10-12-2010 08:06 PM - edited 03-11-2019 11:53 AM
An ASA housing a business application server sends out the given syslog quite often.
419002: Duplicate TCP SYN from LOCAL:10.1.1.75/43415 to MILZONE:10.2.90.26/443 with different initial sequence number
This ASA is on version 7.0(6); Cisco says it is common in these releases.
Is there anything that ought to be inspected in view of this message, or to identify why it is throwing these messages?
TIA.
10-12-2010 08:42 PM
Hi,
The explanation for this log message is that a duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number than the SYN that opened the embryonic connection. This could indicate that SYNs are being spoofed. Someone might be spoofing IP addresses.
Thanks,
Namit
10-12-2010 08:45 PM
If that is so, this LOCAL:10.1.1.75 IP belongs to the interface of the primary firewall before requests reach this server.
How should spoofing be checked if so?
Thank you.
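An added example, not part of the original thread or Cisco's tooling: a small triage script that parses 419002 messages in the format quoted above and groups them by source, so it is clear which source address and which flows produce the duplicates. Only the first sample line comes from the thread; the other lines and all function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches the 419002 message body as it is quoted in the thread.
PATTERN = re.compile(
    r"419002: Duplicate TCP SYN from (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r" to (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# Constructed sample input; only the first line is taken from the thread.
SAMPLE_LOG = """\
419002: Duplicate TCP SYN from LOCAL:10.1.1.75/43415 to MILZONE:10.2.90.26/443 with different initial sequence number
419002: Duplicate TCP SYN from LOCAL:10.1.1.75/43415 to MILZONE:10.2.90.26/443 with different initial sequence number
419002: Duplicate TCP SYN from LOCAL:10.1.1.75/51022 to MILZONE:10.2.90.26/443 with different initial sequence number
419002: Duplicate TCP SYN from LOCAL:10.1.1.80/40000 to MILZONE:10.2.90.26/443 with different initial sequence number
this line is not a 419002 message and is skipped
"""

def parse(lines):
    """Yield one dict per 419002 message; any other line is ignored."""
    for line in lines:
        match = PATTERN.search(line)
        if match:
            yield match.groupdict()

def summarize(events):
    """Group events by source interface/IP; count flows and repeated 4-tuples."""
    by_src = defaultdict(Counter)
    for e in events:
        flow = (e["src_port"], e["dst_ip"], e["dst_port"])
        by_src[(e["src_if"], e["src_ip"])][flow] += 1
    report = []
    for (src_if, src_ip), flows in by_src.items():
        report.append({
            "source": f"{src_if}:{src_ip}",
            "events": sum(flows.values()),
            "distinct_flows": len(flows),
            "destinations": sorted({f"{d}/{p}" for _, d, p in flows}),
            # Same source port and destination logged more than once.
            "repeated_flows": sorted(f for f, n in flows.items() if n > 1),
        })
    # Busiest source first.
    return sorted(report, key=lambda r: r["events"], reverse=True)

if __name__ == "__main__":
    for row in summarize(parse(SAMPLE_LOG.splitlines())):
        print(row)
```

The first row of the report is the source to look at first in a packet capture; `repeated_flows` lists the exact source port and destination pairs that were logged more than once.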