ASA 5510 log messages %ASA-4-419002: Duplicate TCP SYN

An ASA 5510 I'm running as an IPSec gateway is producing lots of log messages like this:

%ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to outside:10.2.160.51/80 with different initial sequence number

Why is this bad, or even worth reporting?

Is the obvious solution ("no logging message 419002") also the correct one?

TIA Tilman

PS: The CCO Error Message Decoder doesn't even know that message and its only suggestion is I might have mistyped it.

Tilman Schmidt

TCP SYN packets might be lost and resent without modification. That's normal.

TCP SYN packets with different sequence numbers are the way to go for opening TCP sessions using a spoofed source IP. This is a serious attack. It's hard to trace the sender, because you can't trust the src IP. So you have to go through the routers backward in order to find the attacker.

In your case, I'd suspect the guy with 192.168.1.100 of running hacking software.

Lutz Donnerhacke

Hmm. The guy with 192.168.1.100 is me. :-)

The network behind the ASA's inside interface is completely under my control, with the ASA being the only gateway, so I'm reasonably sure there's no source IP address spoofing going on.

192.168.1.100 is a Windows Server 2003 I manage. It is running Tandberg videoconferencing management software (TMS) and nothing else. It is certainly running nothing that can be considered as "hacking software". 10.2.160.51 is one of the managed conferencing devices, and these thingies actually do have a web interface for management, so an access to its port 80 from my management server is absolutely plausible too. In sum, this traffic is, with a probability bordering on certainty, legitimate.

Should I complain to the software manufacturer for violation of RFCs? Which ones?

Thx T.

Tilman Schmidt

You are a bad guy, aren't you? ;-)

Capture the network traffic and ask Daniel Rosen in your company to assist you in debugging it.

Lutz Donnerhacke

Sorry, no one with that name on our payroll. I can't help wondering who you think my company is.

No hint what I should be looking for, so I can go after this myself?

Tilman Schmidt

Sorry, I took it from the newsserver you are using.

You have to go yourself or ask your ISP or any other expert to help you.

Lutz Donnerhacke
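
Added example, not part of any post in this thread: one way to go through a capture for the distinction drawn above, separating SYNs repeated with the same initial sequence number (retransmissions) from SYNs on the same address/port pair with a different one. The record layout, the sample values and the 30-second window are constructed assumptions, not the ASA's own logic.

```python
from collections import defaultdict

# Constructed sample SYNs: (time_s, src_ip, src_port, dst_ip, dst_port, isn)
SAMPLE_SYNS = [
    (0.00, "192.168.1.100", 3650, "10.2.160.51", 80, 1000),
    (3.00, "192.168.1.100", 3650, "10.2.160.51", 80, 1000),  # same ISN
    (3.50, "192.168.1.100", 3650, "10.2.160.51", 80, 7777),  # different ISN
    (0.10, "192.168.1.100", 3651, "10.2.160.51", 80, 2000),  # single SYN
    (90.0, "192.168.1.100", 3650, "10.2.160.51", 80, 9999),  # new attempt
]

WINDOW_S = 30.0  # assumed: how long an unanswered SYN counts as "open"


def classify_syns(syns, window=WINDOW_S):
    """Return (flow, time, kind) for every repeated SYN within the window.

    kind is "retransmit" when the ISN equals that of the SYN that opened
    the attempt, "different-isn" otherwise. A SYN arriving later than
    `window` after the opener is treated as a fresh attempt, not a repeat.
    """
    opener = {}    # flow -> (time, isn) of the SYN that opened the attempt
    findings = []
    for t, src, sport, dst, dport, isn in sorted(syns):
        flow = (src, sport, dst, dport)
        first = opener.get(flow)
        if first is None or t - first[0] > window:
            opener[flow] = (t, isn)
            continue
        kind = "retransmit" if isn == first[1] else "different-isn"
        findings.append((flow, t, kind))
    return findings


def summarize(findings):
    """Count repeats per flow, split by kind."""
    counts = defaultdict(lambda: {"retransmit": 0, "different-isn": 0})
    for flow, _t, kind in findings:
        counts[flow][kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for flow, kinds in summarize(classify_syns(SAMPLE_SYNS)).items():
        print(flow, kinds)
```

Flows that only ever show `retransmit` are ordinary packet loss; flows with `different-isn` entries are the ones worth comparing against the timestamps of the 419002 log lines.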
