Duplicate TCP SYN from inside: xxx with different initial sequence number when VPN tunnels are down

jyoung1974 asked on
52 Views
Last Modified: 2020-07-03
I have an issue that has been getting worse with two of our ASA 5516-X firewalls on IOS 9.8(4)20.

I have tried several different IOS versions and it does not seem to help. If the VPN tunnel is down to a site (this also happens for AnyConnect clients when not connected) and there is traffic sent to them other than ICMP, the firewall lights up like a Christmas tree and it appears as though there is a DoS happening. I have tried changing NAT and VPN configurations with no success. If the event does start to occur, failing the cluster over seems to help, but that is the only thing that does besides restarting the firewalls.

Log message: Duplicate TCP SYN from inside:(legitimate traffic)/55560 to inside:(IP of system at remote site or AnyConnect client)/443 with different initial sequence number

When the tunnel is up and the system can be reached there are no issues.
Pete Long, Technical Architect
Commented:
That seems odd? Does the problem persist if you temporarily disable random TCP?
I'd use an ACL that matches the VPN traffic, define that in a class, disable TCP randomisation, add the class to the default policy - then retest.
See: https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/conns-connlimits.html#32741
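The four steps Pete describes, written out as an added ASA CLI example (not part of the original comment). The object names, the 10.1.0.0/16 inside network and the 10.2.0.0/16 remote VPN subnet are constructed placeholders; substitute the real VPN peer ranges so that randomisation stays enabled for everything else.

```cisco
! Step 1: ACL that matches only the traffic destined for the VPN peers
! (constructed example ranges; replace with the real local and remote subnets)
access-list VPN-NO-RANDOM extended permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! Step 2: class-map that selects the ACL
class-map VPN-NO-RANDOM-CLASS
 match access-list VPN-NO-RANDOM

! Step 3 and 4: disable ISN randomisation for that class only and attach it
! to the existing default policy, which is already applied globally
policy-map global_policy
 class VPN-NO-RANDOM-CLASS
  set connection random-sequence-number disable

! Verify the class is active and counting hits before retesting
show service-policy set connection
show access-list VPN-NO-RANDOM

! To back the change out if it does not help
policy-map global_policy
 no class VPN-NO-RANDOM-CLASS
```

Sequence-number randomisation is what hides the real ISN of inside hosts from the far side, so keep the ACL scoped to the VPN peers rather than matching any traffic, and remove the class again if the "Duplicate TCP SYN" messages continue with it in place.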
