is it health monitor?
YES! This VIP is snatted and my tcpdump command mistakenly EXCLUDED the floating self-ip, leaving only monitor traffic in my trace. I just took another trace and verified the LTM only sends the list of 7 matching TLS ciphers in the
tmm --serverciphers 'DEFAULT:-TLSv1_1:-TLSv1_2'
output. This is what I expected. Thanks very much for setting me straight!
This leads me to another question...what makes the LTM decide to "decide" to use TLS on the serverside of the connection? Is that because the client on the clientside requested to use TLS (which it does), and it is required to maintain the same protocol on both sides?