duplicate TCP sequence number?

saidfrh · ‎05-14-2008

The following is a message from a syslog server. Duplicate TCP SYN is not right. Any suggestions on the following message would be appreciated.

07:40:25: %ASA-4-419002: Duplicate TCP SYN from Inside: 192.168.1.170/3229 to outside:82.42.69.140/4219 with different initial sequence number

*I can not find who has IP 192.168.1.170. Trend Micro shows no one on the LAN (who has Trend Micro) using .170

mchin345 · ‎05-20-2008

Duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number than the SYN that opened the embryonic connection. This could indicate that SYNs are being spoofed.

rmeans · ‎09-04-2008

What happens to the duplicate TCP SYN packet? Is the packet dropped or passed to the end host?

paulhignutt · ‎09-04-2008

Message:

http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wpxref37984

I'd say that this is suspicious, have you looked for a corresponding ARP entry from a L3 device? It may have a local firewall, but your L3 switch/router that is closest to that VLAN will have an ARP entry for the address if it exists. From that you can get the MAC address, and from there you can trace down which port the device is on if you have manageable switches.