A raw packet capture would be useful to look deeper. Actually 2. One of the IP in question and one of any other site. Both from the problem source network. I would wager one of these things is not like the other but I need the .cap files as there is not enough information in the screenshot. The output of ss -emoian as text and not a screenshot may also be useful to grab just after the connections are attempted to both destinations.
