05-14-2008 09:02 PM - edited 03-09-2019 08:42 PM
The following is a message from a syslog server. Duplicate TCP SYN is not right. Any suggestions on the following message would be appreciated.
07:40:25: %ASA-4-419002: Duplicate TCP SYN from Inside: 192.168.1.170/3229 to outside:82.42.69.140/4219 with different initial sequence number
*I cannot find who has IP 192.168.1.170. Trend Micro shows no one on the LAN (who has Trend Micro) using .170.
05-20-2008 11:11 AM
Duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number than the SYN that opened the embryonic connection. This could indicate that SYNs are being spoofed.
09-04-2008 10:04 AM
What happens to the duplicate TCP SYN packet? Is the packet dropped or passed to the end host?
09-04-2008 12:14 PM
Message:
http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wpxref37984
I'd say that this is suspicious. Have you looked for a corresponding ARP entry from an L3 device? It may have a local firewall, but your L3 switch/router that is closest to that VLAN will have an ARP entry for the address if it exists. From that you can get the MAC address, and from there you can trace down which port the device is on if you have manageable switches.
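Before tracing a host through ARP and MAC tables, it helps to know which inside addresses keep triggering the message and toward which destinations. The following Python script is an added example, not part of any post in this thread: it parses %ASA-4-419002 lines and groups them by source interface and IP. The function names are hypothetical, and every sample line except the first (quoted from the thread) is constructed.

```python
import re
from collections import defaultdict

# Sample input: line 1 is the message quoted in the thread, the rest are constructed.
SAMPLE_LOG = """\
07:40:25: %ASA-4-419002: Duplicate TCP SYN from Inside: 192.168.1.170/3229 to outside:82.42.69.140/4219 with different initial sequence number
07:40:31: %ASA-4-419002: Duplicate TCP SYN from Inside:192.168.1.170/3230 to outside:82.42.69.140/4219 with different initial sequence number
07:41:02: %ASA-4-419002: Duplicate TCP SYN from Inside:192.168.1.23/1107 to outside:203.0.113.9/80 with different initial sequence number
07:41:10: %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.9/80 (203.0.113.9/80) to Inside:192.168.1.23/1108 (192.168.1.23/1108)
"""

# Optional whitespace after the interface colon is tolerated, as in the thread's line.
PATTERN = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}):\s+%ASA-4-419002: Duplicate TCP SYN from "
    r"(?P<src_if>[^:\s]+):\s*(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):\s*(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def parse_duplicate_syn(line):
    """Return the fields of a 419002 message as a dict, or None for any other line."""
    m = PATTERN.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["src_port"], ev["dst_port"] = int(ev["src_port"]), int(ev["dst_port"])
    return ev

def summarize(log_text):
    """Group events by (interface, source IP) so each host can be looked up in ARP."""
    hosts = defaultdict(lambda: {"count": 0, "first": None, "last": None, "targets": set()})
    for line in log_text.splitlines():
        ev = parse_duplicate_syn(line)
        if ev is None:
            continue
        h = hosts[(ev["src_if"], ev["src_ip"])]
        h["count"] += 1
        h["first"] = h["first"] or ev["time"]
        h["last"] = ev["time"]
        h["targets"].add((ev["dst_ip"], ev["dst_port"]))
    return dict(hosts)

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for (iface, ip), h in ranked:
        print(f"{iface} {ip}: {h['count']} events {h['first']}..{h['last']} -> {sorted(h['targets'])}")
```

The addresses it reports on the inside interface are the ones to look up in the ARP table of the L3 device closest to that VLAN.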