Strange connection issue with gitlab.io subdomains

For Tor Browser (both 12.5.4 and 13.0a4) on Debian, gitlab.io subdomains fail to load on the first connection, but work on subsequent connections. The TLS handshake appears to fail on the first connection. There are, however, rare exceptions in which the connection does work on the first try.

I have provided more details in this forum post. There's also a reply by PieroV in which he lays out a hypothesis for why this is happening. This problem does not occur on Windows and Android.

The mystery is: why does it only happen on gitlab.io subdomains and why only for the GNU/Linux version of Tor Browser? Is it a purely local problem in TBB’s code, or can GitLab’s firewall tell that the first and second visits were made within the same browsing session? If so, how? What gives it away? It has to be a TCP or TLS-level thing, as HTTP isn't used in the first connection attempt.

Also, Tor Browser has the same JA3 fingerprint on both Linux and Android, their TLS configurations seem to be identical. So if it’s some kind of firewall issue on GitLab’s end, why doesn’t it block them both? How does it tell them apart? And how does it tell the first and second visits apart?

Example links to test with:

• https://charts.gitlab.io/
• https://sigvids.gitlab.io/
• https://wolfree.gitlab.io/
• https://tpoforks.gitlab.io/tor-browser-manual/
• https://oniondocs.gitlab.io/tbmanual/

I want to underscore that there are two parts to this issue:

1. Explaining why this happens (important).
2. Stopping it from happening (less important).

There's also a third, UI-related problem connected to this, I've created a separate issue for it: #42108 (closed).