I just came across this trace: https://app.packetsafari.com/analyze/l/7J3V34gB20YPC54rGWcD/none/none.
Packet 2 rejects a TCP SYN using an ICMP Destination Unreachable (Port Unreachable) packet. I know these are used for UDP, but I always thought TCP RSTs were the only way to indicate that a TCP port is not open (besides not sending anything if a firewall is active).
I tried to reproduce the trace by accessing the mentioned IP, and I got this PCAP: https://app.packetsafari.com/analyze/l/NJ3b4YgB20YPC54rLmvP/none/none.
I tried to investigate whether this is due to a middlebox or the server itself. This trace is not taken from the same client, but still... It seems that the TTL of the response from 52.203.48.25 starts at neither 64 nor 128 but at 255. I think this is uncommon, but it may also be an indicator that this is sent by the server itself. Another thing that caught my eye is the difference in the DSCP codepoint in the second packet of each trace.
Any ideas? Has anybody seen something like this before? From the first trace, it seems to me that the client is just ignoring the port unreachable and sending retransmissions. Maybe a misconfigured firewall?
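The checks the question walks through (does the ICMP sender match the host the SYN was addressed to, what does the quoted TCP header say, and what initial TTL does the observed TTL point at) can be scripted against a capture. The following is an added example, not code from the poster or from PacketSafari: it builds a constructed ICMP type 3 / code 3 packet that quotes an IPv4 header plus the first 8 bytes of a TCP SYN (RFC 792 layout), decodes it, and estimates the sender's initial TTL by rounding the observed TTL up to the nearest common default (32, 64, 128, 255). The addresses, ports and TTL values are constructed sample values, not taken from the traces.

```python
"""Decode an ICMPv4 Destination Unreachable that quotes a TCP segment.

Added example, not from the original post. All packet values below are
constructed for illustration.
"""
import ipaddress
import struct

INITIAL_TTLS = (32, 64, 128, 255)  # common OS/router default initial TTLs
CODE_NAMES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed", 9: "net admin prohibited",
    10: "host admin prohibited", 13: "communication admin prohibited",
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def build_tcp_syn(sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP header with only SYN set; checksum left zero (constructed sample)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_icmp_unreachable(code: int, quoted: bytes) -> bytes:
    """ICMP type 3: type, code, checksum, 4 unused bytes, then the quoted datagram."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def estimate_initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common initial TTL."""
    return next(t for t in INITIAL_TTLS if t >= observed)


def parse_icmp_unreachable(packet: bytes) -> dict:
    """Decode an IPv4 packet carrying ICMP Destination Unreachable."""
    version_ihl, ttl, proto = packet[0], packet[8], packet[9]
    if version_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4/ICMP packet")
    ihl = (version_ihl & 0x0F) * 4
    sender = str(ipaddress.IPv4Address(packet[12:16]))
    icmp = packet[ihl:]
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError(f"ICMP type {icmp_type} is not Destination Unreachable")
    if checksum(icmp) != 0:  # a valid checksum verifies to zero
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]  # quoted original IP header + first 8 bytes of its payload
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_proto = inner[9]
    inner_dst = str(ipaddress.IPv4Address(inner[16:20]))
    initial = estimate_initial_ttl(ttl)
    result = {
        "sender": sender, "observed_ttl": ttl, "estimated_initial_ttl": initial,
        "hops_away": initial - ttl,
        "code": code, "reason": CODE_NAMES.get(code, f"code {code}"),
        "inner_proto": inner_proto, "inner_dst": inner_dst,
        # ICMP from the same address the SYN targeted points at the host itself,
        # a different source address points at a router or middlebox on the path
        "sent_by_quoted_host": sender == inner_dst,
    }
    if inner_proto == 6:  # the quoted 8 bytes of TCP cover ports and sequence number
        sport, dport, seq = struct.unpack("!HHI", inner[inner_ihl:inner_ihl + 8])
        result.update(sport=sport, dport=dport, seq=seq)
    return result


def constructed_sample() -> bytes:
    """Constructed sample: SYN to 198.51.100.20:8080 answered with port unreachable
    that left the server at TTL 255 and arrives at TTL 243."""
    syn = build_ipv4("203.0.113.10", "198.51.100.20", 6,
                     build_tcp_syn(51234, 8080, 0x12345678), 64)
    icmp = build_icmp_unreachable(3, syn[:20 + 8])
    return build_ipv4("198.51.100.20", "203.0.113.10", 1, icmp, 243)


if __name__ == "__main__":
    for key, value in parse_icmp_unreachable(constructed_sample()).items():
        print(f"{key}: {value}")
```

To apply it to a real capture, feed the raw IPv4 bytes of the suspicious packet (for example extracted with scapy or tshark) to `parse_icmp_unreachable`; `sent_by_quoted_host` and `hops_away` are the two fields that separate "the server answered" from "something on the path answered".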