On a busy webserver, you have to be very careful that you don’t run out of connection tracking buckets.
Check how many you have set as your max:
Check how many you’re using:
wc -l /proc/net/ip_conntrack
A good maximum setting for most web servers with at least 2Gb RAM is 65536. Change the setting and lock it in (Redhat variants):
echo "net.ipv4.ip_conntrack_max = 65535" >> /etc/sysctl.conf