Hey Michael,
Given the fact that the TCP 3-way handshake is established, sounds like some Path MTU blackholing happening. Due to it happening during TLS handshake it's likely from the server towards you.
2a04:4e42::272 and 2a04:4e42:2f::272 belong to Fastly (AS54113) as they host a share of
images-na.ssl-images-amazon.com. Looking at a tcpdump, the first large packet in the flow is from the server. I have a full-sized native ipv6 connection so large packets are received:
00:10:28.921224 IP6 (flowlabel 0x4901f, hlim 54, next-header TCP (6) payload length: 1460) 2a04:4e42:2f::272.443 > 2600:1f18:2fe:904:4341:3edf:79e3:de1d.42114: Flags [.], cksum 0xc122 (correct), seq 1:1429, ack 518, win 131, options [nop,nop,TS val 3517605680 ecr 572934936], length 1428
Using
https://github.com/falling-sky/mtu1280d to emulate a smaller MTU, in response to the large packet (#1) we send back an icmpv6 packet too big response (#2), triggering Fastly to send smaller packets (#3):
00:11:22.179423 IP6 (flowlabel 0xa9776, hlim 53, next-header TCP (6) payload length: 1460) 2a04:4e42:2f::272.443 > 2600:1f18:2fe:904:4341:3edf:79e3:de1d.42116: Flags [.], cksum 0xc7f0 (correct), seq 1:1429, ack 518, win 131, options [nop,nop,TS val 3934482883 ecr 572988194], length 1428
00:11:22.179527 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 1240) 2600:1f18:2fe:904:4341:3edf:79e3:de1d > 2a04:4e42:2f::272: [icmp6 sum ok] ICMP6, packet too big, mtu 1280
00:11:22.180175 IP6 (flowlabel 0xa9776, hlim 53, next-header TCP (6) payload length: 1236) 2a04:4e42:2f::272.443 > 2600:1f18:2fe:904:4341:3edf:79e3:de1d.42116: Flags [.], cksum 0x8c51 (correct), seq 1:1205, ack 518, win 131, options [nop,nop,TS val 3934482884 ecr 572988196], length 1204
Either your system does not send back an ICMPv6 packet too big reply, or something drops it on the way and it never reaches Fastly. You should check your firewall settings in the path to ensure you don't block ICMP and ICMPv6 packets.
Regards,
Andras