ASA 5510 log messages %ASA-4-419002: Duplicate TCP SYN

Discussion in 'Cisco' started by Tilman Schmidt, Jan 31, 2008.

  1. An ASA 5510 I'm running as an IPSec gateway is producing lots of log
    messages like this:

    %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to outside:10.2.160.51/80 with different initial sequence number

    Why is this bad, or even worth reporting?

    Is the obvious solution ("no logging message 419002") also the correct one?

    TIA
    Tilman

    PS: The CCO Error Message Decoder doesn't even know that message, and its
    only suggestion is that I might have mistyped it.

    --
    Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
     
    Tilman Schmidt, Jan 31, 2008
    #1

  2. * Tilman Schmidt wrote:
    > An ASA 5510 I'm running as an IPSec gateway is producing lots of log
    > messages like this:
    >
    > %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to
    > outside:10.2.160.51/80 with different initial sequence number
    >
    > Why is this bad, or even worth reporting?


    TCP SYN packets might be lost and resent without modification. That's normal.

    TCP SYN packets with different sequence numbers are the way to go for
    opening TCP sessions using a spoofed source IP. This is a serious attack.
    It's hard to trace the sender, because you can't trust the src IP. So you
    have to go through the routers backward in order to find the attacker.

    In your case, I'd suspect the guy with 192.168.1.100 of running hacking software.
     
    Lutz Donnerhacke, Jan 31, 2008
    #2
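A small checker, added here and not taken from either poster, that parses the 419002 message quoted in the thread and applies the distinction above to captured SYN segments: a repeated SYN with the same ISN is a retransmission, one with a different ISN on the same 4-tuple is what the ASA reports. The second source host, the interface-name pattern and all ISN values are constructed.

```python
import re
from collections import Counter

# Pattern for the message quoted in the thread (generalised shape, an assumption).
ASA_419002 = re.compile(
    r"%ASA-4-419002: Duplicate TCP SYN from (?P<in_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<out_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) with different initial sequence number"
)

def parse_419002(line):
    """Return (src, sport, dst, dport) for a 419002 line, or None for any other message."""
    m = ASA_419002.search(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def top_sources(lines):
    """Count 419002 hits per inside host: one noisy box or many is the first thing to know."""
    hits = Counter(p[0] for p in map(parse_419002, lines) if p)
    return hits.most_common()

def classify_syns(syns, window=60.0):
    """syns: (ts, src, sport, dst, dport, isn) tuples for captured SYN segments.
    Same 4-tuple within `window` seconds: same ISN -> retransmit (benign),
    different ISN -> the condition the ASA logs as 419002."""
    seen = {}  # 4-tuple -> (ts of defining SYN, isn)
    out = []
    for ts, src, sport, dst, dport, isn in sorted(syns):
        key = (src, sport, dst, dport)
        prev = seen.get(key)
        if prev is None or ts - prev[0] > window:
            seen[key], verdict = (ts, isn), "new"
        elif isn == prev[1]:
            verdict = "retransmit"
        else:
            seen[key], verdict = (ts, isn), "duplicate_syn_different_isn"
        out.append((ts, src, sport, dst, dport, verdict))
    return out

# Constructed sample log: the thread's line, one more from the same host, one from another.
SAMPLE_LOG = [
    "%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to outside:10.2.160.51/80 with different initial sequence number",
    "%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3651 to outside:10.2.160.51/80 with different initial sequence number",
    "%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.77/1025 to outside:10.2.160.51/80 with different initial sequence number",
    "%ASA-6-000000: unrelated constructed message",
]
# Constructed capture: first SYN, a retransmit, a new ISN on the same 4-tuple, a late fresh one.
SAMPLE_SYNS = [
    (0.0, "192.168.1.100", 3650, "10.2.160.51", 80, 1000),
    (3.0, "192.168.1.100", 3650, "10.2.160.51", 80, 1000),
    (5.0, "192.168.1.100", 3650, "10.2.160.51", 80, 4242),
    (70.0, "192.168.1.100", 3650, "10.2.160.51", 80, 9999),
]
```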

  3. Lutz Donnerhacke wrote:
    > * Tilman Schmidt wrote:
    >> An ASA 5510 I'm running as an IPSec gateway is producing lots of log
    >> messages like this:
    >>
    >> %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to
    >> outside:10.2.160.51/80 with different initial sequence number
    >>
    >> Why is this bad, or even worth reporting?

    >
    > TCP SYN packets might be lost and resent without modification. That's normal.
    >
    > TCP SYN packets with different sequence numbers are the way to go for
    > opening TCP sessions using a spoofed source IP. This is a serious attack.
    > It's hard to trace the sender, because you can't trust the src IP. So you
    > have to go through the routers backward in order to find the attacker.
    >
    > In your case, I'd suspect the guy with 192.168.1.100 of running hacking software.


    Hmm. The guy with 192.168.1.100 is me. :)

    The network behind the ASA's inside interface is completely under my
    control, with the ASA being the only gateway, so I'm reasonably sure
    there's no source IP address spoofing going on.
    192.168.1.100 is a Windows Server 2003 I manage. It is running Tandberg
    videoconferencing management software (TMS) and nothing else. It is
    certainly running nothing that can be considered as "hacking software".
    10.2.160.51 is one of the managed conferencing devices, and these
    thingies actually do have a web interface for management, so an access
    to its port 80 from my management server is absolutely plausible too.
    In sum, this traffic is, with a probability bordering on certainty,
    legitimate.

    Should I complain to the software manufacturer for violation of RFCs?
    Which ones?

    Thx
    T.

    --
    Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
     
    Tilman Schmidt, Feb 1, 2008
    #3
  4. * Tilman Schmidt wrote:
    > Lutz Donnerhacke wrote:
    >> In your case, I'd suspect the guy with 192.168.1.100 of running hacking software.

    >
    > Hmm. The guy with 192.168.1.100 is me. :)


    You are a bad guy, aren't you? ;-)

    > In sum, this traffic is, with a probability bordering on certainty,
    > legitimate.


    Capture the network traffic and ask Daniel Rosen in your company to assist
    you in debugging it.
     
    Lutz Donnerhacke, Feb 4, 2008
    #4
  5. On 04.02.2008 12:33, Lutz Donnerhacke wrote:
    > * Tilman Schmidt wrote:
    >
    >> In sum, this traffic is, with a probability bordering on certainty,
    >> legitimate.

    >
    > Capture the network traffic and ask Daniel Rosen in your company to assist
    > you in debugging it.


    Sorry, no one with that name on our payroll. I can't help wondering
    who you think my company is.

    No hint what I should be looking for, so I can go after this myself?

    --
    Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
     
    Tilman Schmidt, Feb 17, 2008
    #5
  6. * Tilman Schmidt wrote:
    > Sorry, no one with that name on our payroll. I can't help wondering
    > who you think my company is.


    Sorry, I took it from the newsserver you are using.

    > No hint what I should be looking for, so I can go after this myself?


    You have to go yourself or ask your ISP or any other expert to help you.
     
    Lutz Donnerhacke, Feb 18, 2008
    #6