What causes mismatching states in connections?

senseivita

I'm trying to fix my email. I reinstalled a firewall but since then I'm unable to make it work again.

In pfTop I get mismatched SYN_SENT:ESTABLISHED/ESTABLISHED:SYN_SENT states, unless I log in to the remote firewall, from where I can use telnet to test successfully. The only difference is that the connection instead of being natted, originates right at the other end of the tunnels. Speaking of tunnels, plural; this is an ECMP link/route between the firewalls (FRR/OSPF), thus I thought it could be routing but I ruled out everything already. I even scavenged the live config file for lingering conflicting settings from the protocol switching (directly addressable WireGuard interfaces keep around that data even though they no longer show it when flipped to OpenVPN or another thing)

I moved then to MTU/MSS, but I already found the perfect value for each of the overheads OpenVPN, GRE6 over GIF, and WireGuard has, played with them at the interface-, protocol-, and system level (System/Advanced/Firewall & NAT), so either I haven't actually found the value(s) or that ain't it.

Any ideas what could it be?
Thanks.