In NSX-T the Tier-1 Gateway Firewall drops packets when default allow any any is configured for that traffic

Article ID: 318309


Products

VMware NSX

Issue/Introduction

  • Packets are dropped intermittently by the Gateway Firewall on the Tier-1. The affected flows are identical (same source and destination).
  • When the command get firewall <interface UUID> interface stats is run a few seconds apart, the drop counters increase and flow cache misses are reported.
  • Traceflow indicates that the Tier-1 Gateway Firewall drops the packet at the Tier-1 uplink while matching the default rule Allow Any-Any.

Environment

VMware NSX-T Datacenter

VMware NSX-T Datacenter 3.x

Cause

Some Firewall/NAT sessions remain in the session table after their session timer has expired and become zombie sessions.

  1. If a new flow arrives with the same 5-tuple (source/destination IP, source/destination port, protocol) as a zombie session, the edge firewall/NAT logic drops the packet.
  2. In the fixed versions of NSX-T, the code prevents the creation of Firewall/NAT zombie sessions and adds a CLI enhancement for debugging the issue.

Resolution

The resolution for this issue is to upgrade the environment to NSX-T 3.1.3 or later.

Workaround:
As a workaround, add a stateless firewall rule above the existing rule. A stateless rule does not maintain any connection state and therefore cannot run into the failed-expected-state problem.
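The cause and the workaround can be illustrated with a small model of a stateful session table. This is an added example written for this article; it is not VMware code and does not reproduce the real NSX-T datapath. The class and rule names are hypothetical, the 5-tuple and timeout values are constructed, and the leak flag simply stands in for whatever keeps an expired entry from being evicted. The model shows why a reused 5-tuple hits a zombie entry and is dropped by the stateful default rule, and why a stateless rule placed above it is unaffected.

```python
"""Toy model of a stateful gateway firewall session table (constructed example,
not VMware code): an entry whose timer has expired but which was never evicted
is a 'zombie'. A new flow with the same 5-tuple then hits that stale entry and
fails the expected-state check, while a stateless rule evaluated first never
consults the session table and lets the flow through."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (src_ip, dst_ip, src_port, dst_port, proto)
FiveTuple = Tuple[str, str, int, int, str]


@dataclass
class Session:
    key: FiveTuple
    expires_at: float
    tcp_state: str = "ESTABLISHED"


@dataclass
class Rule:
    name: str
    action: str      # "ALLOW" or "DROP"
    stateful: bool   # False models the workaround rule from the article


@dataclass
class GatewayFirewall:
    rules: List[Rule]            # evaluated top to bottom, all match any/any
    timeout: float = 30.0        # hypothetical session timer, in seconds
    sessions: Dict[FiveTuple, Session] = field(default_factory=dict)
    drops: int = 0

    def expire(self, now: float, leak: bool = False) -> None:
        """Timer cleanup. With leak=True the timer has fired but the entry is
        not removed, which is the zombie condition the article describes."""
        if leak:
            return
        for key in [k for k, s in self.sessions.items() if s.expires_at <= now]:
            del self.sessions[key]

    def handle(self, pkt: FiveTuple, flags: str, now: float) -> str:
        for rule in self.rules:
            if not rule.stateful:
                # Stateless rule: verdict comes from the rule alone, no lookup.
                return rule.action
            if rule.action != "ALLOW":
                self.drops += 1
                return "DROP"
            sess = self.sessions.get(pkt)
            if sess is None:
                if "S" not in flags:          # mid-stream packet, no session
                    self.drops += 1
                    return "DROP"
                self.sessions[pkt] = Session(pkt, now + self.timeout)
                return "ALLOW"
            # A fresh SYN that matches an entry still marked ESTABLISHED
            # violates the expected TCP state, so the stateful check drops it.
            if "S" in flags and sess.tcp_state == "ESTABLISHED":
                self.drops += 1
                return "DROP"
            sess.expires_at = now + self.timeout
            return "ALLOW"
        self.drops += 1
        return "DROP"


def demo(stateless_workaround: bool, leak: bool) -> dict:
    """Run one connection, let its timer expire (leaking the entry or not),
    then reuse the same 5-tuple. Returns both verdicts and the counters."""
    rules: List[Rule] = []
    if stateless_workaround:
        rules.append(Rule("workaround-stateless", "ALLOW", stateful=False))
    rules.append(Rule("default-allow-any-any", "ALLOW", stateful=True))
    fw = GatewayFirewall(rules)
    flow: FiveTuple = ("10.0.1.10", "10.0.2.20", 40000, 443, "tcp")  # constructed

    first = fw.handle(flow, "S", now=0.0)   # new connection, session created
    fw.expire(now=60.0, leak=leak)          # timer fired; entry leaks if leak=True
    retry = fw.handle(flow, "S", now=61.0)  # client reuses the same source port
    return {"first": first, "retry": retry, "drops": fw.drops,
            "sessions": len(fw.sessions)}


if __name__ == "__main__":
    print("bug, no workaround :", demo(stateless_workaround=False, leak=True))
    print("bug, with workaround:", demo(stateless_workaround=True, leak=True))
    print("healthy cleanup     :", demo(stateless_workaround=False, leak=False))
```

Run as-is to see the three cases side by side: with the leaked entry and only the stateful default rule the retry is dropped and the drop counter increments, which matches the intermittent drops and rising counters described under Issue/Introduction; with the stateless rule on top the retry passes; with normal cleanup the retry passes even without the workaround.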

Additional Information

Impact/Risks:
The environment may experience an outage or slowness because traffic between the tenants is dropped.