ASA 5510 log messages %ASA-4-419002: Duplicate TCP SYN

An ASA 5510 I'm running as an IPSec gateway is producing lots of log
messages like this:

%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to outside:10.2.160.51/80 with different initial sequence number

Why is this bad, or even worth reporting?

Is the obvious solution ("no logging message 419002") also the correct one?

TIA
Tilman

PS: The CCO Error Message Decoder doesn't even know that message and its
only suggestion is I might have mistyped it.

-- 
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
Tilman
1/31/2008 11:29:17 AM
comp.dcom.sys.cisco

* Tilman Schmidt wrote:
> An ASA 5510 I'm running as an IPSec gateway is producing lots of log
> messages like this:
>
> %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to
> outside:10.2.160.51/80 with different initial sequence number
>
> Why is this bad, or even worth reporting?

TCP SYN packets might be lost and resent without modification. That's normal.

TCP SYN packets with different sequence numbers are the way to go for
opening TCP sessions using a spoofed source IP. This is a serious attack.
It's hard to trace the sender, because you can't trust the src IP. So you
have to go through the routers backward in order to find the attacker.

In your case, I'd suspect the guy with 192.168.1.100 of running hacking software.
Lutz
1/31/2008 11:40:15 AM
Lutz Donnerhacke wrote:
> * Tilman Schmidt wrote:
>> An ASA 5510 I'm running as an IPSec gateway is producing lots of log
>> messages like this:
>>
>> %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to
>> outside:10.2.160.51/80 with different initial sequence number
>>
>> Why is this bad, or even worth reporting?
> 
> TCP SYN packets might be lost and resent without modification. That's normal.
> 
> TCP SYN packets with different sequence numbers are the way to go for
> opening TCP sessions using a spoofed source IP. This is a serious attack.
> It's hard to trace the sender, because you can't trust the src IP. So you
> have to go through the routers backward in order to find the attacker.
> 
> In your case, I'd suspect the guy with 192.168.1.100 of running hacking software.

Hmm. The guy with 192.168.1.100 is me. :-)

The network behind the ASA's inside interface is completely under my
control, with the ASA being the only gateway, so I'm reasonably sure
there's no source IP address spoofing going on.
192.168.1.100 is a Windows Server 2003 I manage. It is running Tandberg
videoconferencing management software (TMS) and nothing else. It is
certainly running nothing that can be considered as "hacking software".
10.2.160.51 is one of the managed conferencing devices, and these
thingies actually do have a web interface for management, so an access
to its port 80 from my management server is absolutely plausible too.
In sum, this traffic is, with a probability bordering on certainty,
legitimate.

Should I complain to the software manufacturer for violation of RFCs?
Which ones?

Thx
T.

-- 
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
Tilman
2/1/2008 5:57:09 PM
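Two points in this thread lend themselves to a small worked example: Lutz's distinction between a retransmitted SYN (same initial sequence number, normal loss recovery) and a repeated SYN with a different ISN, and Tilman's question of how to establish from the logs alone whether the traffic is one client's application behaviour or something wider. The code below is an added example and not part of the thread, nor Cisco's implementation. The `EmbryonicTracker` is an assumed, simplified model of the check behind message 419002 (remember the ISN of each half-open connection, classify a repeated SYN), and the log lines in `SAMPLE_LOG` are constructed to match the message format quoted in the thread.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Pattern for the %ASA-4-419002 message in the form quoted in the thread.
ASA_419002 = re.compile(
    r"%ASA-4-419002: Duplicate TCP SYN from "
    r"(?P<in_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<out_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"with different initial sequence number"
)


@dataclass(frozen=True)
class Syn:
    """A TCP SYN as the firewall sees it: 4-tuple plus initial sequence number."""
    src: str
    sport: int
    dst: str
    dport: int
    isn: int


class EmbryonicTracker:
    """Assumed, simplified model of the check behind 419002 (not Cisco's code):
    remember the ISN of every half-open connection and classify a repeated SYN."""

    def __init__(self):
        self.embryonic = {}  # (src, sport, dst, dport) -> ISN of the first SYN seen

    def observe(self, syn):
        key = (syn.src, syn.sport, syn.dst, syn.dport)
        prev = self.embryonic.get(key)
        if prev is None:
            self.embryonic[key] = syn.isn
            return "new"
        if prev == syn.isn:
            # A SYN lost in transit is retransmitted unchanged (RFC 793), so the ISN matches.
            return "retransmit"
        # Same 4-tuple the firewall still holds as half-open, but a different ISN:
        # not a retransmission. This is the condition 419002 reports.
        return "duplicate-different-isn"

    def complete(self, syn):
        """Handshake finished or connection torn down: forget the embryonic entry."""
        self.embryonic.pop((syn.src, syn.sport, syn.dst, syn.dport), None)


def parse_419002(line):
    """Return the fields of a 419002 line, or None if the line is something else."""
    m = ASA_419002.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def triage(lines):
    """Aggregate 419002 events so the shape of the problem is visible: one client
    repeatedly opening sockets to one server looks very different from many
    sources, which is the pattern that would merit a spoofing investigation."""
    events = [e for e in map(parse_419002, lines) if e]
    by_pair = Counter((e["src"], e["dst"], e["dport"]) for e in events)
    sports = defaultdict(set)
    for e in events:
        sports[(e["src"], e["dst"], e["dport"])].add(e["sport"])
    sources = {e["src"] for e in events}
    if not events:
        shape = "none"
    elif len(sources) == 1:
        shape = "single-source"   # start with a packet capture on that one host
    else:
        shape = "multi-source"    # wider problem, not explained by one application
    return {
        "events": len(events),
        "sources": sorted(sources),
        "by_pair": dict(by_pair),
        "distinct_sports": {k: len(v) for k, v in sports.items()},
        "shape": shape,
    }


# Constructed sample log lines modelled on the message quoted in the thread;
# the last line is a constructed connection-build message that must be ignored.
SAMPLE_LOG = [
    "%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to outside:10.2.160.51/80 with different initial sequence number",
    "%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3651 to outside:10.2.160.51/80 with different initial sequence number",
    "%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to outside:10.2.160.51/80 with different initial sequence number",
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:10.2.160.51/80 (10.2.160.51/80) to inside:192.168.1.100/3652 (192.168.1.100/3652)",
]

if __name__ == "__main__":
    t = EmbryonicTracker()
    first = Syn("192.168.1.100", 3650, "10.2.160.51", 80, isn=1000)
    print(t.observe(first), t.observe(first))  # new retransmit
    print(t.observe(Syn("192.168.1.100", 3650, "10.2.160.51", 80, isn=5000)))  # duplicate-different-isn
    print(triage(SAMPLE_LOG))
```

The `distinct_sports` count is the useful detail for a case like the one in the thread: a single client cycling through ephemeral ports towards one server port points at an application on that client opening and re-opening sockets, which is what a capture on that host would confirm or refute.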
* Tilman Schmidt wrote:
> Lutz Donnerhacke wrote:
>> In your case, I'd suspect the guy with 192.168.1.100 of running hacking software.
>
> Hmm. The guy with 192.168.1.100 is me. :-)

You are a bad guy, aren't you? ;-)

> In sum, this traffic is, with a probability bordering on certainty,
> legitimate.

Capture the network traffic and ask Daniel Rosen in your company to assist
you in debugging it.
Lutz
2/4/2008 11:33:28 AM
On 04.02.2008 12:33, Lutz Donnerhacke wrote:
> * Tilman Schmidt wrote:
> 
>> In sum, this traffic is, with a probability bordering on certainty,
>> legitimate.
> 
> Capture the network traffic and ask Daniel Rosen in your company to assist
> you in debugging it.

Sorry, no one with that name on our payroll. I can't help wondering
who you think my company is.

No hint what I should be looking for, so I can go after this myself?

-- 
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
Tilman
2/17/2008 12:57:40 AM
* Tilman Schmidt wrote:
> Sorry, no one with that name on our payroll. I can't help wondering
> who you think my company is.

Sorry, I took it from the newsserver you are using.

> No hint what I should be looking for, so I can go after this myself?

You have to go yourself or ask your ISP or any other expert to help you.
Lutz
2/18/2008 12:07:36 PM