Can you please provide the following additional information? Describe the general setup, what interfaces you have, where those specific connections flow through (what interface does the first SYN arrive through, which interface is connected to the default gateway, what interface should it be routed to).
Try to reduce the ruleset to the minimum that reproduces the problem. What translation and filter rules are relevant to these connections? Quote any translation and filter rules that apply to these connections on any interface. When the first SYN arrives on the first interface, does the rule translate it, does the rule create state (pfctl -vvss output might help)? Do any other rules (matching on other interfaces) try to create state, too? Any other translations?

For the state insert failures you get from /var/log/messages with pfctl -xm, can you try to provide one example of a single connection, including tcpdump of the first SYN on all interfaces, any states that are related to that connection (pfctl -vvss) and the state failure message itself?

A state insert fails when there is another state entry with conflicting key (source/destination address/port), which can occur when translations and route-to mess up. I'll have to walk through the code manually to find out what is broken; what I need is all information related to one such connection (what interfaces packets flow through, what rules they match there, and which states they create).

Daniel
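The conflict Daniel describes (two state entries that share the same protocol and source/destination address:port key, typically one created by a translating rule and a second by a rule on the interface that route-to sends the packet out of) can be spotted in a `pfctl -vvss` dump before walking the code. The script below is an added example for this thread, not code from Daniel or from pf itself; the sample dump is constructed, and the line layout it parses (`<iface> <proto> <addr:port> [(<original addr:port>)] <-> <addr:port> <states>` followed by indented detail lines ending in `rule N`) is an assumption modelled on pfctl's state output, which differs between pf versions, so adjust the regular expression to your own `pfctl -vvss` output.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `pfctl -vvss` output (illustrative, not a
# real capture). The first two entries share the on-the-wire key
# tcp 203.0.113.10:50001 -> 198.51.100.5:80: one was created by a NAT rule
# (original address in parentheses), the other by a rule on a second interface.
SAMPLE = """\
em0 tcp 203.0.113.10:50001 (192.168.1.20:40001) -> 198.51.100.5:80       SYN_SENT:CLOSED
   [0 + 65535] wscale 0  [0 + 65535] wscale 0
   age 00:00:01, expires in 00:00:30, 1:0 pkts, 60:0 bytes, rule 3
em1 tcp 203.0.113.10:50001 -> 198.51.100.5:80       SYN_SENT:CLOSED
   [0 + 65535] wscale 0  [0 + 65535] wscale 0
   age 00:00:01, expires in 00:00:30, 1:0 pkts, 60:0 bytes, rule 7
em0 udp 192.168.1.30:5353 -> 224.0.0.251:5353       SINGLE:NO_TRAFFIC
   age 00:00:10, expires in 00:00:20, 4:0 pkts, 300:0 bytes, rule 2
"""

# Assumed shape of a state header line; detail lines are indented and skipped.
STATE_RE = re.compile(r'''
    ^(?P<iface>\S+)\s+(?P<proto>\S+)\s+
    (?P<a>\S+)(?:\s+\((?P<a_orig>[^)]+)\))?\s+
    (?P<dir><-|->|<->)\s+
    (?P<b>\S+)(?:\s+\((?P<b_orig>[^)]+)\))?\s+
    (?P<status>\S+)\s*$
''', re.VERBOSE)
RULE_RE = re.compile(r'\brule (?P<rule>\d+)')


def parse_states(text):
    """Return one dict per state entry, with the creating rule number if seen."""
    states = []
    cur = None
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            cur = m.groupdict()
            cur['rule'] = None
            states.append(cur)
        elif cur is not None:
            r = RULE_RE.search(line)
            if r:
                cur['rule'] = int(r.group('rule'))
    return states


def state_key(s):
    """The key pf compares on insert: protocol plus the translated (on-the-wire)
    address:port pair. '<-' lines list the peer on the right, so direction is
    normalised to (source, destination) before building the key."""
    if s['dir'] == '<-':
        src, dst = s['b'], s['a']
    else:
        src, dst = s['a'], s['b']
    return (s['proto'], src, dst)


def find_conflicts(states):
    """Group states by key; keys held by more than one entry would collide."""
    by_key = defaultdict(list)
    for s in states:
        by_key[state_key(s)].append(s)
    return {k: v for k, v in by_key.items() if len(v) > 1}


def report(text):
    """Human-readable summary: one line per conflicting key, listing the
    interface, rule and (if any) pre-translation address of each entry."""
    lines = []
    for (proto, src, dst), entries in sorted(find_conflicts(parse_states(text)).items()):
        lines.append(f"conflicting key {proto} {src} -> {dst}:")
        for s in entries:
            orig = f" (translated from {s['a_orig'] or s['b_orig']})" if (s['a_orig'] or s['b_orig']) else ""
            lines.append(f"  {s['iface']} rule {s['rule']}{orig}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no conflicting state keys")
```

Run it against a saved dump with `python3 pfstates.py < /dev/null` after replacing `SAMPLE` with `sys.stdin.read()`; each reported key names the rules that created the colliding entries, which is exactly the pairing (rule on the first interface, rule on the route-to interface) worth quoting alongside the tcpdump of the first SYN.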
