Duplicate TCP SYN

Spagsterj · ‎12-12-2012

Hello, I'm having an issue allowing legitimate network traffic out. My ASA logs are filling up with:

%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.41/xxxx to outside:172.16.1.215/xxxx with different initial sequence number

The traffic is known and good traffic. TCP-bypass did not appear to resolve this issue.

Are there any other workarounds or suggestions?

Thanks in advance,

James

Jouni Forss · ‎12-12-2012

Hi,

Is the destination address some VPN Client Pool?

Can you share your ASA configuration also?

- Jouni

Spagsterj · ‎12-12-2012

No, the destination address is a public server. However, the client 192.168.1.41 is contacting 172.16.1.215 using a VPN client. Communication between these two hosts pairs is wide open.

Jouni Forss · ‎12-13-2012

Hi,

Are you saying that 192.168.1.41 is a VPN Client user IP and 172.16.1.215 IP is some server?

If this is the case then its pretty wierd considering the log messages states that the 192.168.1.41 is behind "inside" and 172.16.1.215 is behind "outside"

Or are we perhaps talking about a connection attempt through a L2L VPN and not Client VPN? I mean a connection between 2 LANs connected by Site to Site VPN.

- Jouni

Spagsterj · ‎12-13-2012

Yes, 192.168.1.41 is the client/PC on the inside and 172.16.1.215 is a server on another network, which is accessable via the outside interface. 192.168.1.41 is attempting to connect using it's VPN client to 172.16.1.215.

The VPN client or server is not Cisco - I did get it to work by writing a tcp-bypass policy, however I still beleive it should work without having to write the tcp-bypass policy.

Thanks!

Julio Carvajal · ‎12-13-2012

Hello,

Perfom a capture on the inside interface of the ASA matching this traffic, then create one to check the ASP drops...

capture capin interface inside match tcp host 192.168.1.41 host 172.16.1.215

cap asp type asp-drop all circular-buffer

Then without the TCP-state-bypass in place attemtp to connect ( just one connection) and share the following

show cap capin

show cap asp | include 172.16.1.215

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Spagsterj · ‎12-14-2012

Here is the packet capture. TCP-bypass was turned-off.

ASA(config)# show cap capin

3 packets captured

1: 10:45:36.372569 802.1Q vlan#10 P0 192.168.1.41.1194 > 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535

2: 10:45:39.372402 802.1Q vlan#10 P0 192.168.1.41.1194 > 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535

3: 10:45:42.572297 802.1Q vlan#10 P0 192.168.1.41.1194 > 172.16.1.215.1194: S 2130111956:2130111956(0) win 65535

3 packets shown

ASA(config)# show cap asp | include 172.16.1.215

Julio Carvajal · ‎12-14-2012

Hello,

In this case we only see the SYN packets, no SYN-ACK..

The ASA does not seem to be dropping it as you do not have those packets on the ASP capture...

Is there a way you could run a capture on the server side ( if there is an ASA run it there) or on the server itself to make sure he is receiving the SYN packets,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC