As we did some more testing, it looks like pulse was fundamentally causing this. Pulse was always trying to do the housekeeping ( as these settings seem to be default enabled when pulse is installed)
Disabling all housekeeping on pulse on our webservices VM it looks to have stabilized.
We still get a log full of the rules being disabled, as being pointless, but we do need pulse for WOL and general power management.
We are going to setup a 4th for pulse only, but it seems overkill but it looks to be the best way to seperate any pulse related issues on affecting our webservices.
Root cause could be openssl getting overloaded by the pulse trying to do the housekeeping or some process or lib related to that process. tbh we havent dug deeper into this as it is weird that this isnt natively supported or setup correctly on install?