This is a discussion on ipfilter keep state problem within the IPFilter forums, part of the System Security and Security Related category.
Hi,
I am having a problem with the keep state rule with ipfilter 4.1.13. The problem is on AIX 5.3. I get this when trying to ssh:

    ssh: connect to host <servername> port 22: The file access permissions do not allow the specified action.

The outputs of:

    # ipmon
    01/01/1970 13:00:00.000000 en0 @0:2 b 9.184.115.230,44239 -> 9.124.101.217,22 PR tcp len 20 44 -S K-S OUT

    # ipfstat -nio
    @1 pass out all
    @2 pass out log proto tcp from any to any port = ssh flags S/FSRPAU keep state
    @1 pass in all

    # ipf -T list | grep fr_statemax
    fr_statemax min 0x1 max 0x7fffffff current 200 (0)
    root @ aixtcp02: 5.3.0.0: /

The problem is I get this error every time I call ssh to <servername>. Found that the state table is filled up. And I get the same error for quite some time, probably for 1 hr. But should it get cleared automatically, when states with dying connections can be freed and new states set up? I saw this can happen when "fr_slowtimer" calls "fr_timeoutstate" and it calls "fr_state_flush". But I never seem to hit fr_slowtimer.

1. Is it a known problem and if it is, is there a fix for it? Actually I took what I understand to be a fix from 4.1.15 but that did not work out, so not sure if there is a fix for my problem.
2. Is there any automatic flushing of dead or dying connections, which we can add in fr_addstate() when the states are filled up? I see fr_state_doflush is set, but for it to work fr_timeoutstate needs to be called, but it never is, at least in AIX. Is it default behaviour in other implementations?
3. In such a case, when states have been filled up, is there any packet loss before some flushing happens on other implementations?

Manish
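As an added illustration (not IPFilter's code, and not a fix for the problem above), here is a small Python model of the situation the post describes: a state table capped at 200 entries like fr_statemax, a slow-timer reap that may or may not run, and an optional flush-on-full in add_state of the kind question 2 asks about. All class and function names are hypothetical; the simulation shows that with no timer the table fills after 200 SSH connections and every later one is refused, while either the periodic reap or a flush on full keeps it serviceable.

```python
# Hypothetical, simplified model of a stateful firewall's state table (added
# illustration, not IPFilter's code). Each state carries an expiry tick and is
# normally reaped by a periodic slow-timer pass; when that timer never runs,
# the table fills up and every new SYN is refused.

class StateTable:
    def __init__(self, statemax, flush_on_full=False):
        self.statemax = statemax          # like fr_statemax (200 in the post)
        self.flush_on_full = flush_on_full
        self.entries = {}                 # (src, sport, dst, dport) -> expiry tick
        self.drops = 0

    def timeout_pass(self, now):
        """Periodic reap of expired states (the slow-timer -> timeoutstate path)."""
        dead = [k for k, exp in self.entries.items() if exp <= now]
        for k in dead:
            del self.entries[k]
        return len(dead)

    def add_state(self, key, now, ttl):
        """Add a state for a new SYN. When the table is full, refuse it, unless
        flush_on_full first reaps expired entries (what question 2 asks about)."""
        if key in self.entries:
            self.entries[key] = now + ttl
            return True
        if len(self.entries) >= self.statemax:
            if not self.flush_on_full or self.timeout_pass(now) == 0:
                self.drops += 1
                return False
        self.entries[key] = now + ttl
        return True

def simulate(statemax, timer_runs, flush_on_full, conns=300, ttl=60):
    """Open `conns` SSH connections one tick apart; returns (accepted, dropped)."""
    table = StateTable(statemax, flush_on_full)
    accepted = 0
    for tick in range(conns):
        if timer_runs and tick % 10 == 0:   # the slow timer, if it fires at all
            table.timeout_pass(tick)
        key = ("9.184.115.230", 40000 + tick, "9.124.101.217", 22)
        if table.add_state(key, tick, ttl):
            accepted += 1
    return accepted, table.drops

if __name__ == "__main__":
    print("no timer, no flush:  ", simulate(200, False, False))  # (200, 100)
    print("timer runs:          ", simulate(200, True, False))   # (300, 0)
    print("no timer, flush-full:", simulate(200, False, True))   # (300, 0)
```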