shall i collect all these unknow IP addresses and shun them all !? these IP addresses coming from outside to inside or trying to access my system some how if im right according to the massages on syslog !? if yes so how to shun them all from ASA FTD GUI ? shall i use flexconnect option ! can u share with me please how ?

outside:
received (in 1984295.120 secs):
231191595 packets 186672209093 bytes
1 pkts/sec 94001 bytes/sec
transmitted (in 1984295.120 secs):
144647652 packets 62228603626 bytes
1 pkts/sec 31001 bytes/sec
1 minute input rate 16 pkts/sec, 4230 bytes/sec
1 minute output rate 13 pkts/sec, 5582 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 13 pkts/sec, 3383 bytes/sec
5 minute output rate 11 pkts/sec, 4858 bytes/sec
5 minute drop rate, 0 pkts/sec

Also regarding the Duplicate TCP SYN massages forming from internet clients who are connecting to wifi office !! shall i shun them also ? and what is shun doing exactly ?

I know your issue is urgently but for me I need some time to check points ypu share' sorry for late reply.

Now' I real your reply and other comment

And I retrun to point that there is asymmetric or loop routing'

You mention that this direct connect L3SW and ISP' 

You need defualt route but I think you use pppoe to ISP abd you auto get defualt route' please confirm this point?

To make sure that this is not loop

Select any IP appear in log

Do packet-tracer 

And see the ingress and egress of packet is it same or not.

Waiting your reply 

Thanks 

MHM

simple lab and wrong routing generate LOOP 
as you can see same log you get.
so one Q
are you connect two port of FTD to same SW ? or is ISP have any connection to L3SW?

MHM

@Rob Ingram Thanks dear and i have 1st question , so these hundreds of massages coming to syslog i can ignore as all these connections denied already form outside to 192.168.1.73 (outside ASA i/f)?  and this is the part of accessing from internet or outside to my ASA using outside I/F ! so shall i ignore ?

2nd question is for %FTD Duplicate TCP SYN from inside to outside with different initial !!

This messages appears during working hours when users connected to WIFI office VLAN using the inside ASA port (it-client-ap)  and its disappearing when users leave office ! so i have just apply the below action using flexconnect but actually I'm not sure if this will do something or i have to remove ?

ASAFTD# show running-config all threat-detection
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection scanning-threat shun duration 1800
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

@amralrazzaz anything in the logs matching the syslog event id - 710003 are denied, so can be ignored.

In regard to the duplicate SYN, if you shun the traffic from the legitimate wireless users, that will block them from any communication through the Firewall. You'd be better investigating these devices and determine if it's a misbehaving client or a problem with the destination website (the logs indicate its the same destination IP).

@amralrazzaz, you need to figure out WHY 419002 messages are produced BEFORE trying to apply any commands like "set connection" and "threat-detection".

First, does 419002 always complain about 52.123.128.14 or it can contain other Internet IPs as well? (We understood that source IPs vary, but how about destination IPs)?

Second, "no routing configured" is not true. You should at least have a default route to the Internet, right? I believe your firewall runs in routed mode since you mentioned L2L VPN, right?

Third, 419002 messages are almost always produced when there is a routing loop in the network. When TCP segment goes through the firewall, the firewall randomizes its SEQ#. In case of a routing loop, if the same packet is again received by the firewall, it prints 419002 and drops the packet. You need to carefully examine your physical topology (L1) and logical topology (L2) and configuration (of the switch) and then collect captures on the firewall interfaces to find out why the firewall sees same packet few times. E.g. in the past such issues could be caused by Windows computers bridging between wireless and wired interfaces, although it's hard to believe that you're facing with this issue today.

106023 messages are produced when the packet is dropped by the interface ACL. Usually they're useless and hence it's typically recommended to add "log" option to ACL lines (to optimize and convert them to 106100) or "log disable" (to get rid of them completely). This should be possible in the GUI too.

711004 pertains to CPU utilization which can increase significantly if traffic rate is high (again, a loop?). You can increase logging level for them to 2 and pay attention to "show cpu detail".

HTH

@tvotna Dear i have configured the below and not sure if it will impact or not & also i HYG the CPU details on below:

Basic-rate-Threat-Detection :-
threat-detection basic-threat
threat-detection rate acl-drop rate-interval 1200 average-rate 250 burst-rate 550

Threat-Detection-statistics :-
threat-detection statistics host number-of-rate 2
threat-detection statistics tcp-intercept
threat-detection statistics tcp-intercept rate-interval 45 burst-rate 400 average-rate 100

Threat-Detection-Scanning-shun: :-
threat-detection scanning-threat
threat-detection rate scanning-threat rate-interval 1200 average-rate 250 burst-rate 550
threat-detection scanning-threat shun
threat-detection scanning-threat shun duration 1000

Embryonic-connections-limitation:-
class-map tcp_syn
match port tcp eq 80
match port tcp eq 443
match port tcp eq 23
match port tcp eq 22
match port tcp eq 21
policy-map global_policy
class tcp_syn
set connection conn-max 100
set connection embryonic-conn-max 200
set connection per-client-embryonic-max 10
set connection per-client-max 5
set connection random-sequence-number enable
set connection timeout embryonic 0:0:45
set connection timeout half-closed 0:25:0
set connection timeout tcp 2:0:0
service-policy global_policy global

ProtectingAgainst-IP-Spoofing-Attacks:-
ip verify reverse-path interface outside

> show cpu usage

CPU utilization for 5 seconds = 3%; 1 minute: 2%; 5 minutes: 1%
> show cpu core
Core 5 sec 1 min 5 min
Core 0 1.0% 1.0% 0.7%
Core 1 0.8% 0.7% 0.6%
> show cpu profile
No profiling data.
> show cpu detailed

Break down of per-core data path versus control point cpu usage:
Core 5 sec 1 min 5 min
Core 0 0.4 (0.4 + 0.0) 0.9 (0.7 + 0.1) 0.6 (0.5 + 0.0)
Core 1 0.4 (0.4 + 0.0) 0.8 (0.6 + 0.1) 0.7 (0.5 + 0.0)

Current control point elapsed versus the data and control point elapsed for:
5 seconds = 18.3%; 1 minute: 18.1%; 5 minutes: 18.1%

CPU utilization of external processes for:
5 seconds = 0.4%; 1 minute: 0.9%; 5 minutes: 0.5%

Total System CPU utilization for:
5 seconds = 1.0%; 1 minute: 1.9%; 5 minutes: 1.4%> show cpu usage > show cpu core> show cpu profile > show cpu detailed

New massages came to syslog after apply the above configuration and its users at office complain of no internet connection !

By default FTD / ASA running FTD software does not accept management connections to data interfaces.  Are you by chance managing the FTD via a data interface?

Dear its not by data interface its only by management interface ! but its not stable and the webserver GUI like 60% of the time is down and then coming up again! which means something like DDoS attack or hundreds of massages coming to syslog from outside as requests to access and denied for sure ! But im not sure if this is reason of down time the https GUI ! i can reach to ASA via putty SSH normally anytime but GUI no coz always not stable between up and down !!

One Note:

i think when i applied the below command the GUI connectivity back to stability but on other hands the users at office complain of no internet connection because its shunned all ip addresses which cause TCP SYN ACK issue !

Threat-Detection-Scanning-shun: :-
threat-detection scanning-threat
threat-detection rate scanning-threat rate-interval 1200 average-rate 250 burst-rate 550
threat-detection scanning-threat shun
threat-detection scanning-threat shun duration 1000

Then i removed it again to return back the internet connection to users !!