cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1108
Views
0
Helpful
2
Replies

different initial sequence no.

suthomas1
Frequent Contributor
Frequent Contributor

an asa housing a business application server sends out given syslogs quite often.

419002: Duplicate TCP SYN from LOCAL:10.1.1.75/43415 to MILZONE:10.2.90.26/443 with different initial sequence number


this asa is on version 7.0(6) , cisco says it is common in these rel.

is there anything that ought to be inspected in view of this message. or to identify why it is throwing these messages.

TIA.

2 REPLIES 2

Namit Agarwal
Cisco Employee
Cisco Employee

Hi ,

The explanation for this log message is that a duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number than the SYN that opened the embryonic connection. This could indicate that SYNs are being spoofed. Someone might be spoofing IP addresses.

Thanks,

Namit

if that is so, this LOCAL:10.1.1.75 ip belongs to interface of primary firewall before requests reach this server.

how should spoofing be checked if so.

thank you.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: