nbsp; 515&nbsp;&nbsp;&nbsp; Deny TCP (no connection) from 10.0.0.1/724 to 20.0.0.1/515 flags FIN ACK&nbsp; on interface WAN</P><P></P><P>I created the service policy</P><P></P><P> class-map WAN-class</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; match port tcp eq lpd</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; policy-map WAN-policy</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; class WAN-class</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set connection conn-max 0 embryonic-conn-max 0 per-client-max 0 per-client-embryonic-max 0 <STRONG style="color: #000000; ">random-sequence-number disable</STRONG></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; service-policy WAN-policy interface WAN</P><P></P><P></P><P>After apply the map I didn't get any duplicate TCP SYN..... but after a couple of hours they had appered. </P><P></P><P>How to overcome that kind of situation?</P><P></P><P>Kind Regards</P><P>vMario</P> Tue, 12 Mar 2019 03:10:32 GMT https://community.cisco.com/t5/network-security/duplicate-tcp-syn-on-asa-firewall-for-lpd-service/m-p/2381115#M308144 yachooo79 2019-03-12T03:10:32Z Duplicate TCP SYN on ASA Firewall for LPD service https://community.cisco.com/t5/network-security/duplicate-tcp-syn-on-asa-firewall-for-lpd-service/m-p/2381116#M308145 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Have you identified what machine is sending these SYN packets (ip 10.0.0.1)?&nbsp; I have heard of some applications trying to initiate several connections at a time.&nbsp; Have you introduced any new machines/PC to the network recently?&nbsp; How long have you been seeing these messages?</P><P></P><P>I would first of all protect your network against SYN flood attacks as your network is currently wide open, given the configuration you posted.&nbsp; The following config will help minimize your exposure to a SYN flood attack.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">policy-map WAN-policy</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">class WAN-class</P><P style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">set connection conn-max 100</P><P style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">set connection embryonic-conn-max 200</P><P style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">set connection per-client-embryonic-max 7</P><P style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">set connection per-client-max 5</P><P style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">set connection random-sequence-number enable</P><P style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">set connection timeout embryonic 0:0:45</P><P></P><P style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">The below link goes more in depth on attack mitigation and might be worth you reading.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml">http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml</A></P><P></P><P>--</P><P>Please rate all helpful posts</P></BODY></HTML> Thu, 28 Nov 2013 18:49:17 GMT https://community.cisco.com/t5/network-security/duplicate-tcp-syn-on-asa-firewall-for-lpd-service/m-p/2381116#M308145 Marius Gunnerud 2013-11-28T18:49:17Z