02-26-2019 01:52 AM - edited 02-21-2020 08:51 AM
Hi
I attempted an upgrade of an ASA 5585-X cluster from v.9.1(2) to 9.10(1). The actual upgrade was fine but then we noticed that a large number of servers behind the firewall could not be accessed. This seemed to be intermittent, as some were OK and others were not, even if they were on the same VLAN.
Unfortunately, I could not do much troubleshooting, as this affected some key services, so I had to back out and reboot the cluster on v.9.1(2). As soon as we downgraded, performance was immediately back to normal.
However, looking through our syslogs, I noticed that during the affected period, I have a large number, i.e. at least 500 per minute, of "%ASA-4-419002: Duplicate TCP SYN". During normal operations, before and since the upgrade, I do not see any of these messages.
I'm still researching this but a lot of articles about this error mention spoofing, possible attacks or a routing problem. The cluster is our DMZ firewall, so has internal connections only. If I had some dodgy device on our network or we had a routing issue, surely I would see these messages all the time but I don't.
Has anyone upgraded to v.9.10 yet? Has anyone seen this issue with an upgrade?
Thanks
Roy
04-01-2019 06:42 PM
Hi roysm
It can be just a packet generator, not even a machine with that IP address.
The source and destination interface are the same and this is the default that has security level 100.
I could check, and if you need to send it in private, please do.
Best Regards,
Josiane
Twitter: @securegirlninja