You have multiple SRX devices in an OSPF domain where link costs are causing asymmetric routing.
SRX is a stateful firewall, which means that it allows only traffic that matches an existing session. The firewall therefore needs to see both directions of a flow (client-to-server and server-to-client); otherwise these checks will block legitimate packets. In the scenario below, the returning traffic takes another path because OSPF prefers the lower-cost link. When the other SRX device sees that returning traffic, it looks for an existing session, finds none, and drops the packets.
Disable the TCP SYN-bit check and the TCP sequence-number check that are performed before a session is created. The following commands disable both features globally.
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
After the above commands are deployed, the SRX device creates a session from the first packet it sees even when that packet is not a SYN (for example the return traffic of a flow whose SYN it never saw), so it behaves more like a traditional router: traffic permitted by the security policy is forwarded without being dropped for lack of an existing session.
SRX is a stateful firewall and allows traffic that matches an existing session. Sessions are created when a TCP SYN packet is received and permitted by the security policy. This means that the firewall needs to see both directions of a flow (client-to-server and server-to-client); otherwise these checks block legitimate packets.
When Junos OS with SYN flag checking enabled receives a non-SYN TCP segment that does not belong to an existing session, it drops the packet.
Disable checking of the TCP SYN bit before creating a session. By default, the device checks that the SYN bit is set in the first packet of a session. If the bit is not set, the device drops the packet.
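The following is an added example, not part of the original article or of Junos OS: a toy model of the SRX first-packet check that replays the asymmetric-routing scenario above (SYN crosses SRX-A, the SYN-ACK returns via SRX-B) once with the default SYN check and once with no-syn-check. Device names, addresses and ports are constructed; security-policy evaluation is assumed to permit the flow.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"

@dataclass
class SRX:
    """Toy flow module: a session table plus the first-packet SYN check."""
    name: str
    syn_check: bool = True                       # default; False models no-syn-check
    sessions: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def key(seg):
        # A session matches both directions, so order the two endpoints.
        a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
        return (a, b) if a <= b else (b, a)

    def forward(self, seg) -> bool:
        k = self.key(seg)
        if k in self.sessions:
            return True                          # existing session: forward
        # First packet of a flow (policy lookup omitted; assume permit).
        if self.syn_check and seg.flags != "SYN":
            self.log.append(f"{self.name}: drop {seg.flags} "
                            f"{seg.src}:{seg.sport}->{seg.dst}:{seg.dport} (no session)")
            return False
        self.sessions.add(k)                     # create the session
        return True

def asymmetric_handshake(syn_check: bool):
    """Client->server packets cross SRX-A; the server's replies return via SRX-B."""
    srx_a, srx_b = SRX("SRX-A", syn_check), SRX("SRX-B", syn_check)
    c, s = ("10.1.1.10", 51000), ("192.0.2.80", 443)   # constructed addresses
    syn = Segment(*c, *s, "SYN")
    synack = Segment(*s, *c, "SYN-ACK")
    ack = Segment(*c, *s, "ACK")
    forwarded = [srx_a.forward(syn), srx_b.forward(synack), srx_a.forward(ack)]
    return all(forwarded), srx_b.log

if __name__ == "__main__":
    for mode in (True, False):
        ok, drops = asymmetric_handshake(mode)
        print(f"syn-check={'on' if mode else 'off'}: handshake completes={ok}; {drops}")
```

With the check on, SRX-B drops the SYN-ACK and the handshake never completes; with the check off, SRX-B creates a session from the SYN-ACK and the flow passes, which is the behaviour the two set commands above produce on the device.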