Bug #7422

closed

tcp: GAP event set on unack'd data following a RST

Added by Victor Julien 4 months ago. Updated 14 days ago.

Status: Closed
Priority: Normal

Description

What is happening is the following:
1. a normal tcp session
2. a RST+ACK comes in - the reset packet is accepted. Instead of using the ACK value from this packet, Suricata auto-ACKs all data
3. a few more packets come in as the flow times out, these are not accepted as the session is now CLOSED (due to (2))
4. the flow timeout triggers, and it sees that there is unprocessed data
5. the unprocessed data contains gaps. This is normal, as it was in-window, but not yet ACK'd
6. the GAP event is raised and the counter is incremented

The behavior of a valid RST making all data inspectable in Suricata is long standing, although sadly not explained:
https://github.com/OISF/suricata/commit/1578ef1e3e8a24d0cc615430c4e6bec1fefdad28
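
A simplified model of the sequence described above, added here as an illustration; it is not Suricata's code. The struct, the policy names and the sequence numbers are constructed, and `RST_USE_PKT_ACK` is included only for contrast with the auto-ACK behavior.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of one TCP direction (constructed; no sequence wrap handling). */
struct seg { uint32_t seq, len; };            /* list is sorted by seq */
struct stream {
    uint32_t base;      /* first byte not yet inspected */
    uint32_t last_ack;  /* highest ACK accepted for this direction */
    uint32_t next_seq;  /* end of the highest in-window segment seen */
    const struct seg *segs; size_t nsegs;
};
enum rst_policy { RST_USE_PKT_ACK, RST_AUTO_ACK_ALL };  /* hypothetical names */

/* Step 2: an accepted RST+ACK; pkt_ack is the ACK value it carries. */
static void handle_rst(struct stream *s, uint32_t pkt_ack, enum rst_policy p)
{
    if (p == RST_AUTO_ACK_ALL) s->last_ack = s->next_seq;  /* all seen data */
    else if (pkt_ack > s->last_ack) s->last_ack = pkt_ack;
}

/* Steps 4-6: at flow timeout, count holes in [base, last_ack). */
static unsigned count_gaps(const struct stream *s)
{
    unsigned gaps = 0;
    uint32_t cur = s->base;
    for (size_t i = 0; i < s->nsegs && cur < s->last_ack; i++) {
        const struct seg *g = &s->segs[i];
        if (g->seq + g->len <= cur) continue; /* fully covered already */
        if (g->seq >= s->last_ack) break;     /* beyond the ACKed range */
        if (g->seq > cur) gaps++;             /* hole before this segment */
        cur = g->seq + g->len;
    }
    if (cur < s->last_ack) gaps++;            /* hole at the tail */
    return gaps;
}

/* Constructed session: bytes 1200-1299 never arrived; peer ACKed up to 1200. */
unsigned gaps_after_rst(enum rst_policy p)
{
    static const struct seg segs[] = { {1000, 100}, {1100, 100}, {1300, 100} };
    struct stream s = { 1000, 1200, 1400, segs, 3 };
    handle_rst(&s, 1200, p);
    return count_gaps(&s);
}

int main(void)
{
    printf("auto-ACK all: %u gap(s)\n", gaps_after_rst(RST_AUTO_ACK_ALL));
    printf("RST's own ACK: %u gap(s)\n", gaps_after_rst(RST_USE_PKT_ACK));
    return 0;
}
```

In this model the hole at 1200-1299 is in-window data that was never ACK'd; it is only counted as a gap once the RST moves `last_ack` past it.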


Subtasks: 1 (0 open, 1 closed)

Bug #7428: tcp: GAP event set on unack'd data following a RST (7.0.x backport) (Closed, Victor Julien)