Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1244
Views
5
Helpful
3
Replies

ASA - duplicate TCP SYN syslog 419002

zrunner626
Level 1
Level 1

‎01-06-2023 06:45 AM

I am seeing a large number of duplicate TCP SYN errors on our ASA and FTD. The majority are for the VPN subnet to a Private IP such as 10.0.0.x that does not exist on our network. Seems to me that it could be the local subnet of the VPN client that is getting routed through the VPN possibly... We do split tunneling and send the private IPs toward the ASA and all other straight to the internet.

I tried creating a null route for the 10.0.0.x subnet but we continue to see the error. I came across one article that suggested turning off TCP Randomization for the VPN subnet. Assuming this would be safe since it's tunneled traffic and not NATed traffic.

Would welcome any other suggestions or thoughts.

3 Replies 3

Marius Gunnerud
VIP
VIP

‎01-07-2023 01:23 PM

How did you try to exclude the local networks?  Did you add a deny 0.0.0.0/32 statement in the split-tunnel ACL?  If not, do this and make sure that "allow local LAN access" is checked in the AnyConnect VPN client.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

zrunner626
Level 1
Level 1
In response to Marius Gunnerud

‎01-10-2023 06:55 AM

Hi Marius, Thanks for the response. I was blocking the local networks I was seeing from the inside interface of the ASA. I don't think the 0.0.0.0/32 would work as we are sending all 10.0.0.0/8 traffic through VPN so even if 10.0.0.x/24 is unused for example the traffic is still getting sent thorugh the tunnel. After confirming that the syslog was indeed a message displayed after the packet was dropped I ended up just disabling logging for that syslog ID.

Thanks

0 Helpful

Marius Gunnerud
VIP
VIP
In response to zrunner626

‎01-10-2023 07:25 AM

OK fair enough.  Just so you know, 0.0.0.0/32 specifies the local network that the AnyConnect client is connected to so by denying this in your split tunnel ACL all traffic to the local LAN will not pass through the AnyConnect tunnel.  That being said, if the local LAN where an AnyConnect client is connected to has an overlapping subnet with your office, this office network would not be available to that AnyConnect client.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card