see attachment.

It looks as if the connection tracking forgets a connection on the first FIN
and then all following packets are considered invalid?

Notice hos this applies to ACK,FIN from internal to websites outside..

Is this normal? I don't think so, as a FIN can be unilateral,
ie one side can close the connection (telling the other side:
No more data from me) but still be prepared to receive more
traffic from the other side. so tearing down the connection
just because one FIN was seen is bad, no?