[jrdld]

You can get packet out of state if the system trying to open a connection doesn't get any reply to its initial SYN packet. FW-1 expects to see a SYN-ACK coming back from the destination before the source sends another SYN.

This implies that the packets are not getting back to the firewall from the destination. Maybe it's a routing problem on the destination host or an intervening gateway, or maybe the destination is not listening on port 135 (epmap).

JR