Firewall detected Duplicate TCP SYN from SCCM to access VPN hosts


I have encountered a false positive detection of a SYN flood. The syslog messages from the firewall show an incredible number of Duplicate SYN messages where the message originated from the SCCM server and the targets were Access VPN hosts. During the TCP handshake, the sequence number used to form the embryonic connection is abandoned and a new sequence number is used, causing the firewall to detect a SYN flood.

Apparently I am not the only one to encounter this issue, as I have found at least one other person reporting the same problem.

We have disabled the delta discovery feature/process to limit the pain from having so many of the messages bogging down our network, but that is a band-aid and does not get at the root of the issue.

Does anyone know why the SCCM server is giving up on its TCP sequence number and moving on to a new sequence number instead of completing the handshake?



Tom Bakry

20 March 2012 (B.E. 2555), 13:46
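The triage step that separates the situation described above (one server restarting its own handshakes with fresh initial sequence numbers toward a bounded set of VPN hosts) from a genuine SYN flood can be scripted against the firewall syslog. The following is an added example, not code from the original post or from any firewall or SCCM vendor: the syslog message format, the hostnames and addresses, and the classification thresholds are all constructed for this illustration and must be adapted to the real firewall's log format.

```python
"""Triage helper for firewall 'Duplicate TCP SYN' syslog events.

Added example (hypothetical log format, constructed sample data). It groups
duplicate-SYN events by source and reports, per source, how many flows were
re-attempted with a different initial sequence number (ISN) and how many
distinct destinations were involved. One source retrying the same 4-tuples
with new ISNs toward a few hosts looks very different from a flood that
sprays many destinations.
"""
import re
from collections import defaultdict

# Hypothetical message format, constructed for this example. Real firewall
# syslogs differ; adjust the regex to the platform's actual text.
LINE_RE = re.compile(
    r"Duplicate TCP SYN from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) seq=(?P<seq>\d+)"
)

SAMPLE_LOG = "\n".join(
    # Constructed: an SCCM-like server (10.0.0.5) re-sending SYNs for the same
    # three flows with a new ISN each time.
    [f"Mar 20 13:40:0{i} fw01 %FW-4-DUPSYN: Duplicate TCP SYN from 10.0.0.5/5011{i % 3} "
     f"to 10.8.1.2{i % 3}/10123 seq={1000 * (i + 1)}" for i in range(6)]
    # Constructed: a second source touching forty destinations once each.
    + [f"Mar 20 13:41:00 fw01 %FW-4-DUPSYN: Duplicate TCP SYN from 192.0.2.77/{40000 + i} "
       f"to 10.8.2.{i}/443 seq={i * 7919}" for i in range(1, 41)]
)


def parse_events(log_text):
    """Return one dict per line that matches LINE_RE; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["seq"] = int(d["seq"])
            events.append(d)
    return events


def summarize(events):
    """Group events by source address.

    For each source: total events, set of destinations, number of distinct
    (src port, dst, dst port) flows, and how many of those flows were seen
    with more than one ISN (a handshake restarted with a new sequence number).
    """
    per_src = defaultdict(lambda: {"events": 0, "destinations": set(),
                                   "flows": defaultdict(set)})
    for e in events:
        s = per_src[e["src"]]
        s["events"] += 1
        s["destinations"].add(e["dst"])
        s["flows"][(e["sport"], e["dst"], e["dport"])].add(e["seq"])
    summary = {}
    for src, s in per_src.items():
        restarts = sum(1 for seqs in s["flows"].values() if len(seqs) > 1)
        summary[src] = {"events": s["events"], "destinations": s["destinations"],
                        "flows": len(s["flows"]), "isn_restarts": restarts}
    return summary


def classify(entry, max_destinations=20):
    """Heuristic (threshold is an assumption, tune per environment): a client
    restarting handshakes re-uses the same flow with a new ISN and talks to a
    bounded set of hosts; a flood spreads across many destinations and rarely
    repeats a flow with a different ISN."""
    if entry["isn_restarts"] > 0 and len(entry["destinations"]) <= max_destinations:
        return "handshake-restart"
    return "investigate-possible-flood"


if __name__ == "__main__":
    for src, entry in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: events={entry['events']} flows={entry['flows']} "
              f"dests={len(entry['destinations'])} isn_restarts={entry['isn_restarts']} "
              f"-> {classify(entry)}")
```

Run against the constructed sample, the SCCM-like source is reported as a handshake restart (six events, three flows, every flow seen with two ISNs) while the spraying source is flagged for investigation. On a real firewall the same per-source breakdown tells you whether the "SYN flood" is one misbehaving client worth tracing on the host side or traffic that the embryonic-connection limit should actually be throttling.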