Anti DDOS enable syncookies causes timeouts for specific VPNs and Dilbert

Started by Frostbite8289, January 04, 2023, 05:31:12 PM

I am running the latest production release as of 2022-01-04 i.e.  22.7.10_2.
I am trying to understand what OPNSense is doing with syncookies. They seem to appear in two places:
- as a tunable under System -> Settings -> Tunables: "net.inet.tcp.syncookies - Generate SYN cookies for outbound SYN-ACK packets" (which is 1, i.e. on, by default), and
- under Firewall -> Settings -> Advanced, as the "Anti DDOS enable syncookies" option (which is "never" by default).

Can someone explain what the 2nd option is doing and how it is related to the 1st tunable? I do want Anti DDOS. The help is sparse, and when I turn it on I get some very strange, specific issues. To be clear, other web traffic and VPNs (e.g. AnyConnect) work fine from the LAN out to the Internet.

It is not clear to me how to use the adaptive option. When that 2nd option is set to "always", the weird timeout problems appear, but only in two very specific cases:
1. Palo Alto GlobalProtect VPN connections from LAN to Internet cannot connect. HTTPS connections from the LAN to the Palo Alto firewall receive 6 KB of the 12 KB login page and then time out. The same connection works using curl directly on the OPNSense firewall.

2. Parts of the Dilbert web comic cannot complete loading.

Can anyone shed some light on this?