Maybe TCP goes to the close state when one node realizes the tunnel is broken, to signal the remote: "start again".
Weird test: block UDP 443 with a LAN_IN firewall rule.
Create a LAN_IN firewall rule (or WAN_OUT):
  default action=accept
  rule1 drop udp destination=443
This seems like an AnyConnect VPN, which can work without UDP.
ERs have a history with out-of-order UDP packets.