Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1919
Views
0
Helpful
2
Replies

ASA v.9.10 Upgrade Issue

roysm
Level 1
Level 1

‎02-26-2019 01:52 AM - edited ‎02-21-2020 08:51 AM

Hi

 

I attempted an upgrade of a ASA 5585-X cluster from v.9.1(2) to 9.10(1). The actual upgrade was fine but then we noticed that a large number of servers behind the firewall could not be accessed. This seemed to be intermittent, as some were ok others were not, even if they were on the same vlan.

 

Unfortunately, I could not do much troubleshooting, as this affected some key services, so I had to back out and reboot the cluster on v.9.1(2). As soon as we downgraded, performance was immediately back to normal.

 

However, looking through our syslogs, I noticed that during the affected period, I have a large number, i.e. at least 500 per minute, of "%ASA-4-419002: Duplicate TCP SYN". During normal operations, before and since the upgrade, I do not see any of these messages. 

 

I'm still researching this but a lot of articles about this error mention spoofing, possible attacks or a routing problem. The cluster is our DMZ firewall, so has internal connections only. If I had some dodgy device on our network or we had a routing issue, surely I would see these messages all the time but I don't. 

 

Has anyone upgraded to v.9.10 yet? Has anyone seen this issue with an upgrade? 

 

Thanks

Roy

0 Helpful
2 Replies 2

patoberli
VIP Alumni
VIP Alumni

‎03-25-2019 07:44 AM

Haven't upgraded to that release, but it sounds like a bug. I guess there was an issue with the cluster functionality.
There are some updates since 9.10(1) out: https://software.cisco.com/download/home/283123066/type/280775065/release/9.10.1%20Interim
Release notes: https://www.cisco.com/web/software/280775065/144339/ASA-9101-Interim-Release-Notes.html
0 Helpful

Josiane de Barros Silva
Level 1
Level 1

‎04-01-2019 06:42 PM

Hi roysm


it can be just a packet generator, not even a machine with that IP address.
The source and destination interface are the same and this is the default that has security level 100.
I could check and if you need to send in private, please.

 

Best Regards,

Josiane

Twitter :@securegirlninja

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card