maybe you already opened a ticket for this since nobody was quick to answer, but... TLS_Unrecoverable-Error is generated if the TLS decryption fails and it always results in terminated connection.
In 5.8 and newer this may happen if application detection is enabled in following scenario:
if the SNI in SSL Client Hello does not trigger any TLS Match, decrypting is started i.e. the stream is modified. After that when server certificate is seen, all domains in cert are matched to get an application for the connection. Some CDNs include a huge number of domains in the certificate, if one of those triggers a TLS Match which denies decrypting the connection is terminated with TLS_Unrecoverable-Error because the stream was already modified. As decryption is no longer allowed the connection would anyway fail since the stream was already modified.
To work around that you can create a new TLS Match which denies decrypting for the trusted domain.