When AT&T was providing cable Internet to me, there was a time when my IPSEC VPN did not work. The VPN apparently connected, but data traffic never made it though. Other people complained, but AT&T claimed they were doing nothing to VPNs. Using tcpdump at both ends, I could see that the media (udp/500) was not getting though while the AH and ESP packets (required to set up the connection) were getting though. Clearly AT&T was blocking VPNs, but in such a way that it would not be obvious to the average user what was wrong. Pure evil.
Or they blocked everything unless they knew it was needed. Possibly only at one (or a few points) in their network.
e.g. they only let IP protocols 1, 6 & 17 through because someone didn't realise the other 253 were perfectly valid. Even though many which are assigned are, in practice, hardly ever used.