So we upgraded to NTA 3.5 and I started adding "ip flow egress" on interfaces to take advantage of NTA's new ability to do egress flow accounting. In older IOS 12.4 mainline releases, there's a bug that breaks CBAC (aka IOS firewall) when you add "ip flow egress". The firewall doesn't create state correctly, and traffic that isn't explicitly allowed by the ingress ACL will be dropped. The Cisco bug ID is CSCsd17314 and it's fixed in 12.4(10) and later--I was running the most recent incremental release of a lower version on some routers, and it's still there. The options are to a) remove egress flow accounting, b) disable CEF, c) or upgrade.
Just something to look out for.