Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

ASA 5510 log messages %ASA-4-419002: Duplicate TCP SYN

2,996 views
Skip to first unread message

Tilman Schmidt

unread,
Jan 31, 2008, 6:29:17 AM1/31/08
to
An ASA 5510 I'm running as an IPSec gateway is producing lots of log
messages like this:

%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to outside:10.2.160.51/80 with different initial sequence number

Why is this bad, or even worth reporting?

Is the obvious solution ("no logging message 419002") also the correct one?

TIA
Tilman

PS: The CCO Error Message Decoder doesn't even know that message and its
only suggestion is I might have mistyped it.

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...

Lutz Donnerhacke

unread,
Jan 31, 2008, 6:40:15 AM1/31/08
to
* Tilman Schmidt wrote:
> An ASA 5510 I'm running as an IPSec gateway is producing lots of log
> messages like this:
>
> %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to
> outside:10.2.160.51/80 with different initial sequence number
>
> Why is this bad, or even worth reporting?

TCP SYN packets might be lost and resend without modification. That's normal.

TCP SYN packets with different sequence numbers are the way to go for
opening TCP sessions using a spoofed source IP. This is a serious attack.
It's hard to trace the sender, because you can't trust the src IP. So you
have to got the routers backward in order to find the attacker.

In your case, I'd suspect the guy with 192.168.1.100 to run hacking software.

Tilman Schmidt

unread,
Feb 1, 2008, 12:57:09 PM2/1/08
to

Hmm. The guy with 192.168.1.100 is me. :-)

The network behind the ASA's inside interface is completely under my
control, with the ASA being the only gateway, so I'm reasonably sure
there's no source IP address spoofing going on.
192.168.1.100 is a Windows Server 2003 I manage. It is running Tandberg
videoconferencing management software (TMS) and nothing else. It is
certainly running nothing that can be considered as "hacking software".
10.2.160.51 is one of the managed conferencing devices, and these
thingies actually do have a web interface for management, so an access
to its port 80 from my management server is absolutely plausible too.
In sum, this traffic is, with a probability bordering on certainty,
legitimate.

Should I complain to the software manufacturer for violation of RFCs?
Which ones?

Thx
T.

Lutz Donnerhacke

unread,
Feb 4, 2008, 6:33:28 AM2/4/08
to
* Tilman Schmidt wrote:

> Lutz Donnerhacke wrote:
>> In your case, I'd suspect the guy with 192.168.1.100 to run hacking software.
>
> Hmm. The guy with 192.168.1.100 is me. :-)

You are an bad guy, arn't you? ;-)

> In sum, this traffic is, with a probability bordering on certainty,
> legitimate.

Capture the network traffic and ask Daniel Rosen in your company to assist
you in debugging it.

Tilman Schmidt

unread,
Feb 16, 2008, 7:57:40 PM2/16/08
to
Am 04.02.2008 12:33 schrieb Lutz Donnerhacke:

> * Tilman Schmidt wrote:
>
>> In sum, this traffic is, with a probability bordering on certainty,
>> legitimate.
>
> Capture the network traffic and ask Daniel Rosen in your company to assist
> you in debugging it.

Sorry, no one with that name on our payroll. I can't help wondering
who you think my company is.

No hint what I should be looking for, so I can go after this myself?

Lutz Donnerhacke

unread,
Feb 18, 2008, 7:07:36 AM2/18/08
to
* Tilman Schmidt wrote:
> Sorry, no one with that name on our payroll. I can't help wondering
> who you think my company is.

Sorry, I took it from the newsserver you are using.

> No hint what I should be looking for, so I can go after this myself?

You have to go youself or ask your ISP or any other expert to help you.

0 new messages