How frequent is the keepalive? The default timeout for a connection with no traffic is one hour, so if the keepalive interval is longer than that, yes, you will see this behavior.
More generally, "First packet isn't SYN" drops for packets with only the ACK flag set are almost always one of two things:
- Really primitive firewalls (e.g., PIX) are sometimes set up to just allow any packet with ACK set with the expectation the endpoints will handle verifying TCP state. It could conceivably be an attack or scan trying to bypass such a firewall.
- The traffic could be a legitimate reply to a connection which was valid at one time, but which has been removed from the connections table.
The second case is pretty easy to prove, and it turns the question into "Why was this connection removed from the connections table?", which is easy to answer. Connections are removed from the table in three ways:
- When manually deleted (e.g., 'fw tab -t connections -x')
- When the endpoints close it (either via RST or FIN)
- After the connection's timeout (this can be the default timeout for the protocol, it can be set per-service-object, and it can be adjusted by Aggressive Aging if the firewall is under load)
So one of those three things is happening. A long-running packet capture filtered for those endpoints should tell you which one.
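Added example, not from the original answer: a small Python replay of a capture's packet list through a simplified connection table, which flags each ACK-only packet that arrives with no entry and says whether the entry was removed by FIN/RST, by idle timeout, or never existed. A manual 'fw tab' deletion leaves no trace in a capture, so a drop the firewall logged but the replay does not reproduce points at that (or at a different timeout value than the one assumed). The packet records, addresses and the one-hour timeout are constructed assumptions.

```python
from collections import namedtuple
# Constructed packet record: (time in s, src, sport, dst, dport, TCP flags).
# Flags use the usual letters: S=SYN, A=ACK, F=FIN, R=RST.
Pkt = namedtuple("Pkt", "t src sport dst dport flags")

def _key(p):
    # Direction-independent key so replies match the original entry.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def classify_drops(packets, timeout=3600):
    """Replay packets through a simplified connection table and explain each
    ACK-only packet with no entry ("First packet isn't SYN"). Simplification:
    FIN or RST removes the entry immediately; idle timeout defaults to 1h."""
    table, removed, drops = {}, {}, []
    for p in sorted(packets, key=lambda x: x.t):
        k = _key(p)
        if "S" in p.flags and "A" not in p.flags:
            table[k] = p.t                     # SYN creates the entry
            removed.pop(k, None)
            continue
        if k in table and p.t - table[k] > timeout:
            removed[k] = ("timeout", table[k] + timeout)  # when it expired
            del table[k]
        if k in table:
            table[k] = p.t                     # refresh idle timer
            if "R" in p.flags or "F" in p.flags:
                removed[k] = ("RST" if "R" in p.flags else "FIN", p.t)
                del table[k]
            continue
        if p.flags == "A":                     # ACK-only with no entry
            if k in removed:
                how, when = removed[k]
                reason = f"entry removed by {how} {p.t - when:.0f}s earlier"
            else:
                reason = "no prior connection seen (possible ACK scan)"
            drops.append((p, reason))
    return drops

# Constructed sample: session closed by FIN, session idle past timeout, bare ACK.
SAMPLE = [
    Pkt(0, "10.0.0.5", 40000, "192.0.2.10", 443, "S"),
    Pkt(1, "192.0.2.10", 443, "10.0.0.5", 40000, "SA"),
    Pkt(30, "10.0.0.5", 40000, "192.0.2.10", 443, "FA"),
    Pkt(31, "192.0.2.10", 443, "10.0.0.5", 40000, "A"),
    Pkt(100, "10.0.0.6", 40001, "192.0.2.10", 443, "S"),
    Pkt(101, "192.0.2.10", 443, "10.0.0.6", 40001, "SA"),
    Pkt(4000, "10.0.0.6", 40001, "192.0.2.10", 443, "A"),
    Pkt(5000, "198.51.100.7", 55555, "10.0.0.9", 22, "A"),
]
```

Running `classify_drops(SAMPLE)` yields three hits: a late ACK 1s after the FIN, a keepalive ACK 299s after the entry expired, and a bare ACK with no handshake.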