New Member

duplicate TCP sequence number?

The following is a message from a syslog server. Duplicate TCP SYN is not right. Any suggestions on the following message would be appreciated.

07:40:25: %ASA-4-419002: Duplicate TCP SYN from Inside: 192.168.1.170/3229 to outside:82.42.69.140/4219 with different initial sequence number

I cannot find who has IP 192.168.1.170. Trend Micro shows no one on the LAN (who has Trend Micro) using .170.

3 REPLIES
Silver

Re: duplicate TCP sequence number?

Duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number than the SYN that opened the embryonic connection. This could indicate that SYNs are being spoofed.

New Member

Re: duplicate TCP sequence number?

What happens to the duplicate TCP SYN packet? Is the packet dropped or passed to the end host?

New Member

Re: duplicate TCP sequence number?

Message:

http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wpxref37984

I'd say that this is suspicious. Have you looked for a corresponding ARP entry from an L3 device? It may have a local firewall, but the L3 switch/router that is closest to that VLAN will have an ARP entry for the address if it exists. From that you can get the MAC address, and from there you can trace down which port the device is on if you have manageable switches.
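
As an added example (not part of the original thread and not Cisco code): a small Python parser for the 419002 message text quoted in the question, grouping events by inside source address so it is clear which addresses to look up in ARP and switch tables. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter, defaultdict

# Pattern follows the message text quoted in the thread. Whitespace after the
# interface name is optional because the pasted line reads "Inside: 192...".
MSG_419002 = re.compile(
    r"%ASA-4-419002: Duplicate TCP SYN from "
    r"(?P<src_if>[^:\s]+):\s*(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):\s*(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def parse_419002(line):
    """Return the fields of one 419002 line as a dict, or None if no match."""
    m = MSG_419002.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec

def summarize(lines):
    """Per source IP: (ip, event count, distinct destinations), busiest first."""
    counts = Counter()
    dests = defaultdict(set)
    for line in lines:
        rec = parse_419002(line)
        if rec is None:
            continue  # not a duplicate-SYN message
        counts[rec["src_ip"]] += 1
        dests[rec["src_ip"]].add((rec["dst_ip"], rec["dst_port"]))
    return [(ip, n, len(dests[ip])) for ip, n in counts.most_common()]

# Sample input: the first line is the one from the thread, the rest are
# constructed for this example (documentation address ranges, placeholder ID).
SAMPLE = [
    "07:40:25: %ASA-4-419002: Duplicate TCP SYN from Inside: 192.168.1.170/3229 to outside:82.42.69.140/4219 with different initial sequence number",
    "07:40:31: %ASA-4-419002: Duplicate TCP SYN from Inside:192.168.1.170/3230 to outside:198.51.100.7/4219 with different initial sequence number",
    "07:41:02: %ASA-0-000000: unrelated message (constructed placeholder)",
    "07:42:10: %ASA-4-419002: Duplicate TCP SYN from Inside:192.168.1.55/4000 to outside:203.0.113.9/443 with different initial sequence number",
]

if __name__ == "__main__":
    for ip, n, ndst in summarize(SAMPLE):
        print(f"{ip}: {n} duplicate-SYN events, {ndst} distinct destinations")
```

A source address that keeps appearing here but has no ARP entry on the nearest L3 device is consistent with the spoofing explanation given in the first reply.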
