Duplicate TCP SYN

Spagsterj
Level 1

Hello, I'm having an issue allowing legitimate network traffic out. My ASA logs are filling up with:

%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.41/xxxx to outside:172.16.1.215/xxxx with different initial sequence number

The traffic is known and good traffic. TCP-bypass did not appear to resolve this issue.

Are there any other workarounds or suggestions?

Thanks in advance,

James

7 Replies

Jouni Forss
VIP Alumni

Hi,

Is the destination address some VPN Client Pool?

Can you share your ASA configuration also?

- Jouni

No, the destination address is a public server. However, the client 192.168.1.41 is contacting 172.16.1.215 using a VPN client. Communication between these two hosts pairs is wide open.

Hi,

Are you saying that 192.168.1.41 is a VPN Client user IP and 172.16.1.215 IP is some server?

If this is the case then it's pretty weird considering the log message states that 192.168.1.41 is behind "inside" and 172.16.1.215 is behind "outside".

Or are we perhaps talking about a connection attempt through a L2L VPN and not Client VPN? I mean a connection between 2 LANs connected by Site to Site VPN.

- Jouni

Yes, 192.168.1.41 is the client/PC on the inside and 172.16.1.215 is a server on another network, which is accessible via the outside interface. 192.168.1.41 is attempting to connect using its VPN client to 172.16.1.215.

The VPN client or server is not Cisco - I did get it to work by writing a tcp-bypass policy, however I still believe it should work without having to write the tcp-bypass policy.

Thanks!

Hello,

Perform a capture on the inside interface of the ASA matching this traffic, then create one to check the ASP drops...

capture capin interface inside match tcp host 192.168.1.41 host 172.16.1.215

cap asp type asp-drop all circular-buffer

Then without the TCP-state-bypass in place attempt to connect (just one connection) and share the following

show cap capin

show cap asp | include 172.16.1.215

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here is the packet capture. TCP-bypass was turned-off.

ASA(config)# show cap capin

3 packets captured

   1: 10:45:36.372569 802.1Q vlan#10 P0 192.168.1.41.1194 > 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535

   2: 10:45:39.372402 802.1Q vlan#10 P0 192.168.1.41.1194 > 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535

   3: 10:45:42.572297 802.1Q vlan#10 P0 192.168.1.41.1194 > 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535

3 packets shown

ASA(config)# show cap asp | include 172.16.1.215

Hello,

In this case we only see the SYN packets, no SYN-ACK.

The ASA does not seem to be dropping it as you do not have those packets on the ASP capture...

Is there a way you could run a capture on the server side (if there is an ASA run it there) or on the server itself to make sure it is receiving the SYN packets.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
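The reasoning in the replies above (same ISN on every SYN, no SYN-ACK, nothing in the ASP drop capture, so look beyond the ASA) can be automated. The following script is an added example and is not code from the thread or from Cisco: it parses `show cap` output in the line format posted above, groups SYN packets per flow, records whether the initial sequence number changes between SYNs (the condition %ASA-4-419002 reports) and whether a SYN-ACK ever came back, and parses the 419002 syslog line so the two can be correlated. The capture lines are the ones posted in the thread; the second capture and the syslog ports are constructed samples, and the regexes are assumptions about the output format, not a Cisco-published grammar.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Capture lines as posted in the thread (3 SYNs, same ISN, no reply).
SAMPLE_CAPTURE_SAME_ISN = """\
3 packets captured
   1: 10:45:36.372569 802.1Q vlan#10 P0 192.168.1.41.1194 > 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535
   2: 10:45:39.372402 802.1Q vlan#10 P0 192.168.1.41.1194 > 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535
   3: 10:45:42.572297 802.1Q vlan#10 P0 192.168.1.41.1194 > 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535
3 packets shown
"""

# Constructed sample: the client re-sends a SYN with a new ISN before the ASA
# has torn down the embryonic connection, which is what 419002 describes.
SAMPLE_CAPTURE_DIFFERENT_ISN = """\
   1: 11:02:01.000100 192.168.1.41.51234 > 172.16.1.215.1194: S 100:100(0) win 65535
   2: 11:02:04.000200 192.168.1.41.51234 > 172.16.1.215.1194: S 200:200(0) win 65535
"""

# The syslog line from the thread; the page redacts the ports as xxxx, so the
# port fields are allowed to be non-numeric.
SAMPLE_SYSLOG = ("%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.41/xxxx "
                 "to outside:172.16.1.215/xxxx with different initial sequence number")

# Assumed layout of one 'show cap' line: index, timestamp, optional 802.1Q tag,
# src.port > dst.port: flags seq:end(len) [ack N] win W
CAP_LINE = re.compile(
    r"^\s*(?P<n>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPRU.]+)\s*(?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
)

SYSLOG_419002 = re.compile(
    r"%ASA-4-419002: Duplicate TCP SYN from (?P<in_if>\w+):(?P<src>[\d.]+)/(?P<sport>\w+)"
    r" to (?P<out_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\w+) with different initial sequence number"
)


@dataclass
class FlowSummary:
    syn_count: int = 0                      # SYNs seen client -> server
    isns: set = field(default_factory=set)  # distinct initial sequence numbers
    synack_seen: bool = False               # any SYN-ACK from the server side


def parse_capture(text):
    """Return one dict per packet line that matches the assumed layout."""
    return [m.groupdict() for m in (CAP_LINE.match(l) for l in text.splitlines()) if m]


def analyze(pkts):
    """Group SYN / SYN-ACK packets by the client-side 4-tuple."""
    flows = defaultdict(FlowSummary)
    for p in pkts:
        if "S" not in p["flags"] or p["seq"] is None:
            continue
        if p["ack"] is None:   # plain SYN, client -> server direction
            key = (p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
            flows[key].syn_count += 1
            flows[key].isns.add(int(p["seq"]))
        else:                  # SYN-ACK, key it on the reversed tuple
            key = (p["dst"], int(p["dport"]), p["src"], int(p["sport"]))
            flows[key].synack_seen = True
    return dict(flows)


def verdict(summary):
    """Plain-language reading of one flow, following the thread's diagnosis."""
    if summary.synack_seen:
        return "handshake answered"
    if len(summary.isns) > 1:
        return "repeated SYN with different ISN, matches %ASA-4-419002"
    return "SYN retransmitted with same ISN, no SYN-ACK: reply never reached the ASA"


def parse_419002(line):
    """Extract interfaces and endpoints from a 419002 syslog line, or None."""
    m = SYSLOG_419002.search(line)
    return m.groupdict() if m else None


def flows_for_syslog(fields, flows):
    """Capture flows whose endpoints match the syslog line (ports may be redacted)."""
    return {k: v for k, v in flows.items() if k[0] == fields["src"] and k[2] == fields["dst"]}


if __name__ == "__main__":
    for label, text in (("thread capture", SAMPLE_CAPTURE_SAME_ISN),
                        ("constructed capture", SAMPLE_CAPTURE_DIFFERENT_ISN)):
        for key, summary in analyze(parse_capture(text)).items():
            print(label, key, summary.syn_count, "SYNs ->", verdict(summary))
    print(parse_419002(SAMPLE_SYSLOG))
```

The `flows_for_syslog` match deliberately ignores ports because the ASA log in the thread has them redacted; on a live box you would compare the full 4-tuple. A flow whose verdict is "same ISN, no SYN-ACK" with an empty ASP drop capture points the investigation past the ASA, which is exactly the next step the last reply asks for.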