[willmac]

Do you mean "first packet isn't SYN"?
This normally means that the firewall is doing it's job - the fiirewall is expecting a syn and getiing an ack.
There maybe some timeout issues on the application passing through - or keepalives not working.
Or there may be some asynchronous routing issue where the packet is coming in through a different path and you are seeing only the ack back.

Has this ever been working?
If so then it is most likely due to an application/server change or a routing change.

The firewall should be fine and I would go so far as to say doing anything on the firewall to permit out of state traffic is a bad idea and hides other issues.