ALB TLS Extensions?

0

A customer (on basic support) is connecting to an ALB over HTTPS from an internal network and is getting TCP RSTs from the ALB after sending the ClientHello for the TLS handshake. Clients outside of this particular network are able to connect to the ALB over HTTPS with no problem.

After comparing the ssldumps, we noticed the ClientHello from inside the network includes several TLS extensions, whereas the ClientHello from outside the network includes no TLS extensions. The TLS extensions included in the ClientHello are: ec_point_formats, supported_groups, SessionTicket, signature_algorithms, and heartbeat. See the ssldump below.

Separately, the customer noticed a spike in ClientTLSNegotiationErrorCount during testing so I have asked the customer to enable Access Logs for ALB to see if the server-side logs provide any insight.

Does ALB support TLS extensions? If so, which extensions are supported? If not, why?

ClientHello:

New TCP connection #1: X.X.X.X(57358) <-> Y.Y.Y.Y(443)
1 1  0.0821 (0.0821)  C>SV3.1(272)  Handshake
      ClientHello
        Version 3.3 
        random[32]=
          ee 55 dd 17 41 98 37 d8 d5 75 04 64 ed 5f 25 31 
          70 6a f8 12 7d c6 52 96 af 7c 33 7e e6 ea 0b f6 
        cipher suites
          (withheld to preserve space)
        compression methods
                  NULL
        extensions
          ec_point_formats
          supported_groups
          SessionTicket
          signature_algorithms
            signature_algorithms[30]=
              06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 
              04 03 03 01 03 02 03 03 02 01 02 02 02 03 
          heartbeat
1    0.1657 (0.0835)  S>C  TCP RST
AWS
Asked 5 years ago, 474 views
1 answer
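To make the inside/outside comparison in the question reproducible offline, here is an added example (not from the original post and not AWS code) that builds two constructed ClientHello records, one carrying the five extensions listed in the ssldump and one carrying none, then parses and diffs their extension lists. The random and signature_algorithms bytes are taken from the dump above; the cipher suite, supported_groups, ec_point_formats and heartbeat bodies are assumed values.

```python
import struct
# IANA TLS ExtensionType values for the five extensions listed in the ssldump above
EXTENSION_NAMES = {10: "supported_groups", 11: "ec_point_formats",
                   13: "signature_algorithms", 15: "heartbeat", 35: "SessionTicket"}

def build_client_hello(extensions):
    """Build a TLS record carrying a ClientHello (constructed sample, not a capture).
    extensions: list of (type, body) pairs; an empty list omits the extensions block."""
    client_random = bytes.fromhex("ee55dd17419837d8d5750464ed5f2531706af8127dc65296af7c337ee6ea0bf6")
    body = b"\x03\x03" + client_random + b"\x00"   # client_version 3.3, random, empty session_id
    body += b"\x00\x02\xc0\x2f"                     # one cipher suite (assumed: ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                             # compression_methods: NULL only
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record type 22, version 3.1

def parse_client_hello_extensions(record):
    """Return the extension names of a ClientHello record in wire order ([] if none)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body, pos = record[9:], 2 + 32                            # skip client_version and random
    pos += 1 + body[pos]                                      # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + body[pos]                                      # compression_methods
    if pos >= len(body):
        return []                                             # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos, names = pos + 2, []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        names.append(EXTENSION_NAMES.get(etype, f"unknown({etype})"))
        pos += 4 + elen
    return names

def extensions_only_in(record_a, record_b):
    """Extensions in record_a but not in record_b: the comparison the question describes."""
    absent = set(parse_client_hello_extensions(record_b))
    return [n for n in parse_client_hello_extensions(record_a) if n not in absent]

# Constructed "inside the network" hello with the five extensions from the dump; the
# signature_algorithms bytes are the 30 shown above, the other bodies are assumed values.
SIG_ALGS = bytes.fromhex("060106020603050105020503040104020403030103020303020102020203")
INTERNAL_HELLO = build_client_hello([
    (11, b"\x01\x00"), (10, b"\x00\x04\x00\x17\x00\x18"),    # ec_point_formats, supported_groups
    (35, b""), (13, b"\x00\x1e" + SIG_ALGS), (15, b"\x01"),  # SessionTicket, signature_algorithms, heartbeat
])
EXTERNAL_HELLO = build_client_hello([])                      # constructed "outside" hello: no extensions
```

Feeding a real capture into parse_client_hello_extensions only needs the raw TLS record bytes of the ClientHello, which ssldump or tcpdump can export.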
0
Accepted answer

ClientTLSNegotiationErrorCount indicates the number of TLS connections initiated by clients towards the load balancer that were unsuccessful. Generally, this happens when the client and load balancer could not agree on a cipher/protocol combination.

A few things are missing from the question:

  1. Do you have the customer's ALB FQDN?
  2. What client does the customer use? What SSL version and cipher suite does it use?
  3. Any particular error message the client saw before the ALB reset the connection?

You mention that the issue happens in a particular internal network. Are the clients the same in the external and internal network? Does the internal network have any SSL proxy by any chance?

AWS
Answered 5 years ago
