ASA-4-41900

aeryilmaz
Level 1

Hi all,

This is one that's come up in the Community before, but none seem to fit my scenario.

I'm getting these errors at regular intervals. The source IPs are from my pair of F5 BigIP LTMs that are directly connected off the DMZ interface.

Sep 01 2011 17:32:04: %ASA-4-419002: Duplicate TCP SYN from dmz:172.250.50.9/57400 to inside:172.250.10.86/80 with different initial sequence number

Sep 01 2011 17:32:43: %ASA-4-419002: Duplicate TCP SYN from dmz:172.250.50.8/46246 to inside:172.250.30.21/25 with different initial sequence number

I am seeing input errors on the switch port connecting the ASA DMZ interface:

    764 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored

I am running EIGRP on the ASA:

    router eigrp 10
     network 172.250.50.0 255.255.254.0
     network 172.250.0.0 255.255.0.0

Any troubleshooting suggestions?

Thanks!

7 Replies

Maykol Rojas
Cisco Employee

Hi,

I would first take a look at the source to see if it is actually sending duplicate TCP SYNs; the ASA will drop them since each is just a duplicate packet.

Take a capture or a tcpdump on the source and check if two SYNs are leaving towards the ASA interface.

Mike

Thanks, Mike. Will do. Good idea.

How did this turn out? I'm having the exact same issue.

I have not yet got to the bottom of this. I ran captures watching traffic from my BigIP and did not see duplicate sequence numbers. So, the alerts appear to be cosmetic, but I have not yet proved that.

Are you running F5 LTMs as well? Those load balancers have a "one-connect" feature that I suspect may be related.

It's not the OneConnect profile; it's disabled on my virtual server.

All,

If you take a capture on the incoming interface of the firewall and yet you see the duplicate packets there, it would be a good idea to take a look at a packet capture to see the source mac-addresses and check if they are different. Another good thing to do is to check if the switch is seeing the same mac-address (in this case the ASA one) on two different ports, as the switch will forward the packet on both switchports and hence the ASA will receive it twice.

Just to narrow down what the problem is.

Thanks.

Mike

Finally....

The BigIP is re-using source ports too fast in its default configuration (15-20 ms after the initial FIN). You need to tune the half-close timeout value on the server, the ASA and the BigIP to the same value.
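As an added example (not code from anyone in this thread), the following Python script ties the two diagnostic steps together: it parses the flow out of a %ASA-4-419002 syslog line, and it walks a capture of SYN/FIN events per 4-tuple to separate a plain SYN retransmission (same ISN) from the fast source-port reuse described above (new ISN within a few milliseconds of the previous FIN). The capture rows and the 50 ms window are constructed assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Regex for the %ASA-4-419002 message format quoted in this thread.
SYSLOG_RE = re.compile(
    r"%ASA-4-419002: Duplicate TCP SYN from \w+:([\d.]+)/(\d+) "
    r"to \w+:([\d.]+)/(\d+) with different initial sequence number")

def parse_419002(line):
    """Return the (src_ip, src_port, dst_ip, dst_port) named in a 419002 line, or None."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))

# Constructed capture rows (time, src, sport, dst, dport, flag, seq) standing in for a
# capture taken on the ASA dmz interface; the values are made up for this example.
CAPTURE = [
    ("17:32:03.950", "172.250.50.9", 57400, "172.250.10.86", 80, "SYN", 1000),
    ("17:32:03.980", "172.250.50.9", 57400, "172.250.10.86", 80, "FIN", 1400),
    ("17:32:03.998", "172.250.50.9", 57400, "172.250.10.86", 80, "SYN", 5123),
    ("17:32:10.000", "172.250.50.8", 46246, "172.250.30.21", 25, "SYN", 777),
    ("17:32:11.000", "172.250.50.8", 46246, "172.250.30.21", 25, "SYN", 777),
]

def _ms_between(t0, t1):
    """Milliseconds from t0 to t1 for HH:MM:SS.fff strings taken on the same day."""
    fmt = "%H:%M:%S.%f"
    delta = datetime.strptime(t1, fmt) - datetime.strptime(t0, fmt)
    return (delta // timedelta(microseconds=1)) / 1000

def classify_syns(rows, window_ms=50):
    """Tag every repeated SYN per 4-tuple: 'retransmit' if the ISN is unchanged,
    'fast-port-reuse' if the ISN changed within window_ms of that flow's last FIN,
    'new-connection' otherwise. Returns {flow: [(time, tag, ms_since_fin), ...]}."""
    last_fin, last_isn, findings = {}, {}, {}
    for time, src, sport, dst, dport, flag, seq in sorted(rows):
        flow = (src, sport, dst, dport)
        if flag == "FIN":
            last_fin[flow] = time
            continue
        if flag != "SYN":
            continue
        if flow in last_isn:  # a SYN for a 4-tuple we have already seen a SYN for
            since_fin = _ms_between(last_fin[flow], time) if flow in last_fin else None
            if seq == last_isn[flow]:
                tag = "retransmit"
            elif since_fin is not None and since_fin <= window_ms:
                tag = "fast-port-reuse"
            else:
                tag = "new-connection"
            findings.setdefault(flow, []).append((time, tag, since_fin))
        last_isn[flow] = seq
    return findings
```

Feeding the flows returned by parse_419002 into a lookup on classify_syns output tells you whether each 419002 line lines up with a port reuse right after a FIN, which is the pattern the timeout tuning above addresses.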
