From: Jerome Barotin <jbn@s4e.fr>
To: netfilter@vger.kernel.org
Subject: How to understand causes of invalid state for an OUPUT SYNACK packet
Date: Fri, 21 Jan 2022 12:23:32 +0100
Message-ID: <20220121122332.1501d9ba@glazard>

Hello,

I've got a specific device (an industrial computer) whose TCP
connections are always blocked by netfilter when it tries to
connect to my server.

To be exact, the SYN packet is forwarded to my local process, but the
SYN-ACK answer is always tagged as invalid by the conntrack
module.

I noticed this behaviour in the following line in kern.log:

Jan 14 11:26:15 myhostname kernel: [260283.271861] nf_ct_proto_6:
invalid packet ignored in state SYN_RECV  IN= OUT= SRC=10.1.1.4
DST=10.1.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=21
DPT=64004 SEQ=1624381780 ACK=2190670817 WINDOW=64240 RES=0x00 ACK SYN
URGP=0 OPT (020405B40101040201030307) 

The corresponding pcap file can be found here:
https://filebin.net/yazmmekhrdiu4dh8/capture_not_work_ano.pcap

Also, I do not understand how this connection could be in the SYN_RECV
conntrack state. This state means that a SYN-ACK packet has already been
received, and I'm sure that no such packet has already been submitted.

I also checked with conntrack -L that there are no phantom states
before trying to establish a connection with the client.

It happens for a specific client, on each of its connections;
otherwise the traffic is working very well on the
machine for all the other clients. I tried different Linux
distributions (kernel version 5.13.0-20-generic or 5.4.0-96-generic), and
my packet is always tagged as invalid.

Am I missing something? Does anybody have an idea to help me understand
(and fix) this case?

Jérôme
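
An added example, not part of the original message: a small parser for the conntrack "invalid packet" log line quoted above, which also decodes the TCP options carried in the `OPT (...)` hex dump. `SAMPLE` is the quoted kern.log entry re-joined onto one line; the function names are hypothetical.

```python
import re

# Constructed from the kern.log line quoted in the message (wrapped lines re-joined).
SAMPLE = ("Jan 14 11:26:15 myhostname kernel: [260283.271861] nf_ct_proto_6: "
          "invalid packet ignored in state SYN_RECV  IN= OUT= SRC=10.1.1.4 "
          "DST=10.1.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=21 "
          "DPT=64004 SEQ=1624381780 ACK=2190670817 WINDOW=64240 RES=0x00 ACK SYN "
          "URGP=0 OPT (020405B40101040201030307)")

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
OPTION_NAMES = {2: "MSS", 3: "WSCALE", 4: "SACK_PERM", 5: "SACK", 8: "TIMESTAMP"}

def decode_tcp_options(hex_blob):
    """Walk the TCP option TLVs (kind, length, value) from the OPT (...) hex dump."""
    data, i, out = bytes.fromhex(hex_blob), 0, []
    while i < len(data):
        kind = data[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding has no length byte
            i += 1
            continue
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"malformed TCP option at offset {i}")
        length = data[i + 1]
        value = int.from_bytes(data[i + 2:i + length], "big") if length > 2 else None
        out.append((OPTION_NAMES.get(kind, f"kind{kind}"), value))
        i += length
    return out

def parse_conntrack_log(line):
    """Split a conntrack 'invalid packet' log line into reason, fields, flags, options."""
    m = re.search(r"nf_ct_proto_\d+:\s*(.*?)\s+IN=", line)
    rec = {"reason": m.group(1) if m else None}
    rec["fields"] = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))   # KEY=value pairs
    rec["flags"] = sorted(TCP_FLAGS.intersection(line.split()))   # bare flag tokens
    opt = re.search(r"OPT \(([0-9A-Fa-f]+)\)", line)
    rec["options"] = decode_tcp_options(opt.group(1)) if opt else []
    return rec

if __name__ == "__main__":
    for key, val in parse_conntrack_log(SAMPLE).items():
        print(key, val)
```

For this entry the options decode to MSS 1460, SACK permitted and window scale 7, and the empty `IN=`/`OUT=` fields are preserved as empty strings.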
