duplicate TCP sequence number?

Unanswered Question
May 14th, 2008

The following is a message from a syslog server. Duplicate TCP SYN is not right. Any suggestions on the following message would be appreciated.

07:40:25: %ASA-4-419002: Duplicate TCP SYN from Inside: 192.168.1.170/3229 to outside:82.42.69.140/4219 with different initial sequence number

*I cannot find who has IP 192.168.1.170. Trend Micro shows no one on the LAN (who has Trend Micro) using .170.

mchin345 Tue, 05/20/2008 - 11:11

A duplicate TCP SYN was received during the three-way handshake with a different initial sequence number than the SYN that opened the embryonic connection. This could indicate that SYNs are being spoofed.

rmeans Thu, 09/04/2008 - 10:04

What happens to the duplicate TCP SYN packet? Is the packet dropped or passed to the end host?

paulhignutt Thu, 09/04/2008 - 12:14

Message: http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wpxref37984

I'd say that this is suspicious; have you looked for a corresponding ARP entry on a L3 device? It may have a local firewall, but your L3 switch/router that is closest to that VLAN will have an ARP entry for the address if it exists. From that you can get the MAC address, and from there you can trace down which port the device is on if you have manageable switches.
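An added example, not from the thread or from Cisco: it parses %ASA-4-419002 lines with the field layout of the message quoted above and counts them per inside source address, so a syslog collector can point out which host to trace through the ARP and MAC tables as suggested. The sample log (apart from the first line, which is the one from the thread) and the event threshold are constructed assumptions.

```python
import re
from collections import Counter

# Field layout of ASA message 419002, taken from the line quoted in the thread.
# \s* after each colon tolerates the "Inside: 192.168.1.170" spacing seen there.
ASA_419002 = re.compile(
    r"%ASA-\d-419002: Duplicate TCP SYN from (?P<src_if>\w+):\s*"
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to (?P<dst_if>\w+):\s*"
    r"(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) with different initial sequence number"
)


def parse_419002(line):
    """Return the fields of a 419002 line as a dict, or None for any other message."""
    m = ASA_419002.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def count_by_source(lines):
    """Count 419002 events per source address; unrelated syslog lines are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_419002(line)
        if rec is not None:
            counts[rec["src_ip"]] += 1
    return counts


def noisy_sources(lines, threshold=3):
    """Source addresses with at least `threshold` events (threshold is an assumed value)."""
    return sorted(ip for ip, n in count_by_source(lines).items() if n >= threshold)


# Constructed sample log: the first line is the one from the thread, the rest are made up.
SAMPLE_LOG = """\
07:40:25: %ASA-4-419002: Duplicate TCP SYN from Inside: 192.168.1.170/3229 to outside:82.42.69.140/4219 with different initial sequence number
07:40:26: %ASA-6-302013: Built outbound TCP connection 1001 for outside:82.42.69.140/80 (82.42.69.140/80) to Inside:192.168.1.44/1025 (192.168.1.44/1025)
07:40:31: %ASA-4-419002: Duplicate TCP SYN from Inside:192.168.1.170/3231 to outside:82.42.69.140/4219 with different initial sequence number
07:40:40: %ASA-4-419002: Duplicate TCP SYN from Inside:192.168.1.44/1033 to outside:10.0.0.5/443 with different initial sequence number
07:40:52: %ASA-4-419002: Duplicate TCP SYN from Inside:192.168.1.170/3240 to outside:82.42.69.140/4219 with different initial sequence number
""".splitlines()

if __name__ == "__main__":
    counts = count_by_source(SAMPLE_LOG)
    for ip in noisy_sources(SAMPLE_LOG):
        print(f"{ip}: {counts[ip]} duplicate-SYN events; look this host up in the L3 device's ARP table")
```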
