Symptom
An ASA/FTD cluster may reuse the same randomized TCP initial sequence number (ISN) in the SYN packets of two different connections with the same 5-tuple, when the second connection is created within seconds of the teardown of the first.
The reuse is seen on the SYN packets as they egress the firewall, even though the same SYN packets carried different TCP sequence numbers when they were sent by the originating host.
As a result, the destination host that receives the two SYNs may reject the second one, and the second connection is not established. The situation clears once the source host retries with a different 5-tuple (for example, a new source port).
Conditions
The issue is specific to:
- ASA/FTD deployed in a cluster (standalone and HA/failover deployments are not affected)
- A connection with a particular 5-tuple being created within seconds of the teardown of another connection with the same 5-tuple
Workaround
The only available workaround is to selectively disable TCP sequence number randomization for the affected flows via the Modular Policy Framework (MPF):
https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/configuration/firewall/asa-916-firewall-config/conns-connlimits.html#ID-2068-000003ec
NOTE: As stated in the documentation above, when TCP sequence number randomization is disabled, any TCP connection matching this option triggers a director query whenever the connection flows asymmetrically through the cluster. This does not necessarily introduce any impact on the processing of the connection in question. Make sure the ACL matches the impacted flow(s) as specifically as possible, and apply the change during a maintenance window followed by acceptance testing.
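The following is an added example of the MPF workaround above, not configuration taken from this bug record or from the Cisco documentation. The hosts 10.1.1.10 and 192.0.2.20, port 443, and the object names are assumed placeholders; replace them with the actual impacted flow(s) so that the ACL stays as specific as possible. The captures at the end are the check a practitioner would run before and after the change: with randomization disabled, the sequence number of each SYN on the egress (outside) interface must match the one seen on the ingress (inside) interface, and no two SYNs for the same 5-tuple should carry the same ISN on egress. On FTD managed by FMC the same MPF commands are pushed through a FlexConfig object.

```cisco
! ---- Workaround: disable TCP sequence number randomization for one flow ----
! Assumed placeholders: 10.1.1.10 (client, inside) -> 192.0.2.20:443 (server, outside)
access-list NO-TCP-RANDOM extended permit tcp host 10.1.1.10 host 192.0.2.20 eq 443
!
class-map NO-TCP-RANDOM-CLASS
  match access-list NO-TCP-RANDOM
!
! Append the class to the existing global policy; do not replace the default inspection classes
policy-map global_policy
  class NO-TCP-RANDOM-CLASS
    set connection random-sequence-number disable
!
! The global service policy is normally already present on a default configuration
service-policy global_policy global
!
! ---- Verification ----
! Confirm the class is attached and is matching traffic (hit counters increase on test connections)
show service-policy
show access-list NO-TCP-RANDOM
!
! Captures on both sides of the firewall for the same flow; on the control unit they
! are replicated to every cluster member. Assumes no NAT on this flow, otherwise
! adjust the addresses in the outside-side match to the translated ones.
capture CAP-IN  interface inside  match tcp host 10.1.1.10 host 192.0.2.20 eq 443
capture CAP-OUT interface outside match tcp host 10.1.1.10 host 192.0.2.20 eq 443
!
! Compare the "S <seq>:<seq>(0)" field of each SYN on inside versus outside, on every unit
cluster exec show capture CAP-IN
cluster exec show capture CAP-OUT
!
! Clean up once acceptance testing is complete
no capture CAP-IN
no capture CAP-OUT
```

During acceptance testing, open two connections from the same source port in quick succession (for example, a client that reuses its ephemeral port right after closing) and confirm in CAP-OUT that the second SYN is answered with a SYN/ACK rather than being silently dropped or reset by the server.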
Further Problem Description