@TerryBurton That's a very valid point (hence you got my upvote), but another way is to implement the SYN proxy in the stateful firewall itself. Then you need no separate SYN proxy middlebox, as the firewall itself has the SYN proxy.

Related: paulroberts69.wordpress.com/2011/10/27/… and tools.ietf.org/html/draft-ietf-dhc-failover-12 -- it seems it's not an RFC but rather an Internet draft.

No, I haven't tried it yet. Not sure if production network is the proper location for such a trial... On a trial network, such as Linux containers / network namespaces, it could be tried with little difficulty. Perhaps I'll do that.