We work with an organization coming in from an AWS EC2 instance trying to connect to an API we have onsite that's behind our Firepower FTD 2130 (7.4.2.1, managed by FMC) firewalls (there is an external/public NAT'd IP address it hits first, but that seems to translate fine since it's upstream and hits our FW with the internal destination IP). They are complaining that they're getting timeouts and can't complete the API connection (to TCP/443). When reviewing the logs, there are several connections from that same source to the same destination and port that are successful since we have an explicit policy permitting that traffic, but at the same time, we're seeing the following Deny message in between:
Deny TCP (no connection) from <AWS-IP/Port> to <Local-DST-IP/443> flags ACK on interface <OutsideInterfaceName>
And the log before it with the same exact time stamp:
Built inbound TCP connection 528346990 for <OutsideInterfaceName>:<AWS-IP/Port> (<AWS-IP/Port>) to <InsideInterfaceName>:<Local-DST-IP>/443 (<Local-DST-IP>/443)
There seems to be something going on or a unique attempt at connection between EC2 instances in AWS and this API. Other sources can connect to the API. Can someone explain what is happening and how this could be corrected? I'm under the impression that it is something on their end (this has been seen before, but a while back and with different people - I'm not sure what the fix was), but even if that is the case, I'd like to be able to recommend a fix for them now. Thanks.
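The two messages quoted above are the ASA/FTD syslog IDs 302013 ("Built ... TCP connection") and 106015 ("Deny TCP (no connection)"); 106015 means the firewall received a TCP segment without a SYN (here, an ACK) for which it has no entry in its connection table. When a 106015 for the same source/destination/port 4-tuple appears next to a 302013 for that same flow, the interesting question for triage is whether the denied segment arrived before the connection was built, after it was torn down, or belongs to a flow this firewall never built at all. The script below is an added example, not code from the post or from Cisco: it parses both message formats, correlates Deny events with Built events by 4-tuple within a time window, and buckets each Deny as "built_then_denied" or "never_built" per source address. The log lines are constructed to mirror the post's messages (documentation-range IPs; the connection id 528346990 is the one quoted above); the `%ASA-6-...:` prefix and the timestamp layout are the standard syslog format and are assumed, so adjust the timestamp regex if your collector stamps lines differently.

```python
"""Correlate Firepower/ASA "Deny TCP (no connection)" (106015) events with
"Built ... TCP connection" (302013) events for the same 4-tuple, to see which
denied ACKs belong to flows the firewall had built and which never were."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines modelled on the messages quoted in the post.
# 203.0.113.10 stands in for the AWS source, 10.0.0.5 for the internal API host.
SAMPLE_LOG = """\
Jan 10 2025 12:00:01 fw1 : %ASA-6-302013: Built inbound TCP connection 528346990 for outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:10.0.0.5/443 (10.0.0.5/443)
Jan 10 2025 12:00:01 fw1 : %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/51234 to 10.0.0.5/443 flags ACK on interface outside
Jan 10 2025 12:00:03 fw1 : %ASA-6-302013: Built inbound TCP connection 528346991 for outside:198.51.100.7/40000 (198.51.100.7/40000) to inside:10.0.0.5/443 (10.0.0.5/443)
Jan 10 2025 12:00:05 fw1 : %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/51300 to 10.0.0.5/443 flags ACK on interface outside
Jan 10 2025 12:00:09 fw1 : %ASA-6-302013: Built inbound TCP connection 528346992 for outside:203.0.113.10/51301 (203.0.113.10/51301) to inside:10.0.0.5/443 (10.0.0.5/443)
"""

# Assumed syslog timestamp layout ("Mon DD YYYY HH:MM:SS"); adjust for your collector.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})")
# 302013: Built {inbound|outbound} TCP connection <id> for <if>:<src>/<port> (<mapped>) to <if>:<dst>/<port> (<mapped>)
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"(?P<in_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<out_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
)
# 106015: Deny TCP (no connection) from <src>/<port> to <dst>/<port> flags <flags> on interface <if>
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>[\w-]+)"
)


def parse_line(line):
    """Return a dict for a Built or Deny event, or None for any other line."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    b = BUILT_RE.search(line)
    if b:
        return {"kind": "built", "ts": ts, "conn": int(b.group("conn")),
                "tuple": (b.group("src"), int(b.group("sport")),
                          b.group("dst"), int(b.group("dport")))}
    d = DENY_RE.search(line)
    if d:
        return {"kind": "deny", "ts": ts, "flags": d.group("flags").split(),
                "iface": d.group("iface"),
                "tuple": (d.group("src"), int(d.group("sport")),
                          d.group("dst"), int(d.group("dport")))}
    return None


def correlate(log_text, window=timedelta(seconds=30)):
    """For every Deny (no connection), look for a Built event on the same
    4-tuple within +/- window and classify the deny accordingly."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    built_by_tuple = defaultdict(list)
    for e in events:
        if e["kind"] == "built":
            built_by_tuple[e["tuple"]].append(e)
    findings = []
    for e in events:
        if e["kind"] != "deny":
            continue
        matches = [b for b in built_by_tuple.get(e["tuple"], [])
                   if abs(b["ts"] - e["ts"]) <= window]
        findings.append({
            "ts": e["ts"], "tuple": e["tuple"], "flags": e["flags"],
            # A matching Built means the firewall knew this flow and then lost
            # or lacked the entry; no match means the SYN never crossed this box.
            "matched_conn": matches[0]["conn"] if matches else None,
            "category": "built_then_denied" if matches else "never_built",
        })
    return findings


def summarize_by_source(findings):
    """Count deny categories per source IP, to see whether one peer stands out."""
    counts = defaultdict(lambda: {"built_then_denied": 0, "never_built": 0})
    for f in findings:
        counts[f["tuple"][0]][f["category"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f["ts"], f["tuple"], " ".join(f["flags"]), f["category"], f["matched_conn"])
    print(summarize_by_source(correlate(SAMPLE_LOG)))
```

A source that shows only "built_then_denied" entries is sending segments the firewall has no state for on a flow it did build, which points at the connection entry disappearing (timeouts, a teardown on one side, or a NAT mapping that changed) rather than at the access policy; a source with mostly "never_built" entries is sending mid-stream ACKs for flows whose handshake this firewall never saw, which is the signature of an asymmetric path. Feeding a few hours of exported syslog through `correlate` gives a per-source ratio that is more useful than eyeballing interleaved lines.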