Application detection and duplicate TCP/SYN

Hi, Team!

I have a problem with suricata application detection, if there is one duplicate TCP/SYN in each flow (due to the network traffic span architecture reasons). Seems to be, suricata can’t legitimate this TCP flow, therefore, can’t decode application. Is there any workarounds? How can I achieve this?


Do you have an example pcap for that?
Which version are you running and how does your config look like?

Suricata version is 6.0.5
PCAP and settings files:
files.tgz (45.2 KB)