08-20-2024 04:23 AM
Hi,
I'm getting duplicate SYNs from our Firepower FTD. The setup is that VPN clients connect via outside (Internet) to access internal stuff. The VPN clients get an IP from pool 10.1.1.x (for example) to access internal 10.2.2.x.
Internet traffic also needs to be routed through the tunnel so that a transparent proxy is able to check the surfing, so the default route also needs to be routed via the client VPN.
The routing on FTD is as follows:
Gateway of last resort is 3.3.3.30 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0
[1/0] via 3.3.3.30, int-outside
V 10.1.1.1 255.255.255.255
connected by VPN (advertised), int-outside
V 10.1.1.2 255.255.255.255
connected by VPN (advertised), int-outside
S 10.1.1.0 255.255.255.0 [1/0] is directly connected, Null0
S 0.0.0.0 0.0.0.0 [255/0] via 4.4.4.99, int-inside tunneled
Hundreds of users generate these duplicate SYNs in syslog, so FTD thinks it's a SYN attack:
%FTD-4-419002: Duplicate TCP SYN from int-outside:10.1.1.2/54931 to int-inside:10.2.2.1/443 with different initial sequence number
%FTD-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 83 per second, max configured rate is 10; Current average rate is 191 per second, max configured rate is 5; Cumulative total count is 115037
%FTD-4-733100: [ SYN attack] drop rate-1 exceeded. Current burst rate is 71 per second, max configured rate is 200; Current average rate is 162 per second, max configured rate is 100; Cumulative total count is 97341
%FTD-4-419002: Duplicate TCP SYN from int-outside:10.1.1.1/54462 to int-inside:10.2.2.2/443 with different initial sequence number
So I tried to use this null route to avoid creating duplicate SYNs:
S 10.1.1.0 255.255.255.0 [1/0] is directly connected, Null0
but it doesn't help.
Do you have an idea how to solve this issue?
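As an added example (not part of the original post and not Cisco's code): a small parser for the two FTD syslog formats quoted above. It groups the %FTD-4-419002 duplicate-SYN events by ingress interface and VPN client IP, which makes it quick to see whether the repeats arrive on int-outside or elsewhere, and checks each %FTD-4-733100 threat-detection line against its own configured maxima. SAMPLE_LOG is constructed from the lines in the post plus one extra line.

```python
import re
from collections import Counter

# Constructed sample, modelled on the syslog lines quoted in the post (last line added).
SAMPLE_LOG = """\
%FTD-4-419002: Duplicate TCP SYN from int-outside:10.1.1.2/54931 to int-inside:10.2.2.1/443 with different initial sequence number
%FTD-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 83 per second, max configured rate is 10; Current average rate is 191 per second, max configured rate is 5; Cumulative total count is 115037
%FTD-4-733100: [ SYN attack] drop rate-1 exceeded. Current burst rate is 71 per second, max configured rate is 200; Current average rate is 162 per second, max configured rate is 100; Cumulative total count is 97341
%FTD-4-419002: Duplicate TCP SYN from int-outside:10.1.1.1/54462 to int-inside:10.2.2.2/443 with different initial sequence number
%FTD-4-419002: Duplicate TCP SYN from int-outside:10.1.1.2/54932 to int-inside:10.2.2.1/443 with different initial sequence number
"""

DUP_SYN_RE = re.compile(
    r"%FTD-4-419002: Duplicate TCP SYN from (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r" to (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
THREAT_RE = re.compile(
    r"%FTD-4-733100: \[ ?(?P<category>[\w ]+?)\] drop rate-(?P<rate_id>\d+) exceeded\."
    r" Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+);"
    r" Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+);"
    r" Cumulative total count is (?P<total>\d+)"
)

def parse_log(text):
    """Split raw syslog text into duplicate-SYN events and threat-detection events."""
    dup_syn, threats = [], []
    for line in text.splitlines():
        if m := DUP_SYN_RE.match(line):
            ev = m.groupdict()
            ev["src_port"], ev["dst_port"] = int(ev["src_port"]), int(ev["dst_port"])
            dup_syn.append(ev)
        elif m := THREAT_RE.match(line):
            # numeric fields (rates, counts, rate id) become ints; category stays a string
            threats.append({k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()})
    return dup_syn, threats

def summarize(text):
    """Count duplicate SYNs per (ingress interface, client IP) and flag 733100 lines
    whose measured burst or average rate is above the configured maximum."""
    dup_syn, threats = parse_log(text)
    per_source = Counter((ev["src_if"], ev["src_ip"]) for ev in dup_syn)
    flagged = [(t["category"], t["burst"] > t["burst_max"] or t["avg"] > t["avg_max"])
               for t in threats]
    return per_source, flagged

if __name__ == "__main__":
    per_source, flagged = summarize(SAMPLE_LOG)
    for (ifname, ip), n in per_source.most_common():
        print(f"{n:4d} duplicate SYN(s) from {ifname}:{ip}")
    for category, over in flagged:
        print(f"{category}: {'over' if over else 'within'} configured rate")
```

Feed it the output of your syslog export instead of SAMPLE_LOG; if the counts are dominated by a few client IPs rather than spread evenly, that points at those clients rather than the routing.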
08-26-2024 08:12 AM - edited 08-26-2024 08:16 AM
Wait and see if it will appear again.
Update me when you see it again.
Note: you run two AnyConnect sessions; when you run more, the issue will affect CPU and slow your FW.
MHM
08-26-2024 09:02 AM
Thanks for the update... I would dig deeper. If the first syslog and the 5-tuple are different from the 2nd syslog with the duplicate SYN, and you don't see a packet, then open a TAC case. What version are you running? Also review captures on both interfaces again to be completely sure there is no duplicate when the syslog comes in...