Duplicate TCP SYN log entries

Johnny Flanagan
Level 1

I have an appliance capturing syslog information from my ASA5520. I am seeing a TON of entries for ASA-4-419002: Duplicate TCP SYN from inside:XXX.XXX.XXX.XXX/##### to inside:YYY.YYY.YYY.YYY/44487 with different initial, with the first IP address logged with several different ports, and the second IP address as the exact same IP/port every time. This happens across a few other FROM addresses as well, with each of them pointing to a single IP/port pair.

What I want to know: How do I get rid of these? Is this indicative of some sort of spoofing or attack? Should I be concerned about some sort of malware on the inside, or is the firewall catching some sort of SYN attack originating from outside? Or is it just something I should ignore as the ASA is doing its job?
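A small triage script for the pattern in this question, added here as an example and not part of the thread: it parses ASA-4-419002 lines out of a syslog export and groups them by destination socket, so a destination that collects many source ports from endpoints on the same interface (the inside-to-inside case above) stands out from isolated entries. The sample log lines, addresses and ports are constructed for illustration.

```python
import re

# Constructed sample ASA-4-419002 syslog; all addresses, ports and interfaces are invented.
SAMPLE_LOG = """\
%ASA-4-419002: Duplicate TCP SYN from inside:10.60.0.7/51002 to inside:10.1.1.25/44487 with different initial sequence number
%ASA-4-419002: Duplicate TCP SYN from inside:10.60.0.7/51003 to inside:10.1.1.25/44487 with different initial sequence number
%ASA-4-419002: Duplicate TCP SYN from inside:10.60.0.7/51004 to inside:10.1.1.25/44487 with different initial sequence number
%ASA-4-419002: Duplicate TCP SYN from inside:10.60.0.9/40110 to inside:10.1.1.25/44487 with different initial sequence number
%ASA-6-302013: Built inbound TCP connection 12345 for inside:10.1.1.40/3389 (10.1.1.40/3389) to outside:203.0.113.5/50000 (203.0.113.5/50000)
%ASA-4-419002: Duplicate TCP SYN from outside:203.0.113.8/6001 to inside:10.1.1.80/443 with different initial sequence number
"""

# Only the "from if:ip/port to if:ip/port" part is matched; the trailing text is ignored.
SYN_RE = re.compile(
    r"%ASA-4-419002: Duplicate TCP SYN from "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def parse_419002(log_text):
    """Yield one dict per ASA-4-419002 line; other message IDs are skipped."""
    for line in log_text.splitlines():
        m = SYN_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(log_text, min_hits=3):
    """Group entries by destination socket and report those that collect many
    source ports, sorted by hit count; this is the pattern in the question."""
    groups = {}
    for e in parse_419002(log_text):
        groups.setdefault((e["dst_if"], e["dst_ip"], e["dst_port"]), []).append(e)
    report = []
    for (dst_if, dst_ip, dst_port), entries in groups.items():
        if len(entries) < min_hits:
            continue
        report.append({
            "dst": f"{dst_if}:{dst_ip}/{dst_port}",
            "hits": len(entries),
            "src_ports": len({(e["src_ip"], e["src_port"]) for e in entries}),
            "src_ips": sorted({e["src_ip"] for e in entries}),
            # True when every source sits on the destination's own interface
            # (inside -> inside, as in the question) rather than arriving from outside.
            "same_interface": all(e["src_if"] == dst_if for e in entries),
        })
    report.sort(key=lambda r: r["hits"], reverse=True)
    return report
```

Feed `summarize()` the text of a real syslog export; rows with `same_interface` set and a single destination are the ones to check against the VPN pool route discussed in the replies.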

15 Replies

I agree with Royal Frazier. Once someone disconnects from a Cisco Anyconnect VPN the firewall doesn't know where to send the traffic and creates a nasty loop. My CPU utilization went up to almost 90%. To solve it, I simply put in a route for the Anyconnect VPN pool network to go to the loopback interface.

route (interface) (Cisco Anyconnect pool) (Cisco Anyconnect subnet mask) (loopback interface)

route inside 10.60.0.0 255.255.255.0 127.0.0.1


Hope this helps.
