Velocity Reviews - Computer Hardware Reviews

ASA 5510 log messages %ASA-4-419002: Duplicate TCP SYN

Tilman Schmidt
      01-31-2008
An ASA 5510 I'm running as an IPSec gateway is producing lots of log
messages like this:

%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to outside:10.2.160.51/80 with different initial sequence number

Why is this bad, or even worth reporting?

Is the obvious solution ("no logging message 419002") also the correct one?

TIA
Tilman

PS: The CCO Error Message Decoder doesn't even know that message and its
only suggestion is I might have mistyped it.

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
Lutz Donnerhacke
      01-31-2008
* Tilman Schmidt wrote:
> An ASA 5510 I'm running as an IPSec gateway is producing lots of log
> messages like this:
>
> %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to
> outside:10.2.160.51/80 with different initial sequence number
>
> Why is this bad, or even worth reporting?


TCP SYN packets might be lost and resent without modification. That's normal.

TCP SYN packets with different sequence numbers are the way to go for
opening TCP sessions using a spoofed source IP. This is a serious attack.
It's hard to trace the sender, because you can't trust the src IP. So you
have to go back through the routers in order to find the attacker.

In your case, I'd suspect the guy with 192.168.1.100 to run hacking software.
Tilman Schmidt
      02-01-2008
Lutz Donnerhacke wrote:
> * Tilman Schmidt wrote:
>> An ASA 5510 I'm running as an IPSec gateway is producing lots of log
>> messages like this:
>>
>> %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to
>> outside:10.2.160.51/80 with different initial sequence number
>>
>> Why is this bad, or even worth reporting?
>
> TCP SYN packets might be lost and resend without modification. That's normal.
>
> TCP SYN packets with different sequence numbers are the way to go for
> opening TCP sessions using a spoofed source IP. This is a serious attack.
> It's hard to trace the sender, because you can't trust the src IP. So you
> have to got the routers backward in order to find the attacker.
>
> In your case, I'd suspect the guy with 192.168.1.100 to run hacking software.


Hmm. The guy with 192.168.1.100 is me.

The network behind the ASA's inside interface is completely under my
control, with the ASA being the only gateway, so I'm reasonably sure
there's no source IP address spoofing going on.
192.168.1.100 is a Windows Server 2003 I manage. It is running Tandberg
videoconferencing management software (TMS) and nothing else. It is
certainly running nothing that can be considered as "hacking software".
10.2.160.51 is one of the managed conferencing devices, and these
thingies actually do have a web interface for management, so an access
to its port 80 from my management server is absolutely plausible too.
In sum, this traffic is, with a probability bordering on certainty,
legitimate.

Should I complain to the software manufacturer for violation of RFCs?
Which ones?

Thx
T.

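As an added example (not code from anyone in the thread), here is a small Python triage script that parses 419002 lines in the exact format Tilman quoted and groups them by inside source host, separating the one-server, one-service pattern he describes from a fan-out across many destinations that would justify a packet capture. The sample log lines, the extra 302013 line and the thresholds are constructed for the example, not taken from the ASA.

```python
import re
from collections import defaultdict

# Field layout of the 419002 message as quoted in the thread
ASA_419002 = re.compile(
    r"%ASA-4-419002: Duplicate TCP SYN from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"with different initial sequence number"
)

def parse_419002(line):
    """Return the message fields as a dict, or None for any other message."""
    m = ASA_419002.search(line)
    return m.groupdict() if m else None

def triage(lines):
    """Group 419002 events by source host: event count, distinct destinations, source ports."""
    stats = defaultdict(lambda: {"events": 0, "dsts": set(), "src_ports": set()})
    for line in lines:
        f = parse_419002(line)
        if f is None:
            continue  # not a 419002 message, ignore it
        s = stats[f["src_ip"]]
        s["events"] += 1
        s["dsts"].add(f"{f['dst_ip']}/{f['dst_port']}")
        s["src_ports"].add(int(f["src_port"]))
    return stats

def classify(entry, max_dsts=3, max_ports=20):
    """Heuristic label. One host retrying one service from a few ports looks like
    application behaviour; a host fanning out to many services is what to capture.
    The thresholds are assumptions, not ASA defaults; tune them for your network."""
    if len(entry["dsts"]) > max_dsts or len(entry["src_ports"]) > max_ports:
        return "fan-out: capture traffic and inspect"
    return "single service retry: likely benign"

# Constructed sample lines modelled on the thread's message, plus one unrelated
# message and one host that fans out to several destinations.
SAMPLE = [
    "%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to outside:10.2.160.51/80 with different initial sequence number",
    "%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3651 to outside:10.2.160.51/80 with different initial sequence number",
    "%ASA-6-302013: Built outbound TCP connection 1 for outside:10.2.160.51/80 (10.2.160.51/80) to inside:192.168.1.100/3650 (192.168.1.100/3650)",
] + [
    f"%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.55/{40000 + i} to outside:10.9.0.{i}/22 with different initial sequence number"
    for i in range(1, 6)
]

if __name__ == "__main__":
    for src, entry in triage(SAMPLE).items():
        print(src, entry["events"], len(entry["dsts"]), classify(entry))
```

Feeding the script a day of real 419002 lines instead of SAMPLE shows at a glance whether the messages all come from the management server talking to its conferencing devices, or from a host that deserves a closer look.
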
Lutz Donnerhacke
      02-04-2008
* Tilman Schmidt wrote:
> Lutz Donnerhacke wrote:
>> In your case, I'd suspect the guy with 192.168.1.100 to run hacking software.
>
> Hmm. The guy with 192.168.1.100 is me.


You are a bad guy, aren't you?

> In sum, this traffic is, with a probability bordering on certainty,
> legitimate.


Capture the network traffic and ask Daniel Rosen in your company to assist
you in debugging it.
Tilman Schmidt
      02-17-2008
On 04.02.2008 12:33, Lutz Donnerhacke wrote:
> * Tilman Schmidt wrote:
>
>> In sum, this traffic is, with a probability bordering on certainty,
>> legitimate.
>
> Capture the network traffic and ask Daniel Rosen in your company to assist
> you in debugging it.


Sorry, no one with that name on our payroll. I can't help wondering
who you think my company is.

No hint what I should be looking for, so I can go after this myself?

Lutz Donnerhacke
      02-18-2008
* Tilman Schmidt wrote:
> Sorry, no one with that name on our payroll. I can't help wondering
> who you think my company is.


Sorry, I took it from the newsserver you are using.

> No hint what I should be looking for, so I can go after this myself?


You have to go yourself or ask your ISP or any other expert to help you.