You may sometimes see this syslog message from a Cisco ASA:
%ASA-4-419002: Received duplicate TCP SYN from in_interface : src_address / src_port to out_interface : dest_address / dest_port with different initial sequence number.
I see this a lot on VPN firewalls where packets are dropped due to the sequence numbers not being correct in TCP. This happens when the ASA randomizes the TCP sequence numbers and another device is also performing the same randomization of the TCP sequence numbers.
One way to bypass this is to disable TCP Sequence Number randomization on the ASA. This can be done on a selective basis. (NOTE: You may need this as well as Option 19 permissions if you are putting BGP through the firewall).
Here is a sample conf to disable TCP randomization for a specific subnet:
|
Comments