06-05-2023 12:52 PM
Hello.
Please see below (obfuscated) printout from security monitoring software...
Duplicate TCP SYN from Inside:10.2.1.99/47266 to Inside:10.2.200.46/445 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/15256 to Inside:10.2.200.43/80 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/33535 to Inside:10.2.200.49/135 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/47266 to Inside:10.2.200.55/445 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/13201 to Inside:10.2.200.56/443 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/13201 to Inside:10.2.200.53/443 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/13201 to Inside:10.2.200.40/443 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/34252 to Inside:10.2.200.39/25 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/35397 to Inside:10.2.200.54/23 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/13201 to Inside:10.2.200.37/443 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/20 to Inside:10.2.200.37/139 with different initial sequence number
--
GIVEN:
-Above data refers to an ASA-5525 with OS Version 9.14(3)
-The source address is a datacenter server. The destination addresses are remote Anyconnect VPN users.
--
QUESTIONS:
What might be causing this symptom?
What is the next troubleshoot step?
Thank you.
06-06-2023 11:13 AM
And all the TCP packets you mention in your original post will fill your ASA outside buffer.
Why I disagree with this solution: the ASA finds the longest match; the /32 is the longest match and it represents an active AnyConnect, and you can forward traffic to it.
If not, then the ASA uses the static route to a host that is not active.
This will fill the ASA outside.
Delete it and use redistribute connected.
It's up to you.
This is my view of this issue.
Thanks
MHM
06-05-2023 12:59 PM
@jmaxwellUSAF why are the anyconnect users (10.2.200.x) on the inside interface?
Misconfigured routing?
Run packet tracer from the CLI
06-05-2023 01:52 PM
Thank you for your reply.
"why are the anyconnect users (10.2.200.x) on the inside interface?" --The 10.2.200.x subnet is the subnet assigned to AnyConnect VPN connections. (by the way, there exists a split-tunnel config, but I don't think that is relevant here.)
What is wrong with AnyConnect users being on the inside interface? Where should they be?
How should routing be configured?
(Would it be best to share with you some config output?)
Thank you.
06-05-2023 02:12 PM
@jmaxwellUSAF the anyconnect users connect to the outside interface. You'd not connect to the VPN if you were connected to the inside interface, that's the trusted network!
The ASA doesn't need a route to the anyconnect ip pool via the inside network, if that's what you've configured.
Yes share some configuration.
06-06-2023 05:24 AM
I don't understand how the routing should be configured here.
What commands should I run to display helpful data here?
06-06-2023 05:28 AM
You don't need any route for AnyConnect; when your AnyConnect is active, the route with /32 is added to the ASA routing table with egress interface OUTside.
@Rob Ingram mentioned it: why are these AnyConnect sourced from INside and not from OUTside?
You have an issue in routing; did you check my link? I think you didn't.
06-06-2023 06:21 AM
Hi MHM. I thought your idea was different from Rob's idea. I did check that link. I was exploring Rob's first. Now I understand that both ideas may be connected.
06-06-2023 05:30 AM
@jmaxwellUSAF the ASA does not need a route to the anyconnect VPN pool as that network is local to the ASA. Only the other network devices need to know how to reach the anyconnect VPN pool network via the ASA, usually via the default route if the ASA is egress for the local network.
Provide your running configuration, else at minimum the output of your routing table.
06-06-2023 07:46 AM
Two ASA-5525 are in HA pair.
Two Nexus are standalone, connected with a port channel between each other, and have HSRP config
(10.2.222.1 is virtual HSRP ip for both Nexus)
10.2.222.2 is Vlan 888 interface on PRIMARY Nexus.
10.2.222.3 is Vlan 888 interface on SECONDARY Nexus.
--10.2.200.x is Anyconnect subnet --
Please let me know if below looks correctly configured. Thank you.
---
ASA-5525# sh route 10.2.200.0 255.255.255.0
Routing entry for 10.2.200.0 255.255.255.0
Known via "static", distance 1, metric 0
Redistributing via eigrp 1
Advertised by eigrp 1 metric 500000 1 255 1 1500
Routing Descriptor Blocks:
* 10.2.222.3, via Inside
Route metric is 0, traffic share count is 1
10.2.222.2, via Inside
Route metric is 0, traffic share count is 1
S 0.0.0.0 0.0.0.0 [255/0] via 10.2.222.1, Inside tunneled
===
ASA-5525# sh route
S 10.2.200.0 255.255.255.0 [1/0] via 10.2.222.3, Inside
[1/0] via 10.2.222.2, Inside
V 10.2.200.2 255.255.255.255 connected by VPN (advertised), Outside
V 10.2.200.3 255.255.255.255 connected by VPN (advertised), Outside
V 10.2.200.4 255.255.255.255 connected by VPN (advertised), Outside
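As an added example (not code from the thread or from Cisco), the following script models the ASA's longest-prefix-match lookup over the routing table posted above, to make the point visible: an address that has an active AnyConnect session (10.2.200.2, .3, .4) matches the /32 VPN route on Outside, while any other pool address with no session falls through to the static 10.2.200.0/24 via Inside, which is exactly why the log lines show Inside as both ingress and egress. The RIB entries are transcribed from the thread; the default route out the Outside interface is assumed from the poster's later remark that the ASA's default gateway is the next hop out of the external interface; the log sample, `fixed_rib`, and the other helper names are constructed for this example.

```python
"""
Added example, not part of the thread: model the ASA longest-prefix-match
lookup over the posted RIB and correlate it with the "Duplicate TCP SYN"
log lines to show which destinations resolve to the static pool route.
"""
import ipaddress
import re
from collections import Counter

# Routing table as posted in the thread: (prefix, egress interface, source).
# Source "S" = static, "V" = route installed for an active VPN session.
RIB = [
    ("10.2.200.0/24", "Inside", "S"),   # static route for the VPN pool via the Nexus pair
    ("10.2.200.2/32", "Outside", "V"),  # active AnyConnect sessions from "sh route"
    ("10.2.200.3/32", "Outside", "V"),
    ("10.2.200.4/32", "Outside", "V"),
    ("0.0.0.0/0", "Outside", "S"),      # ASSUMPTION: default route egresses Outside
]

# Constructed sample log lines, same format as the ones in the original post.
SAMPLE_LOG = """\
Duplicate TCP SYN from Inside:10.2.1.99/47266 to Inside:10.2.200.46/445 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/13201 to Inside:10.2.200.56/443 with different initial sequence number
Duplicate TCP SYN from Inside:10.2.1.99/34252 to Inside:10.2.200.39/25 with different initial sequence number
"""

LOG_RE = re.compile(
    r"Duplicate TCP SYN from (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) with different initial sequence number"
)


def lookup(dst, rib=RIB):
    """Longest-prefix match: return (prefix, interface, source) of the winning route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, src in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    return None if best is None else (str(best[0]), best[1], best[2])


def parse_log(text):
    """Parse the syslog lines into dicts; lines that do not match are ignored."""
    return [m.groupdict() for m in (LOG_RE.match(line) for line in text.splitlines()) if m]


def explain(text, rib=RIB):
    """For each log line, resolve the destination in the RIB and flag whether it
    hit a VPN /32 (Outside) or fell through to the static pool route (Inside)."""
    findings = []
    for ev in parse_log(text):
        prefix, iface, src = lookup(ev["dst"], rib)
        findings.append({
            "dst": ev["dst"],
            "dport": ev["dport"],
            "logged_egress": ev["dif"],
            "rib_egress": iface,
            "matched": prefix,
            "via_vpn_route": src == "V",
        })
    return findings


def fixed_rib(rib=RIB):
    """The change recommended in the thread: remove the static pool route via Inside.
    Pool addresses without an active session then fall to the default route."""
    return [r for r in rib if not (r[0] == "10.2.200.0/24" and r[1] == "Inside")]


def ports_hit(text):
    """Quick triage summary: how many log lines per destination port."""
    return Counter(ev["dport"] for ev in parse_log(text))


if __name__ == "__main__":
    for f in explain(SAMPLE_LOG):
        print(f"{f['dst']}:{f['dport']} -> {f['matched']} via {f['rib_egress']} "
              f"(vpn route: {f['via_vpn_route']})")
    print("after removing the static route:", lookup("10.2.200.46", fixed_rib()))
    print("ports:", dict(ports_hit(SAMPLE_LOG)))
```

Run it as-is; the active session 10.2.200.2 resolves to the /32 on Outside, every destination in the sample log resolves to the static /24 on Inside (matching the `Inside:` egress in the messages), and after `fixed_rib()` those same addresses resolve to the default route instead of being hairpinned back onto the Inside network.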
06-06-2023 07:50 AM
@jmaxwellUSAF like I said remove the route from the ASA to 10.2.200.0/24 for the anyconnect VPN pool via the inside interface. That network exists on the ASA itself not on the inside network.
06-06-2023 08:05 AM
(If I don't do this correctly, all VPN users (a lot of workers) will be basically offline.)
So If i simply only remove...
S 10.2.200.0 255.255.255.0 [1/0] via 10.2.222.3, Inside
... the ASA will naturally then route traffic destined to 10.2.200.0 to the outside interface?
Is that it? Nothing else needs to be configured?
06-06-2023 08:15 AM
The active AnyConnect will appear as
10.2.200.0/32; if there is no active AnyConnect, then this subnet will not appear in your RIB.
You have three active AnyConnect shown in your RIB; run show vpn-sessiondb and check that.
06-06-2023 08:33 AM - edited 06-06-2023 08:37 AM
@jmaxwellUSAF I appreciate it's your risk, if you are concerned make the change OOH in a change window.
The 10.2.200.0 exists on the ASA itself, connections from that anyconnect IP pool would normally be sent from the outside interface, hence my first comment indicating this as the potential problem.
Out of curiosity, are you redistributing the static route for 10.2.200.0 into a routing protocol? And using RRI?
06-06-2023 08:50 AM
"Out of curiosity, are you redistributing the static route for 10.2.200.0 into a routing protocol?"
YES. via EIGRP.
The default gateway for the ASA is the next hop out of the external interface.
BUT
Our DMVPN router's default gateway DOES NOT cross the ASA, instead it goes directly to the ISP router.
So then, return traffic will have an asymmetric route. Will this cause issues, such as ASA TCP SYN/ACK DDoS detection alerts, because the TCP SYN/ACK will never be detected outgoing on the incoming connections? Is there a best way to configure this situation?
Please advise.
06-06-2023 08:54 AM
Sure, there is redistribute connected in the ASA; it will force EIGRP to redistribute the connected /32 AnyConnect prefixes that appear in the ASA to all other networks.
No need for a static route for the VPN pool in that case.