Can ASA avoid logging duplicate TCP SYN logs from a specific source IP?

valerioplessi
Level 1

Hello!

Due to a software appliance that is sitting behind my ASA, my logs are flooded with this kind of message:

Duplicate TCP SYN from Public DMZ: 206.81.189.10/58640 to Outside: 52.84.27.22/80 with different initial sequence number

This is legitimate behavior for the appliance: it is installed in my network, and it generates probes to build a hop-by-hop path to a target, similar to a traceroute.

Now, the issue is that with so many logs about duplicate TCP SYNs, I might overlook important stuff that gets lost in the ocean of logs.

QUESTION: is it possible to whitelist the source IP that generates the duplicate TCP SYNs so that they are not logged? Or can the logging engine be tuned to skip those logs?

Please note that I am not looking to block the traffic generating the duplicate TCP SYNs, because it is legitimate; I just want to avoid logging it, since there is too much of it and it is flooding my logs.

Here is my hw/sw config for the ASA:

Cisco Adaptive Security Appliance Software Version 9.4(3)12

Device Manager Version 7.7(1)

Hardware: ASA5525

Thanks!

3 Replies

valerioplessi
Level 1

Any feedback from anyone?

Thanks.

Nathan Gagne
Level 1

You have a few options - you can disable TCP sequence randomization based on an ACL match, or you can simply not log any of those messages. The latter will disable the messages altogether, not just for a specific IP, while the former will still log packets that don't hit the ACL.

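The two options from the reply above written out as ASA CLI, plus a third (rate-limiting the syslog ID) that the reply does not mention. This is an added example, not configuration from the thread; it assumes the appliance is the 206.81.189.10 source from the question's log line, that the default global_policy service policy is in place, and the ACL and class-map names are chosen here.

```text
! Option A (per-source): exempt only the probing appliance from TCP ISN
! randomization; SYNs from any other source are still checked and logged.
! Caveat: this host's real ISNs are now passed through unchanged, so the
! ASA no longer hides a weak ISN generator on that box from the outside.
access-list PROBE-APPLIANCE extended permit tcp host 206.81.189.10 any
class-map PROBE-APPLIANCE
 match access-list PROBE-APPLIANCE
policy-map global_policy
 class PROBE-APPLIANCE
  set connection random-sequence-number disable
service-policy global_policy global

! Option B (global): stop generating %ASA-4-419002 for every source.
! Caveat: the same message is the ASA's hint that SYNs may be spoofed,
! so suppressing it hides that signal for all hosts, not just the appliance.
no logging message 419002

! Option C (global, keeps the message): cap it at one copy per 60 seconds
! so the flood is tamed but the log line still shows up as a sample.
logging rate-limit 1 60 message 419002
```

Verify the per-flow option with `show service-policy` (the class should show matching packets) and the logging options with `show logging message 419002` and `show logging rate-limit`.
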
Thanks, let me see if I can implement those!
