Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2991
Views
0
Helpful
4
Replies

Anyconnect VPN user generating ASA-4-419002 errors in log

Jeffrey Warn
Level 1
Level 1

‎07-21-2011 10:44 AM - edited ‎03-11-2019 02:01 PM

Consistently I see similar errors like this in my logs. The src address is actually my SCCM server (policy server) and the dst address is a remote VPN user who connects with the AnyConnect client.

%ASA-4-419002: Duplicate TCP SYN from inside:10.2.152.69/2974 to inside:10.2.252.230/139 with different initial sequence number

%ASA-4-419002: Duplicate TCP SYN from inside:10.2.152.69/2973 to inside:10.2.252.230/445 with different initial sequence number

I'd like to try and clean up these errors if possible. Any ideas on what can be done to try and see what the cause of these are?

Thanks

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Parminder Sian
Level 1
Level 1

‎07-24-2011 10:41 PM

Hi Jeffery,

This syslog is indicative of an IP being spoofed, since it is receving a
duplicate TCP SYN packet from another source. A duplicate TCP SYN was
received during the three-way-handshake that has a different initial
sequence number than the SYN that opened the embryonic connection. This
could indicate that SYNs are being spoofed.

The firewall is doing its bit by dropping these duplicate packets and that's
why you are seeing these error messages generated.

I would like to suggest you to troubleshoot the host to determine the reason
why it is sending duplicates or if that is spoofed by other computer coming
from another MAC address.

Regards,
Sian
0 Helpful

tom.bakry
Level 1
Level 1

‎03-20-2012 05:58 AM


Hi Jeffrey,

I have the same issue.  We squelched the SCCM server to limit its efforts, just to stop the pain, but, we don't have any answer yet.  Did you discover why SCCM is giving up and moving on to a new TCP sequence number?  I would like to address the root cause on this issue instead of the symptom.  I have just begun my research, so, if I encounter anything useful, I will be sure to post it here.  Unless someone else beats me to it!

Cheers,

Tom

0 Helpful

burnettg_98
Level 1
Level 1
In response to tom.bakry

‎07-17-2013 11:41 AM

Did you ever find out why the SCCM server was doing this?  I'm having the same issues.

Thanks

0 Helpful

tom.bakry
Level 1
Level 1
In response to burnettg_98

‎07-17-2013 11:49 AM

Sadly, no, I never received any reply on this thread and my available time to research the issue was limited.  I am certainly interested in learning if anyone discovers the root cause or how to eliminate the trouble.

Tom

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card