08-20-2024 04:23 AM
Hi,
I'm getting duplicate SYNs from our Firepower FTD. The setup is that VPN clients connect via outside (Internet) to access internal stuff. The VPN clients get an IP from pool 10.1.1.x (for example) to access internal 10.2.2.x.
Internet traffic also needs to be routed through the tunnel so that a transparent proxy is able to check the surfing, so the default route also needs to be routed through the client VPN.
The routing on FTD is as follows:
Gateway of last resort is 3.3.3.30 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0
[1/0] via 3.3.3.30, int-outside
V 10.1.1.1 255.255.255.255
connected by VPN (advertised), int-outside
V 10.1.1.2 255.255.255.255
connected by VPN (advertised), int-outside
S 10.1.1.0 255.255.255.0 [1/0] is directly connected, Null0
S 0.0.0.0 0.0.0.0 [255/0] via 4.4.4.99, int-inside tunneled
Hundreds of users generate these dup SYNs in syslog, so FTD thinks it's a SYN attack:
%FTD-4-419002: Duplicate TCP SYN from int-outside:10.1.1.2/54931 to int-inside:10.2.2.1/443 with different initial sequence number
%FTD-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 83 per second, max configured rate is 10; Current average rate is 191 per second, max configured rate is 5; Cumulative total count is 115037
%FTD-4-733100: [ SYN attack] drop rate-1 exceeded. Current burst rate is 71 per second, max configured rate is 200; Current average rate is 162 per second, max configured rate is 100; Cumulative total count is 97341
%FTD-4-419002: Duplicate TCP SYN from int-outside:10.1.1.1/54462 to int-inside:10.2.2.2/443 with different initial sequence number
So I tried to use this null route to avoid creating duplicate SYNs:
S 10.1.1.0 255.255.255.0 [1/0] is directly connected, Null0
but it doesn't help.
Do you have an idea how to solve this issue?
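To see whether the 419002 messages come from a few clients or from many, and to pull the exact flow to look for in a packet capture, here is a small parser for the syslog lines quoted above. This is an added example, not code from the original post; the sample lines are constructed after the quoted messages, and the BPF-style filter string is an assumption about the capture tool you feed it to.

```python
import re
from collections import Counter

# Constructed sample modelled on the FTD messages quoted in the post (not real log data).
SAMPLE_LOG = """\
%FTD-4-419002: Duplicate TCP SYN from int-outside:10.1.1.2/54931 to int-inside:10.2.2.1/443 with different initial sequence number
%FTD-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 83 per second, max configured rate is 10; Current average rate is 191 per second, max configured rate is 5; Cumulative total count is 115037
%FTD-4-733100: [ SYN attack] drop rate-1 exceeded. Current burst rate is 71 per second, max configured rate is 200; Current average rate is 162 per second, max configured rate is 100; Cumulative total count is 97341
%FTD-4-419002: Duplicate TCP SYN from int-outside:10.1.1.1/54462 to int-inside:10.2.2.2/443 with different initial sequence number
%FTD-4-419002: Duplicate TCP SYN from int-outside:10.1.1.1/54470 to int-inside:10.2.2.2/443 with different initial sequence number
"""

# Matches only message ID 419002; ingress/egress interface, IP and port are captured.
DUP_SYN_RE = re.compile(
    r"%FTD-4-419002: Duplicate TCP SYN from "
    r"(?P<in_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<out_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_dup_syn(text):
    """Return one dict per 419002 line; other message IDs (e.g. 733100) are ignored."""
    return [m.groupdict() for m in map(DUP_SYN_RE.search, text.splitlines()) if m]


def summarize(events):
    """Count duplicate-SYN reports per source host and per (egress iface, dst, dport).

    Many distinct sources with a few hits each points at a path-wide cause
    (asymmetric routing, a loop); one source with many ports points at one client.
    """
    by_src = Counter(e["src"] for e in events)
    by_dst = Counter((e["out_if"], e["dst"], e["dport"]) for e in events)
    return by_src, by_dst


def capture_filter(event):
    """BPF-style filter for the flow named in one message (assumed capture syntax)."""
    return f"host {event['src']} and host {event['dst']} and tcp port {event['dport']}"


if __name__ == "__main__":
    evts = parse_dup_syn(SAMPLE_LOG)
    src, dst = summarize(evts)
    print(src.most_common(5), dst.most_common(5))
    print(capture_filter(evts[0]))
```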
08-20-2024 04:33 AM
Sure, the issue is this default route tunneled. Remove it and config a static route for 10.2.2.x (internal route):
S 0.0.0.0 0.0.0.0 [255/0] via 4.4.4.99, int-inside tunneled
And the issue will be solved.
MHM
08-20-2024 05:59 AM
The problem is that the internet is also used by client VPN through the tunnel. So all official IPs need to be routed to internal (which goes to the transparent proxy).
08-20-2024 02:30 PM - edited 08-21-2024 12:11 AM
the problem is that the internet is also used by client VPN through the tunnel. So all official IPs need to be routed to internal (which goes to the transparent proxy) <<- then it returns to FTD to be forwarded to the internet?
MHM
08-20-2024 11:54 PM
Scenario 1 Internet access:
Anyconnect Client - Internet - FTD - Transp.Proxy - Internet
Scenario 2 access to internal:
Anyconnect Client - Internet - FTD - internal
08-21-2024 12:14 AM
Scenario 2 access to internal:
Anyconnect Client - Internet - FTD - internal <<- for this scenario, if you add a static route to 10.2.2.x instead of the default route tunneled, I think there is no problem at all
Scenario 1 Internet access:
Anyconnect Client - Internet - FTD - Transp.Proxy - Internet <<- how does the transp. proxy connect to the internet via FTD, i.e. does the traffic return to FTD to access the internet?
MHM
08-21-2024 12:22 AM
Scenario 1 Internet access:
Anyconnect Client - Internet - FTD - Transp.Proxy - Internet <<- how does the transp. proxy connect to the internet via FTD, i.e. does the traffic return to FTD to access the internet?
--> No. The Transp.Proxy has its own Internet access.
08-21-2024 11:17 PM
Does the proxy have a public IP configured directly on an interface or is it an IP NAT'ed through the FTD?
Or perhaps is the proxy just a "bump in the wire" meaning just forwarding traffic without changing source or destination IP?
I think the issue might be the second scenario.
Solutions to this would be to have the proxy perform NAT for the source addresses, or install another internet gateway firewall / virtual firewall / context / multi instance / whatever.
08-22-2024 03:08 AM
FTD: How to enable TCP State Bypass Configuration using FlexConfig Policy - Cisco
If the egress is different than the ingress, then try using TCP bypass for traffic from the VPN pool to ANY <<- don't config it ANY to ANY
MHM
08-22-2024 03:24 AM
TCP bypass should be a last resort, and I would suggest not using it. The issue is most likely that the proxy is just inspecting traffic and passing it back to the FTD. Solve that issue rather than using TCP bypass in my opinion.
08-22-2024 04:02 AM
He has duplicate SYNs, so this appears when there is asymmetric routing, and he confirmed that.
Thanks
MHM
08-23-2024 12:58 AM - edited 08-23-2024 12:59 AM
In reality, there are 2 FTDs:
Scenario 1 Internet access:
Anyconnect Client - Internet - FTD1 (used for anyconnect) - FTD2 (used for firewalling) - Transp.Proxy - Internet
So the 2nd FTD also sees the dup SYNs which were created by the 1st FTD:
FTD2: Duplicate TCP SYN from int-from-FTD1:10.1.1.1/54131 to int-to-transparent-proxy:193.99.144.85/443 with different initial sequence number
The 1st time I thought that it's dropped by ASP, but it's not. It seems that all these dup SYNs are forwarded to the next hop.
BTW, there's no NAT by FTD2 (to answer the question from @Marius Gunnerud ).
The real technique of the transparent proxy is not known by me, but I think it doesn't matter to the dup SYN issue, because the issue is created by FTD1.
08-25-2024 06:53 PM
If this is easily reproducible, then you should take packet captures with the trace detail option. Also provide logs of the initial connection and the duplicate one.
There is an option include-decrypted. Use that for the outside interface. I feel like there is a potential loop or your last diagram is not accurate. When it goes to the internet, which firewall is doing the NATing?
08-26-2024 02:54 AM
Thx for the capture hint. Now I see that NOT all packets are duplicated. I tried with my own client and see NO dup. So it seems that there's something special that causes dup packets... I will troubleshoot this deeper...
BTW, the NAT is done by the transparent proxy or behind it. There's no NAT on FTD1/FTD2.
08-26-2024 08:08 AM
I picked 1 syslog message "%FTD-4-419002: Duplicate TCP SYN from int-outside:10.x.x.x/56521 to int-inside:10.y.y.y/443 with different initial sequence number"
and checked the outside + inside captures. Both captures show me that there's no duplicate packet at all regarding this syslog message. So in reality, FTD1 is NOT creating any additional packet or whatever. All packets which are in the tunnel (from outside) are the same as those routed to internal.
So all seems good to me now. It's very annoying that my syslog is flooded with these messages (if severity is set to "warning" instead of "error"), but I added a syslog level feature "419002" with 1 message and an interval of 1 second now. With this setting, the flooding has stopped.
Thx to all of you guys for your support!