An adventure into the land of bizarro.
The web server is a Windows 2008 with IIS7. It sits in a DMZ with the usual NAT set up to translate internal/public IPs. There are 6 portal pages running here; all are SSL secured. If one tries to access on port 80, it is redirected to the public IP on port 443. Only ports 80 and 443 are open at the firewall. This has been in place and operating since 2008 was the 'new' thing from MSFT.
Today, half of the portals stopped responding. All the addresses will ping from inside the DMZ, and opening ICMP on the firewall lets them ping from outside. I opened up Wireshark on the host server to see what was going about, and as soon as I started the capture, everything began to work! Stop the capture, and the pages go down. Start it back up and back in business again.
I have:
disabled MSFT firewall
turned off antivirus
turned off Malwarebytes
double checked the bindings
double checked the SSL certs are still valid
Clearly this is something going on in Windows, but I am at a loss.