ลงชื่อเข้าใช้
 
หน้าหลักLibraryเรียนรู้ดาวน์โหลดการแก้ไขปัญหาชุมชนฟอรัม
ทรัพยากรสำหรับผู้เชี่ยวชาญด้าน IT >
Firewall detected Duplicate TCP SYN from SCCM to access VPN hosts

Unanswered Firewall detected Duplicate TCP SYN from SCCM to access VPN hosts

  • 20 มีนาคม 2555 13:46
     
     
    ลงชื่อเข้าใช้เพื่อโหวต
    0

    I have encountered a false positive detection of a SYN flood.  The syslog messages from the firewall show an incredible number of Duplicate SYN messages where the message originated from the SCCM server and the targets were Access VPN hosts.  During the TCP handshake, the sequence number used to form the embryonic connection is abandoned and a new sequence number is used, causing the firewall to detect a SYN flood.

    Apparently I am not the only one to encounter this issue, as I have found at least one other person reporting the same problem. 

    We have disabled the delta discovery feature/process to limit the pain from having so many of the messages bogging down our network, but, that is a bandaid and does not get at the root of the issue. 

    Does anyone know why the SCCM server is giving up on its TCP sequence number and moving on to a new sequence number instead of completing the handshake?

    Thanks,

    Tom

    Tom Bakry

     

ตอบทั้งหมด

  • 20 มีนาคม 2555 14:13
    ผู้ดูแล
     
     
    ลงชื่อเข้าใช้เพื่อโหวต
    0

    Clutching at straws here but try this:

    http://blogs.technet.com/b/configurationmgr/archive/2010/06/03/solution-you-may-experience-slow-performance-when-using-bits-and-kerberos-authentication-on-configmgr-2007-distribution-points.aspx

     
  • 20 มีนาคม 2555 15:46
     
     
    ลงชื่อเข้าใช้เพื่อโหวต
    0
    Not discounting the issue or saying it's not real, just than delta discovery has nothing to do with the issue. AD Discoveries only communicate with a DC.

    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

     
  • 23 มีนาคม 2555 17:52
     
     
    ลงชื่อเข้าใช้เพื่อโหวต
    0

    Thanks for your reply.

    Not sure that we are on the same page here.  We disabled delta discovery to stop the attempts to access hosts in the remote access subnets.  Those attempts to access hosts in those particular subnets were how the firewall became aware of the problem.  Being as the subnets are on the firewall, the firewall is a part of the communications path and its syslog messages informed me of the duplicate TCP SYN problem.  I got nearly 2000 attempts per minute on each host, thankfully not all at the same time, but, still, that is an awful lot of attempts.  Multiply that out and it doesn't take a sliderule to figure out the syslog is getting hammered by the messages and a significant amount of resources are being dedicated to the project.

    Are you saying that the delta discovery is SCCM trying to hunt for DCs?

    Tom Bakry

     
  • 23 มีนาคม 2555 19:43
     
     
    ลงชื่อเข้าใช้เพื่อโหวต
    0

    AD Discovery does not communicate with anything except a DC and DNS -- it in no way communicates with the clients. It queries AD for active computer resources and also tries to resolve their IP Addressed from DNS but that's it.

    What version and service pack of ConfigMgr are you running?

    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

     
  • 29 มีนาคม 2555 12:33
     
     
    ลงชื่อเข้าใช้เพื่อโหวต
    0

    We are running 4.00.6487.2000 R3.

    Tom Bakry