I am even more concerned about the lack of a space character after
"CONNECT". What is your custom logformat definition?
If the problem applies to all denied transactions, then you can probably
tell whether this is v5 or master/v6 problem by sending a manual
to-be-denied request to one or both of the Squid instances in question
and looking for your client address/timestamp in the access log.
Long-term, if you are going to continue mixing access records from
different Squid instances, then I would recommend adding a instance (and
worker) IDs to each access log record.
FWIW, I cannot reproduce this problem using a maser/v6-based branch with
default logformat and CONNECT requests to banned ports, but perhaps the
problem is specific to some CONNECT transactions or some listening port