Routing usually comes to mind with this sort of error.

Both dropped and allowed traffic coming from same interface. 

I checked them, it uses same interface.

Check the routing table of the affected server. There will be the problem.

In my case, it causes encoders not responding to PMS requests cutting room keys. 

In this case please check the routing and the interface of the accepted and droppet packet. Itt might help

Will the request work after some time or they never work? Or it works first few minutes and then stops working after an hour or so? 

> Or it works first few minutes and then stops working after an hour or so? 

Or, does it work "right away', then, if no new traffic is passing, does it work after 1 hour?

"Such things"  might happen in, for example, the following cases:

- Asymmetrical routing, when the "reply" packet follows a different path then the "query" one. In this case the connection can not be established.
- New packets after TCP timeout. If there are no packets for 1 hour, the firewall removes the entry from the connection table. If any of the communicating side decides to send more packets, the firewall will drop them with an error "First Packet out of syn".

This can be solved in several ways:
- Just ignore it, if no issues noticed
- Increase the timeout for the service (SmartDashboard)
- Globally increase the TCP timeout for all TCP connections on the firewalls (SmartDashboard)
- Set the TCP heartbeat/keepalives to less than 3600 seconds on the communicating parties (Kernel)
- Configure the firewall to send RST to the parties, when the TCP timeout occurs (Kernel)

Which method to choose - depends on the application, for example, if it can recover from either connection reset or connection timeout.

After server reboot, I have seen multiple packets allowed to pass, then after sometimes (hours), the FW starts dropping packets again. 

Here we go. Exactly what I said above.