This is my last reply for the day. Anyone with an open ticket with Ubiquiti on this may want to see this dump. This time, I used each of the three IPs that are found in the CNAME to make sure I could capture it all.
16:03:21.720392 IP 70.16.74.83.65059 > 54.148.15.24.443: Flags [Start], seq 2769957917, win 14000, options [mss 1400], length 0
16:03:21.811445 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [Start.], seq 1229533962, ack 2769957918, win 62377, options [mss 1460], length 0
16:03:21.815302 IP 70.16.74.83.65059 > 54.148.15.24.443: Flags [.], ack 1, win 14000, length 0
16:03:21.817803 IP 70.16.74.83.65059 > 54.148.15.24.443: Flags [P.], seq 1:300, ack 1, win 14000, length 299
16:03:21.908175 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [.], ack 300, win 61978, length 0
16:03:21.909361 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 1:2801, ack 300, win 61978, length 2800
16:03:21.910392 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 2801:3446, ack 300, win 61978, length 645
16:03:21.916641 IP 70.16.74.83.65059 > 54.148.15.24.443: Flags [.], ack 2801, win 11200, length 0
16:03:21.933468 IP 70.16.74.83.65059 > 54.148.15.24.443: Flags [.], ack 3446, win 12578, length 0
16:03:24.307820 IP 70.16.74.83.65059 > 54.148.15.24.443: Flags [P.], seq 300:1233, ack 3446, win 14000, length 933
16:04:15.391818 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [.], ack 8988, win 56000, length 0
16:04:16.407725 IP 70.16.74.83.65059 > 54.148.15.24.443: Flags [P.], seq 8953:8988, ack 18139, win 13969, length 35
16:04:16.498064 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [.], ack 8988, win 56000, length 0
16:05:05.251058 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 18139:18170, ack 8988, win 56000, length 31
16:05:05.707843 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 18139:18170, ack 8988, win 56000, length 31
16:05:06.635979 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 18139:18170, ack 8988, win 56000, length 31
16:05:08.497099 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 18139:18170, ack 8988, win 56000, length 31
16:05:12.335760 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 18139:18170, ack 8988, win 56000, length 31
16:05:19.759938 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 18139:18170, ack 8988, win 56000, length 31
16:05:34.603838 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 18139:18170, ack 8988, win 56000, length 31
16:06:05.068000 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 18139:18170, ack 8988, win 56000, length 31
16:06:15.349415 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [FP.], seq 18170:18263, ack 8988, win 56000, length 93
The bolded lines are the ones Ubiquiti needs to explain. Maybe they will blame this on the TWC, but the USG and every other firewall I have kicking around don't seem to show this sequence. For the tcpdump-challenged, note that the first bolded line is a simple ACK packet, acknowledging packet #8988. This could be a tcpdump buffering situation (usually won't matter with TCP anyway), as the bolded line is acknowledging a packet it has yet to receive. The following line is the packet (from the TWC) that was just acknowledged. On that same (second bolded) line the TWC is also acknowledging the fourth bolded line's packet. The actual FIRST packet from AWS for sequence 18139:18170 appears to have been lost.
The crazy thing is the TWC acks the 18139 sequence, but never sends the ack for 18170. My best guess on this is because the TWC believes it either hasn't received the 18170 packet, or that it feels it has already acknowledged it.
Those four bolded lines ARE the USG-Lite problem.
As for any other tests, yes, I did try scaling back MSS, but it doesn't seem to have any effect on the outgoing packets AT ALL. I have not tried a DMZ. Not sure how to on UniFi, and with only one LAN port, I can't imagine how it might get configured other than with VLANs. I also tried creating a pre-emptive firewall rule for 35.161.98.75, but I should probably try it again and build an IP group of those three IPs and apply the same "PASS THE PACKET, Damnit!" rule. Maybe I'll try that after I run some errands.
Then, the AWS server acknowledged the same packet again. However, at that point, the UXG is massively confused and will no longer forward the packet with sequence 18139:18170.
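The seq/ack bookkeeping the post walks through by hand, as an added Python check (not code from the original post or from Ubiquiti): it replays tcpdump text lines and flags the three things worth eyeballing in a trace like this: a data range sent twice (retransmission), an ACK that runs ahead of any data the capture has shown the peer sending, and a jump in sequence numbers that means the capture skipped segments. The embedded lines are copied from the excerpt above with the handshake and four of the seven identical retransmits omitted.

```python
import re
from collections import defaultdict

# Excerpt copied from the tcpdump output in the post above (handshake dropped, so seq/ack
# are tcpdump's relative numbers; three of the seven identical retransmits kept).
TRACE = """\
16:03:21.815302 IP 70.16.74.83.65059 > 54.148.15.24.443: Flags [.], ack 1, win 14000, length 0
16:03:21.817803 IP 70.16.74.83.65059 > 54.148.15.24.443: Flags [P.], seq 1:300, ack 1, win 14000, length 299
16:03:21.908175 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [.], ack 300, win 61978, length 0
16:03:21.909361 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 1:2801, ack 300, win 61978, length 2800
16:03:21.910392 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 2801:3446, ack 300, win 61978, length 645
16:03:21.933468 IP 70.16.74.83.65059 > 54.148.15.24.443: Flags [.], ack 3446, win 12578, length 0
16:03:24.307820 IP 70.16.74.83.65059 > 54.148.15.24.443: Flags [P.], seq 300:1233, ack 3446, win 14000, length 933
16:04:15.391818 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [.], ack 8988, win 56000, length 0
16:04:16.407725 IP 70.16.74.83.65059 > 54.148.15.24.443: Flags [P.], seq 8953:8988, ack 18139, win 13969, length 35
16:04:16.498064 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [.], ack 8988, win 56000, length 0
16:05:05.251058 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 18139:18170, ack 8988, win 56000, length 31
16:05:05.707843 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 18139:18170, ack 8988, win 56000, length 31
16:05:06.635979 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [P.], seq 18139:18170, ack 8988, win 56000, length 31
16:06:15.349415 IP 54.148.15.24.443 > 70.16.74.83.65059: Flags [FP.], seq 18170:18263, ack 8988, win 56000, length 93
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<lo>\d+):(?P<hi>\d+))?(?:, ack (?P<ack>\d+))?.*length (?P<length>\d+)$"
)

def analyze(trace):
    """Replay the segments; return (timestamp, kind, detail) for each anomaly found."""
    max_end = defaultdict(lambda: 1)  # highest byte seen sent per direction (1 = right after SYN)
    seen = defaultdict(set)           # data ranges already seen per direction
    findings = []
    for line in trace.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fwd, rev = f"{m['src']} > {m['dst']}", f"{m['dst']} > {m['src']}"
        if m["ack"] and int(m["ack"]) > max_end[rev]:
            # ACK for bytes the capture has not yet shown the peer sending
            findings.append((m["ts"], "ack_ahead", f"{fwd} acks {m['ack']}, only {max_end[rev]} seen"))
        if m["lo"]:
            lo, hi = int(m["lo"]), int(m["hi"])
            if (lo, hi) in seen[fwd]:  # same data range sent again: retransmission
                findings.append((m["ts"], "retransmit", f"{fwd} seq {lo}:{hi}"))
            elif lo > max_end[fwd]:    # capture skipped segments from this side
                findings.append((m["ts"], "gap", f"{fwd} jumps {max_end[fwd]} -> {lo}"))
            seen[fwd].add((lo, hi))
            max_end[fwd] = max(max_end[fwd], hi)
    return findings
```

Run against the full dump, the "ack_ahead" line at 16:04:15 is the early ACK for 8988 the post describes, and every repeat of 18139:18170 comes out as a retransmit with no matching ACK from the other side.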