ASA5525-- Many Duplicate TCP SYN

jmaxwellUSAF
Contributor

Hello.

Please see below (obfuscated) printout from security monitoring software...

Duplicate TCP SYN from Inside:10.2.1.99/47266 to Inside:10.2.200.46/445 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/15256 to Inside:10.2.200.43/80 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/33535 to Inside:10.2.200.49/135 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/47266 to Inside:10.2.200.55/445 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/13201 to Inside:10.2.200.56/443 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/13201 to Inside:10.2.200.53/443 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/13201 to Inside:10.2.200.40/443 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/34252 to Inside:10.2.200.39/25 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/35397 to Inside:10.2.200.54/23 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/13201 to Inside:10.2.200.37/443 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/20 to Inside:10.2.200.37/139 with different initial sequence number
--

GIVEN:
- The above data refers to an ASA-5525 running OS version 9.14(3).

- The source address is a datacenter server. The destination addresses are remote AnyConnect VPN users.
--

QUESTIONS:
What might be causing this symptom?

What is the next troubleshoot step?

Thank you.
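As an added illustration (not part of the original post), here is a small Python parser for the "Duplicate TCP SYN" message format quoted above that groups the events by source host and flags the detail the thread turns on: every message has the same ingress and egress interface (Inside to Inside). The sample lines are constructed, not the poster's real data.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same format as the ASA "Duplicate TCP SYN"
# message quoted in the post (ASA syslog ID 419002). Addresses are made up;
# the last line is a non-hairpin case for contrast.
SAMPLE_LOG = """\
Duplicate TCP SYN from Inside:10.2.1.99/47266 to Inside:10.2.200.46/445 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/13201 to Inside:10.2.200.56/443 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/13201 to Inside:10.2.200.53/443 with different initial sequence number
Duplicate TCP SYN from Outside:203.0.113.7/51000 to Inside:10.2.1.99/443 with different initial sequence number
"""

DUP_SYN = re.compile(
    r"Duplicate TCP SYN from (?P<in_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<out_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"with different initial sequence number"
)


def parse_dup_syn(text):
    """Return one dict per matching line; lines that do not match are skipped."""
    return [m.groupdict() for m in (DUP_SYN.search(line) for line in text.splitlines()) if m]


def hairpin_summary(events):
    """Keep only events whose ingress and egress interface are identical (the
    ASA would be sending the SYN back out the interface it arrived on) and
    summarise them per source host: distinct destinations, ports and count."""
    acc = defaultdict(lambda: {"dsts": set(), "dports": set(), "count": 0})
    for e in events:
        if e["in_if"] != e["out_if"]:
            continue  # normal two-interface flow, not the symptom in the thread
        key = (e["in_if"], e["src"])
        acc[key]["dsts"].add(e["dst"])
        acc[key]["dports"].add(int(e["dport"]))
        acc[key]["count"] += 1
    return {
        key: {"dsts": sorted(v["dsts"]), "dports": sorted(v["dports"]), "count": v["count"]}
        for key, v in acc.items()
    }


if __name__ == "__main__":
    for key, info in hairpin_summary(parse_dup_syn(SAMPLE_LOG)).items():
        print(key, info)
```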

Accepted Solution

And all the TCP packets you mention in your original post will fill your ASA outside buffer.

Why I disagree with this solution: the ASA finds the longest match; the /32 is the longest match, and it represents an active AnyConnect, and you can forward traffic to it.

If not, then the ASA uses the static route to a host that is not active.

This will fill the outside of the ASA.

Delete it and use redistribute connected.

It's up to you.

This is my view of this issue.

Thanks

MHM

39 Replies

@jmaxwellUSAF why are the anyconnect users (10.2.200.x) on the inside interface?

Misconfigured routing?

Run packet tracer from the CLI

Thank you for your reply.

"why are the anyconnect users (10.2.200.x) on the inside interface?" --The 10.2.200.x subnet is the subnet assigned to AnyConnect VPN connections. (by the way, there exists a split-tunnel config, but I don't think that is relevant here.)

What is wrong with AnyConnect users being on the inside interface? Where should they be?

How should routing be configured?

(Would it be best to share with you some config output?)

Thank you.

@jmaxwellUSAF the anyconnect users connect to the outside interface. You'd not connect to the VPN if you were connected to the inside interface, that's the trusted network!

The ASA doesn't need a route to the anyconnect ip pool via the inside network, if that's what you've configured.

Yes share some configuration.

I don't understand how the routing should be configured here.

What commands should I run to display helpful data here?

You don't need any route for AnyConnect; when your AnyConnect is active, the route with /32 is added to the ASA routing table with the egress interface being OUTside.
@Rob Ingram mentioned why these AnyConnect are sourced from INside, not from OUTside?
You have an issue in routing. Did you check my link? I think you didn't.

Hi MHM. I thought your idea was different than Rob's idea. I did check that link. I was exploring Rob's first. Now I understand that both 2 ideas may be connected.

@jmaxwellUSAF the ASA does not need a route to the anyconnect VPN pool as that network is local to the ASA. Only the other network devices need to know how to reach the anyconnect VPN pool network via the ASA, usually via the default route if the ASA is egress for the local network.

Provide your running configuration, else at minimum the output of your routing table.

Two ASA-5525 are in HA pair.

Two Nexus are standalone, connected with a port channel between each other, and have an HSRP config.

(10.2.222.1 is virtual HSRP ip for both Nexus)

10.2.222.2 is Vlan 888 interface on PRIMARY Nexus.

10.2.222.3 is Vlan 888 interface on SECONDARY Nexus.

-- 10.2.200.x is the AnyConnect subnet --

Please let me know if the below looks correctly configured. Thank you.

---

ASA-5525# sh route 10.2.200.0 255.255.255.0

Routing entry for 10.2.200.0 255.255.255.0
Known via "static", distance 1, metric 0
Redistributing via eigrp 1
Advertised by eigrp 1 metric 500000 1 255 1 1500
Routing Descriptor Blocks:
* 10.2.222.3, via Inside
Route metric is 0, traffic share count is 1
10.2.222.2, via Inside
Route metric is 0, traffic share count is 1
S 0.0.0.0 0.0.0.0 [255/0] via 10.2.222.1, Inside tunneled
===

ASA-5525# sh route

S 10.2.200.0 255.255.255.0 [1/0] via 10.2.222.3, Inside
[1/0] via 10.2.222.2, Inside
V 10.2.200.2 255.255.255.255 connected by VPN (advertised), Outside
V 10.2.200.3 255.255.255.255 connected by VPN (advertised), Outside
V 10.2.200.4 255.255.255.255 connected by VPN (advertised), Outside

@jmaxwellUSAF like I said remove the route from the ASA to 10.2.200.0/24 for the anyconnect VPN pool via the inside interface. That network exists on the ASA itself not on the inside network.
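To illustrate the longest-match point in the accepted solution and Rob's advice to remove the static /24, here is an added Python sketch (not from the thread or from Cisco) of how a longest-prefix lookup resolves pool addresses with and without that static route. The RIB is constructed from the "sh route" output above; the default route via Outside reflects the poster's later remark that the ASA's default gateway is out the external interface, and its next-hop address is a made-up placeholder.

```python
import ipaddress

def build_rib(active_vpn_hosts, keep_static_pool_route=True):
    """Constructed RIB modelled on the thread's 'sh route' output.

    - a default route via Outside (assumed; next hop 203.0.113.1 is a placeholder)
    - optionally the static 10.2.200.0/24 pointing at the inside Nexus (10.2.222.3)
    - one /32 'V' route per active AnyConnect session, egress Outside
    """
    rib = [("0.0.0.0/0", "Outside", "203.0.113.1")]
    if keep_static_pool_route:
        rib.append(("10.2.200.0/24", "Inside", "10.2.222.3"))
    for host in active_vpn_hosts:
        rib.append((f"{host}/32", "Outside", "VPN"))  # installed only while connected
    return rib


def lookup(rib, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nexthop in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return (best[1], best[2]) if best else None


def egress_for(dst, active_vpn_hosts, keep_static_pool_route=True):
    """Where the ASA would send a packet for dst under the given RIB state."""
    return lookup(build_rib(active_vpn_hosts, keep_static_pool_route), dst)


if __name__ == "__main__":
    active = ["10.2.200.2", "10.2.200.3", "10.2.200.4"]
    # active user: the /32 beats the static /24, so traffic goes Outside
    print("10.2.200.3 ->", egress_for("10.2.200.3", active))
    # disconnected pool address with the static still present: hairpinned to Inside
    print("10.2.200.46 ->", egress_for("10.2.200.46", active))
    # same address once the static /24 is removed: falls through to the default
    print("10.2.200.46 ->", egress_for("10.2.200.46", active, keep_static_pool_route=False))
```

The second lookup is the case the thread is about: a pool address with no live session matches only the static /24 and is forwarded back to the inside network.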


(If I don't do this correctly, all VPN users (a lot of workers) will be basically offline.)

So if I simply only remove...

10.2.200.0 255.255.255.0 [1/0] via 10.2.222.3, Inside

... the ASA will naturally then route traffic destined to 10.2.200.0 to the outside interface?

Is that it? Nothing else needs to be configured? 

The active AnyConnect will appear as

10.2.200.0/32; if there is no active AnyConnect, then this subnet will not appear in your RIB.

You have three active AnyConnect shown in your RIB; run show vpn-sessiondb and check that.

@jmaxwellUSAF I appreciate it's your risk, if you are concerned make the change OOH in a change window.

The 10.2.200.0 exists on the ASA itself, connections from that anyconnect IP pool would normally be sent from the outside interface, hence my first comment indicating this as the potential problem.

Out of curiosity, are you redistributing the static route for 10.2.200.0 into a routing protocol? And using RRI?

"Out of curiosity, are you redistributing the static route for 10.2.200.0 into a routing protocol?"

YES. via EIGRP. 

The default gateway for the ASA is the next hop out of the external interface.

BUT

Our DMVPN router's default gateway DOES NOT cross the ASA, instead it goes directly to the ISP router.

So then, return traffic will have an asymmetric route. Will this cause issues, such as ASA TCP SYN/ACK DDoS detection alerts, because the TCP SYN/ACK will never be detected outgoing on the incoming connections? Is there a best way to configure this situation?

Please advise.

Sure, there is redistribute connected in the ASA; it will force EIGRP to redistribute the connected /32 AnyConnect prefixes that appear in the ASA to all the other networks.

No need for a static for the VPN pool in that case.
