Hello, I'm having an issue allowing legitimate network traffic out. My ASA logs are filling up with:
%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.41/xxxx to outside:172.16.1.215/xxxx with different initial sequence number
The traffic is known and good traffic. TCP-bypass did not appear to resolve this issue.
Are there any other workarounds or suggestions?
Thanks in advance,
Are you saying that 192.168.1.41 is a VPN Client user IP and 172.16.1.215 IP is some server?
If this is the case then its pretty wierd considering the log messages states that the 192.168.1.41 is behind "inside" and 172.16.1.215 is behind "outside"
Or are we perhaps talking about a connection attempt through a L2L VPN and not Client VPN? I mean a connection between 2 LANs connected by Site to Site VPN.
Yes, 192.168.1.41 is the client/PC on the inside and 172.16.1.215 is a server on another network, which is accessable via the outside interface. 192.168.1.41 is attempting to connect using it's VPN client to 172.16.1.215.
The VPN client or server is not Cisco - I did get it to work by writing a tcp-bypass policy, however I still beleive it should work without having to write the tcp-bypass policy.
Perfom a capture on the inside interface of the ASA matching this traffic, then create one to check the ASP drops...
capture capin interface inside match tcp host 192.168.1.41 host 172.16.1.215
cap asp type asp-drop all circular-buffer
Then without the TCP-state-bypass in place attemtp to connect ( just one connection) and share the following
show cap capin
show cap asp | include 172.16.1.215
Here is the packet capture. TCP-bypass was turned-off.
ASA(config)# show cap capin
3 packets captured
1: 10:45:36.372569 802.1Q vlan#10 P0 192.168.1.41.1194 > 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535
2: 10:45:39.372402 802.1Q vlan#10 P0 192.168.1.41.1194 > 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535
3: 10:45:42.572297 802.1Q vlan#10 P0 192.168.1.41.1194 > 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535
3 packets shown
ASA(config)# show cap asp | include 172.16.1.215
In this case we only see the SYN packets, no SYN-ACK..
The ASA does not seem to be dropping it as you do not have those packets on the ASP capture...
Is there a way you could run a capture on the server side ( if there is an ASA run it there) or on the server itself to make sure he is receiving the SYN packets,