You should not worry about that one, as in the case of TCP it's just the connection establishment packet, and all further communication is marked flawlessly.
Why does this happen? See, when that mentioned first packet of a new connection destined to your client arrives, it does not have the source MAC address of your client (in fact, it should have the destination address of the client, but you know you cannot match destination MAC addresses in the firewall), so it is not matched by the connection-marking rule, nor does it match the second rule that checks the connection mark. Those rules are only activated when the client replies. Please note that this flaw applies only to incoming connections, and that means that if you are using masquerading for that client, this flaw does not apply to you, as masquerading prevents incoming connections by definition.
International MikroTik Certified Trainer and Consultant from Latvia.
I do RouterOS Training and Certification worldwide!
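The behaviour described in the post above, as an added toy model in Python (not part of the original post and not RouterOS code). It assumes a simplified two-rule setup: rule 1 sets a connection mark when the source MAC is the client's, rule 2 marks any packet whose connection carries that mark. All MACs, addresses and the mark name are constructed sample values.

```python
from dataclasses import dataclass

CLIENT_MAC = "02:00:00:00:00:01"    # constructed sample value
UPSTREAM_MAC = "02:00:00:00:00:fe"  # constructed sample value
MARK = "client1"                    # hypothetical mark name

@dataclass(frozen=True)
class Packet:
    src_mac: str
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)
    note: str

def flow_key(p):
    # Both directions of a connection share one tracking entry.
    return frozenset((p.src, p.dst))

def run(packets):
    """Apply the two rules in order to each packet; return (note, marked)."""
    conn_marks = {}
    results = []
    for p in packets:
        key = flow_key(p)
        # Rule 1: set the connection mark when the source MAC is the client's.
        if p.src_mac == CLIENT_MAC:
            conn_marks[key] = MARK
        # Rule 2: mark the packet if its connection already carries the mark.
        results.append((p.note, conn_marks.get(key) == MARK))
    return results

SRV, PEER = ("192.0.2.10", 80), ("198.51.100.7", 40000)
CLI, WEB = ("192.0.2.10", 50000), ("198.51.100.7", 443)

# Constructed flow: a remote host opens a connection to the client.
INBOUND = [Packet(UPSTREAM_MAC, PEER, SRV, "SYN"),
           Packet(CLIENT_MAC, SRV, PEER, "SYN-ACK"),
           Packet(UPSTREAM_MAC, PEER, SRV, "ACK"),
           Packet(UPSTREAM_MAC, PEER, SRV, "data")]

# Constructed flow: the client opens a connection outwards.
OUTBOUND = [Packet(CLIENT_MAC, CLI, WEB, "SYN"),
            Packet(UPSTREAM_MAC, WEB, CLI, "SYN-ACK"),
            Packet(CLIENT_MAC, CLI, WEB, "ACK")]

if __name__ == "__main__":
    for name, flow in (("inbound", INBOUND), ("outbound", OUTBOUND)):
        for note, marked in run(flow):
            print(f"{name:8} {note:8} marked={marked}")
```

Only the initial SYN of the inbound flow goes unmarked; in the outbound flow the client's own first packet sets the connection mark, so every packet is marked.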