Connections are dropped as Out-of-State after some idle time when SecureXL is enabled
Session Timeout for a service is set to a value greater than the maximal SecureXL timeout of 43200 seconds, and the connection was processed by SecureXL based on Template with PSL.
After period of PSL expiration, the PSL data is deleted because the connection was not notified to the Firewall.
Therefore, the next packet for this connection will be Forwarded to Kernel (F2F). Since no PSL data exists, the Firewall will drop this connection as Out-of-State because no notification was received for it.