It's been turned off.. the tcpdump I sent them confirms it's the headers. I can configure varnish to compensate for the large headers, but question how it was coded.
if (req.url ~ "wp-(login|admin)|login" || req.url ~ "preview=true" || req.url ~ "xmlrpc.php") {
return (pass);
}