cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
942
Views
3
Helpful
6
Replies

%FTD Duplicate TCP SYN from inside to outside with different initial

amralrazzaz
Level 5
Level 5

Hello all

I'm receiving hundreds of warning messages i am getting in our syslog from our Cisco ASA 5516-x. The warning message is:

Message: %FTD-4-419002: Duplicate TCP SYN from it-client-ap:10.245.xx.1x/54557 to outside:5x.1xx.1x9.x/443 with different initial sequence number
Message: %FTD-4-419002: Duplicate TCP SYN from it-client-ap:10.245.xx.1x/50650 to outside:5x.1xx.1x9.x/443 with different initial sequence number
Message: %FTD-4-419002: Duplicate TCP SYN from it-client-ap:10.245.xx.1x/50650 to outside:5x.1xx.1x9.x/443 with different initial sequence number

This messages appears during working hours when users connected to WIFI office VLAN using the inside ASA port (it-client-ap) and maybe on other vlans like LAN but what im facing now is big numbers of warning massages coming through that interface above

im not sure if this is kind of flooding attack of kid of DoS attacks but how can i resolve this issue and what kind of show commands that i can use to troubleshoot and try to solve ,

Note: Also i have no problems with any services on my private network, like internet connection and VPN S2S works fine, though I'm still concerned about what's going on because there's large amount of those logs per day

Current ASA version is : Cisco ASA5516-X Threat Defense (75) Version 7.0.1 (Build 84)
Also no routing configured on ASA and ASA is directly connected to L3 core switch

amralrazzaz_1-1712331470872.png

 

amralrazzaz_0-1712331612135.png

 

 

 

 

 

amr alrazzaz
6 Replies 6

check is there is any asymmetric in routing 

MHM

Can you please share with me more details and how to check !? 

No routing configured on the  ASA its just 

ISP---ASA---L3 CORE SWITCH

amralrazzaz_0-1712331821796.png

 

     

 

amr alrazzaz

It clear there is no need routing all subnet direct connect (except defualt route for internet it needed...)

Check this link

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100830-asa-pix-netattacks.html

It can DDoS so shun the IP or add ACL drop connect from this IP.

MHM

Can show me how to shun the IP addresses which appears on logsys and what does shun do to that ip , is it blocking that ip totally from accessing the network or just block the huge traffic coming from that device ! because i have more devices with same massages coming from them!

amr alrazzaz

@amralrazzaz if this traffic is from source inside to outside, then a device on the inside of the network is either spoofing traffic or misbehaving.

Error Message %FTD-4-419002: Received duplicate TCP SYN from in_interface :src_address /src_port to out_interface :dest_address /dest_port with different initial sequence number.

Explanation A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number from the SYN that opened the embryonic connection. This may indicate that SYNs are being spoofed. This message occurs in Release 7.0.4.1 and later.

Is it just the one device (10.245.xx.1x) or multiple devices generating these alerts?

I would physically find the device(s) that is generating these events and see if its a rogue device or there is an issue with it and if needs be remove it from the network.

Dear its coming from multiple devices , i thin whenever there is client connected to wifi office it keep sending these kind of waring massages from them to our syslog system not only one device and once all these client disconnected from the wifi office network this massage disappeared

 

 

amr alrazzaz
Review Cisco Networking for a $25 gift card