https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088854#M394172 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Is the destination address some VPN Client Pool?</P><P></P><P>Can you share your ASA configuration also?</P><P></P><P>- Jouni</P></BODY></HTML> Wed, 12 Dec 2012 22:46:53 GMT Jouni Forss 2012-12-12T22:46:53Z https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088853#M394170 <P>Hello, I'm having an issue allowing legitimate network traffic out. My ASA logs are filling up with: </P><P></P><P>%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.41/xxxx to outside:172.16.1.215/xxxx with different initial sequence number</P><P></P><P>The traffic is known and good traffic. TCP-bypass did not appear to resolve this issue. </P><P></P><P>Are there any other workarounds or suggestions?</P><P></P><P>Thanks in advance,</P><P></P><P>James </P> Tue, 12 Mar 2019 00:36:39 GMT https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088853#M394170 Spagsterj 2019-03-12T00:36:39Z https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088854#M394172 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Is the destination address some VPN Client Pool?</P><P></P><P>Can you share your ASA configuration also?</P><P></P><P>- Jouni</P></BODY></HTML> Wed, 12 Dec 2012 22:46:53 GMT https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088854#M394172 Jouni Forss 2012-12-12T22:46:53Z https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088855#M394173 <HTML><HEAD></HEAD><BODY><P>No, the destination address is a public server. However, the client 192.168.1.41 is contacting 172.16.1.215 using a VPN client. Communication between these two hosts pairs is wide open. </P></BODY></HTML> Thu, 13 Dec 2012 01:05:19 GMT https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088855#M394173 Spagsterj 2012-12-13T01:05:19Z https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088856#M394174 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Are you saying that 192.168.1.41 is a VPN Client user IP and 172.16.1.215 IP is some server?</P><P></P><P>If this is the case then its pretty wierd considering the log messages states that the 192.168.1.41 is behind "inside" and 172.16.1.215 is behind "outside"</P><P></P><P>Or are we perhaps talking about a connection attempt through a L2L VPN and not Client VPN? I mean a connection between 2 LANs connected by Site to Site VPN.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 13 Dec 2012 10:30:31 GMT https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088856#M394174 Jouni Forss 2012-12-13T10:30:31Z https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088857#M394180 <HTML><HEAD></HEAD><BODY><P>Yes, 192.168.1.41 is the client/PC on the inside and 172.16.1.215 is a server on another network, which is accessable via the outside interface.&nbsp; 192.168.1.41 is attempting to connect using it's VPN client to 172.16.1.215. </P><P></P><P>The VPN client or server is not Cisco - I did get it to work by writing a tcp-bypass policy, however I still beleive it should work without having to write the tcp-bypass policy. </P><P></P><P>Thanks!</P></BODY></HTML> Thu, 13 Dec 2012 13:53:01 GMT https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088857#M394180 Spagsterj 2012-12-13T13:53:01Z https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088858#M394181 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Perfom a capture on the inside interface of the ASA matching this traffic, then create one to check the ASP drops...</P><P></P><P>capture capin interface inside match tcp host 192.168.1.41 host 172.16.1.215 </P><P>cap asp type asp-drop all circular-buffer</P><P></P><P>Then without the TCP-state-bypass in place attemtp to connect ( just one connection) and share the following</P><P></P><P>show cap capin</P><P>show cap asp | include 172.16.1.215</P><P></P><P>Regards</P></BODY></HTML> Thu, 13 Dec 2012 17:05:24 GMT https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088858#M394181 Julio Carvajal 2012-12-13T17:05:24Z https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088859#M394182 <HTML><HEAD></HEAD><BODY><P>Here is the packet capture. TCP-bypass was turned-off.</P><P></P><P>ASA(config)# show cap capin</P><P></P><P>3 packets captured</P><P></P><P>&nbsp;&nbsp; 1: 10:45:36.372569 802.1Q vlan#10 P0 192.168.1.41.1194 &gt; 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535 <MSS 1460=""></MSS></P><P>&nbsp;&nbsp; 2: 10:45:39.372402 802.1Q vlan#10 P0 192.168.1.41.1194 &gt; 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535 <MSS 1460=""></MSS></P><P>&nbsp;&nbsp; 3: 10:45:42.572297 802.1Q vlan#10 P0 192.168.1.41.1194 &gt; 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535 <MSS 1460=""></MSS></P><P>3 packets shown</P><P></P><P></P><P>ASA(config)# show cap asp | include 172.16.1.215</P></BODY></HTML> Fri, 14 Dec 2012 15:57:00 GMT https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088859#M394182 Spagsterj 2012-12-14T15:57:00Z https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088860#M394183 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>In this case we only see the SYN packets, no SYN-ACK..</P><P></P><P>The ASA does not seem to be dropping it as you do not have those packets on the ASP capture...</P><P></P><P></P><P>Is there a way you could run a capture on the server side ( if there is an ASA run it there) or on the server itself to make sure he is receiving the SYN packets,</P><P></P><P>Regards</P></BODY></HTML> Fri, 14 Dec 2012 17:20:15 GMT https://community.cisco.com/t5/network-security/duplicate-tcp-syn/m-p/2088860#M394183 Julio Carvajal 2012-12-14T17:20:15Z