2.27 cu 164 Testing release - Hostile & CTInvalid logging

Hi,

yes, we have long suspected conntrack may drop some packets it should not have dropped in the first place, but there was never any proof for that.

Thanks to the logging being enabled, we can now investigate these - apparently, a decent amount of them are FIN-ACKs sent very late by the peer (especially observed in conjunction with Cloudflare and Akamai - perhaps they run their own customised network stack?). Having these logged is ugly, but not a thing to worry about.

At the moment, I would really like to release Core Update 164 with this logging enabled. We should get deeper into this issue, presuming it actually is an issue.

Thanks, and best regards,
Peter Müller
