"First packet isn't SYN, TCP flags : FIN-ACK" drop log for RSH (remote shell) traffic sent from a Server
The Control connection is between Client to Server.
The Data connection, however, is created from Server to Client - i.e., in the opposite direction to the Control connection.
Since this is supported, Security Gateway should handle the Data connection in the "reverse" way.
SecureXL mismatches the direction that have been reversed in the Data connection.
Therefore, the reverse Data connection can not be found in the Connections table.
As a result, this reverse Data connection is treated a new TCP connection, which by design can not contain [FIN,ACK] flags.
This connection is dropped.