Hopefully someone has a comment or two on this. We've been battling this issue on and off for some years. Mostly when we experience the problem we migrate all running sites on the server to a new server running debian8 and ispconfig 3.1 and that resolves it, however occasionally such a migration is not easy. The issue is: Centos7 with standard perfect server ispconfig 3.0x (am assuming 3.1 has the same issue but have no way to easily verify since we are moving everything to debian) appears to have a strange issue with blocking connections through I am guessing the netfilter function of the kernel even if all firewalls appear to be disabled. This is not dependent upon iptables, firewalld, bastille or any other firewall function we have been able to find. Problem still occurs with no firewall record configured in ispconfig. The problem is only manifested when an external firewall or proxy is used in front of the server (for web traffic) when that external firewall/proxy is not on the LAN. If the firewall/proxy is on the local subnet there is no problem. We assume this is because the local subnet by default on Centos7 is whitelisted or in some sort of default trusted zone. Essentially what appears to occur is over time connections are blocked for one reason or another from the proxy/firewall directly on the server. We've had some sites experience DDOS attacks and encountered this issue when using an external web application firewall to alleviate. We've confirmed firewalld, iptables, bastille etc are all not running when this happens however we have confirmed it is a real issue. Stopping fail2ban also appears to have no effect. Interestingly we rarely saw this on Centos6 but stopping all firewall services would seem to alleviate the problem, but on Centos7 there is no effect. Our latest idea was to configure firewalld and set up permanent allow IPs (whitelisted IPs) to see if this fixes the problem. Wondering if anyone has ever experienced this or has any comments. Primarily we'd like to verify the source of the problem and how to alleviate it without having to add a local firewall/proxy in front of each server or being forced to migrate the server to resolve. Any input appreciated.