If you are seeing DROP log entries with a rule of LogStateViolations, concerning a connection in SYN_SENT state, and the dropped packet is TCP with the ACK flag set, you can be fairly certain that you are witnessing the result of the RST cookie protection scheme.
AN RST Cookie is a weak form of SYN flood protection that works by eliciting a bogus TCP ACK in response to a TCP SYN and expecting a TCP RST back. In theory, this should prevent people from lying about their source IP address since the attacker would have to see the bogus ACK packet in order to be able to reply to it.