SharePoint SSL handshake good but TCP RST with no content

I'm using SharePoint 2013 iApps setup for SSL offload. Using Wireshark on a tcpdump from browsing to a FQDN shows the SSL handshake finishing and a single application data packet followed by a TCP RST.

 

The handshake is also validated using openssl s_client. After the handshake, I've tried a simple GET and a host specific GET (per the iApp monitor string). Both return errno=104. Fidder shows a raised exception 'Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host'. I believe both openssl and Fidder errors refer to the TCP RST.

 

An alternate IIS iApp is setup in the same Partition/VLAN/Route Domain. It uses non-SharePoint web servers but in the same subnet. It is browsed by the same web browser and succeeds. This VIP resolves to web server peers from the same client.

 

Is this typical of a SharePoint server with incorrect bindings or AAMs? Or, is there a network issue to debug? What is the best way to validate networking to SharePoint when bindings/AAMs are suspect?