Hi,
just to resolve this thread, we found the reason for the problem. It
occurs when we try sending out packets to a customer which look
identical to netfilter at roughly the same time. Those could be, for
example, forked calls to two extensions registered on the same device
(a FRITZ Box for example). Then netfilter tries to insert the same
packet into its conntrack table twice, causing a collision, leading to
a rejection of one of the packets.
We played around with different kernels, without success. The errors
kept on coming as long as the nf_conntrack module was loaded, even if
there was no iptables rule using it.
The only solution right now seems to be a stateless firewall and
unloading the module.
Best Regards,
Sebastian
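
One way to check for the collision described in the message above, as an added example that is not part of the original post: the kernel counts failed conntrack table inserts in the `insert_failed` column of `/proc/net/stat/nf_conntrack`, so a rising value between two snapshots points at this problem. The sample snapshots and the helper names (`_row`, `parse_stats`, `collision_delta`) are constructed for illustration.

```python
"""Added example: measure conntrack insert collisions between two snapshots."""
from pathlib import Path

STAT_PATH = Path("/proc/net/stat/nf_conntrack")  # exists only while nf_conntrack is loaded

HEADER = ("entries searched found new invalid ignore delete delete_list insert "
          "insert_failed drop early_drop icmp_error expect_new expect_create "
          "expect_delete search_restart")

def _row(**vals):
    """Build one constructed per-CPU line: 8-digit hex fields, unspecified ones zero."""
    return " ".join(f"{vals.get(name, 0):08x}" for name in HEADER.split())

# Constructed snapshots for a 2-CPU host, not real captures.
SAMPLE_BEFORE = "\n".join([HEADER, _row(entries=42, insert_failed=1, drop=1),
                           _row(entries=42)])
SAMPLE_AFTER = "\n".join([HEADER, _row(entries=44, insert_failed=9, drop=9),
                          _row(entries=44, insert_failed=16, drop=16)])

def parse_stats(text):
    """Sum the per-CPU hex counters, looking columns up by header name."""
    lines = [line.split() for line in text.splitlines() if line.strip()]
    if len(lines) < 2:
        raise ValueError("expected a header line and at least one per-CPU row")
    names, rows = lines[0], lines[1:]
    totals = dict.fromkeys(names, 0)
    for row in rows:
        if len(row) != len(names):
            raise ValueError(f"expected {len(names)} fields, got {len(row)}")
        for name, field in zip(names, row):
            totals[name] += int(field, 16)
    if "entries" in names:
        # 'entries' is the global table size repeated on every row, so do not sum it.
        totals["entries"] = int(rows[0][names.index("entries")], 16)
    return totals

def collision_delta(before, after):
    """Return how much insert_failed and drop grew between two snapshots."""
    old, new = parse_stats(before), parse_stats(after)
    return {key: new[key] - old[key] for key in ("insert_failed", "drop")}

if __name__ == "__main__":
    if STAT_PATH.exists():
        live = parse_stats(STAT_PATH.read_text())
        print({key: live[key] for key in ("entries", "insert_failed", "drop")})
    else:
        print(collision_delta(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Taking one snapshot before and one after a forked call to the affected device isolates the inserts that failed during that call.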