Cisco Support Community

New Member

Duplicate TCP SYN on ASA Firewall for LPD service

Hello

On my ASA Firewall I noticed in logs the following warnings:

4    Nov 28 2013    11:31:13    419002    10.0.0.1    731    20.0.0.1    515    Duplicate TCP SYN from WAN:10.0.0.1/731 to DMZ:20.0.0.1/515 with different initial sequence number

6    Nov 28 2013    11:34:26    106015   10.0.0.1     724   20.0.0.1     515    Deny TCP (no connection) from 10.0.0.1/724 to 20.0.0.1/515 flags FIN ACK  on interface WAN

I created the service policy

class-map WAN-class
  match port tcp eq lpd
policy-map WAN-policy
  class WAN-class
    set connection conn-max 0 embryonic-conn-max 0 per-client-max 0 per-client-embryonic-max 0 random-sequence-number disable
service-policy WAN-policy interface WAN

After applying the map I didn't get any duplicate TCP SYNs... but after a couple of hours they had appeared again.

How to overcome that kind of situation?

Kind Regards

vMario

1 REPLY
VIP Green


Hi

Have you identified what machine is sending these SYN packets (ip 10.0.0.1)?  I have heard of some applications trying to initiate several connections at a time.  Have you introduced any new machines/PC to the network recently?  How long have you been seeing these messages?

I would first of all protect your network against SYN flood attacks as your network is currently wide open, given the configuration you posted.  The following config will help minimize your exposure to a SYN flood attack.

policy-map WAN-policy
  class WAN-class
    set connection conn-max 100
    set connection embryonic-conn-max 200
    set connection per-client-embryonic-max 7
    set connection per-client-max 5
    set connection random-sequence-number enable
    set connection timeout embryonic 0:0:45

The below link goes more in depth on attack mitigation and might be worth you reading.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

--

Please rate all helpful posts

-- Please remember to rate and select a correct answer
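The reply's first question is which machine is generating the SYNs and how often. The following script is an added example, not part of the thread or any Cisco tool: it parses ASDM-style log rows in the layout shown in the question (severity, date, time, message id, source, source port, destination, destination port, message text), groups the 419002 duplicate-SYN and 106015 no-connection events per (source, destination, port), and flags a source that exceeds a chosen number of duplicate SYNs inside a time window. The sample rows, the five-minute window and the threshold of 3 are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One ASDM-style log row as shown in the thread: severity, date, time,
# message id, src, sport, dst, dport, then the free-text message.
LINE_RE = re.compile(
    r"^\s*(?P<sev>\d)\s+(?P<date>[A-Z][a-z]{2} \d{1,2} \d{4})\s+"
    r"(?P<time>\d\d:\d\d:\d\d)\s+(?P<msgid>\d{6})\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+"
    r"(?P<text>.*\S)\s*$"
)
# 419002: the ASA still holds state for this 4-tuple and sees a new SYN
# carrying a different initial sequence number.
DUP_SYN_RE = re.compile(
    r"Duplicate TCP SYN from (?P<src_if>\w+):[\d.]+/\d+ to (?P<dst_if>\w+):[\d.]+/\d+ "
    r"with different initial sequence number"
)
# 106015: a non-SYN segment arrived for a 4-tuple with no connection entry,
# typically a late FIN/ACK after the ASA already tore the connection down.
NO_CONN_RE = re.compile(
    r"Deny TCP \(no connection\) from [\d.]+/\d+ to [\d.]+/\d+ "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\w+)"
)

# Constructed sample rows in the thread's column layout (not real ASA output).
SAMPLE_LOG = """\
4    Nov 28 2013    11:31:13    419002    10.0.0.1    731    20.0.0.1    515    Duplicate TCP SYN from WAN:10.0.0.1/731 to DMZ:20.0.0.1/515 with different initial sequence number
4    Nov 28 2013    11:31:15    419002    10.0.0.1    731    20.0.0.1    515    Duplicate TCP SYN from WAN:10.0.0.1/731 to DMZ:20.0.0.1/515 with different initial sequence number
4    Nov 28 2013    11:31:40    419002    10.0.0.1    732    20.0.0.1    515    Duplicate TCP SYN from WAN:10.0.0.1/732 to DMZ:20.0.0.1/515 with different initial sequence number
4    Nov 28 2013    11:33:02    419002    10.0.0.1    733    20.0.0.1    515    Duplicate TCP SYN from WAN:10.0.0.1/733 to DMZ:20.0.0.1/515 with different initial sequence number
6    Nov 28 2013    11:34:26    106015    10.0.0.1    724    20.0.0.1    515    Deny TCP (no connection) from 10.0.0.1/724 to 20.0.0.1/515 flags FIN ACK  on interface WAN
4    Nov 28 2013    12:05:00    419002    10.0.0.2    5001    20.0.0.1    515    Duplicate TCP SYN from WAN:10.0.0.2/5001 to DMZ:20.0.0.1/515 with different initial sequence number
this line is not an ASA record and is skipped
"""


def parse_line(line):
    """Return a dict for a recognised ASA log row, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%b %d %Y %H:%M:%S")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def max_in_window(timestamps, window):
    """Largest number of events that fall inside any span of length `window`."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(lines, window=timedelta(minutes=5), dup_syn_threshold=3):
    """Group 419002/106015 events by (src, dst, dport) and flag noisy sources.

    A source is flagged when it produces more than `dup_syn_threshold`
    duplicate-SYN events inside any `window`; that is the client (or spoofed
    address) worth identifying before tuning per-client connection limits.
    """
    dup_times = defaultdict(list)
    dup_sports = defaultdict(set)
    stale_fin = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        if rec["msgid"] == "419002" and DUP_SYN_RE.search(rec["text"]):
            dup_times[key].append(rec["ts"])
            dup_sports[key].add(rec["sport"])
        elif rec["msgid"] == "106015" and NO_CONN_RE.search(rec["text"]):
            stale_fin[key] += 1
    report = {}
    for key in set(dup_times) | set(stale_fin):
        peak = max_in_window(dup_times[key], window)
        report[key] = {
            "dup_syn_events": len(dup_times[key]),
            "distinct_source_ports": len(dup_sports[key]),
            "peak_dup_syn_per_window": peak,
            "stale_fin_events": stale_fin[key],
            "flagged": peak > dup_syn_threshold,
        }
    return report


if __name__ == "__main__":
    for key, stats in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(key, stats)
```

Run against a real export, the per-source view separates a single client that keeps re-opening the LPD connection from the same few source ports (an application retrying, as the reply suggests) from many addresses each sending a handful of SYNs, which is the pattern the embryonic limits in the reply are meant to contain.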