Re: ASA 5540 duplicate TCP SYN from inside

cisabucho · ‎12-14-2010

Dear,

I keep getting the following warning from the ASA ASDM syslog

Duplicate TCP SYN from inside:192.xx.xx.xx/63993 to outside:xx.xx.xx.xx/25 with different initial sequence number. The client in question sitting on the inside of the ASA is trying to access the mail server outside of our network. Currently the mail server is not responding to smtp requests from our network. Is the log message something to worry about?

regards,

Abebe Amare

sjhamb · ‎12-14-2010

I guess this should be ok. Since mail server is not responding and client is trying to reconnect again but with different initial seq before the existing open connection is torn down in ASA. What are the timestamps?

http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html?bcsi_scan_73B62AB387D5D02C=0&bcsi_scan_filename=logmsgs.html#wp3456474

Explanation A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number than the SYN that opened the embryonic connection. This could indicate that SYNs are being spoofed. This message occurs in Release 7.0.4.1 and later.

in_interface—The input interface.

src_address—The source IP address of the packet.

src_port—The source port of the packet.

out_interface—The output interface.

dest_address—The destination IP address of the packet.

dest_port—The destination port of the packet.

Recommended Action No action required.

Thanks,

SJ

cisabucho · ‎12-14-2010

Hi SJ,

I have attached the output of the ASDM log in a text file (I couldn't copy-paste directly here).

best regards,

Abebe A.