@irbk Go into the CLI and run a "list ltm virtual <virtual_server_name>" and similar commands can be run for each other the other configuration options. To see the other options under "list ltm" you should be able to use the question mark to narrow it down to other pieces of configuration.

Ok, I'm not really a linux guy but I'll do my best!

@irbk Based on the second virtual server configuration, I see that you are passing decrypted traffic to the servers on 443. Did you configure the servers to receive decrypted traffic on 443 because by default they should not allow that? Now SSL bridging is nice but not necessary and completely depends on your security stance and capabilities of the receiving pool members and if they can perform all application functions over HTTP and not HTTPS. If it's not required I would stick with SSL termination at the F5 and passing decrypted traffic to the servers.

No, that shouldn't be right.  The servers have to have encrypted traffic, they aren't configured to recive it otherwise.  What setting requres changing?

Actually, the servers arn't even going to be receiving on 443 in the end, this is just how I'm testing to get the certificate issue squared away but the servers do need to recieve encrypted traffic so either the BigIP needs to do a passthrough or we need to setup the SSL Bridging (which I believe is the prefered option for several reasons).

@irbk So I think we need to sort a few configuration options first.
1. SSL Termination on F5
    F5 terminations SSL using the SSL Client profile and then passes decrypted HTTPS traffic to the server on an alternate port such as 80 or 8080 so that you or the application can tell the difference between traffic that was HTTP traffic and which was HTTPS. So 443(F5) -> 8080(Pool member)
2. SSL Bridging
    F5 terminates SSL using the SSL Client profile, performs varios tasks now that the traffic is decrypted, then finally uses the SSL Server profile to encrypt traffic and pass it back to the pool member on 443 or an alternate port such as 8443.
3. SSL Passthrough
    F5 performs zero SSL tasks and passes the traffic directly to the server to decrypt and encrypt

If you are having an SSL issue it could be directly related to the server not being configured to receive that decrypted traffic since you are only using an SSL client profile or possibly an SSL cert on the server that is rejecting the requests.

End goal is clients will be using a client side application (not a webpage) to go to the F5, the F5 redirects them to the server, client talks with the server.  
How that client side application works is a little bit more tricky.  As far as I can tell, it starts out communicating on 80 and then flips to a different port using TLSv1.2.  The server is expecting it's traffic encrypted so SSL Passthrough or SSL Bridging is my only option and between the two, I guess the SSL Bridging is better because the F5 gets better visability to the traffic.

Looking at the tcpdump it is clear that your problem is that the serverside connection is in cleartext.

It is the job of a serverside ssl profile to make sure that is uses TLS on the connection towards the server (not matter the port number), so that seem to be missing.

Replied to my own reply so things ended up out of order, deleted this comment and added it to the above reply since I can't seem to just "delete" a reply.

Interesting, I was told by our implementer that a "SSL Profile (Server)" was not required.  I'm not quite sure what the proper way to setup the server ssl profile is?  I'm assuming it would match-ish (yea, I'm making up words) the client side?  So something like 

ltm profile server-ssl Modified_serverssl {
app-service none
cert WildCard24
defaults-from serverssl
key WildCard24
log-ssl-c3d-events debug
log-ssl-client-authentication-events debug
log-ssl-forward-proxy-events debug
log-ssl-handshake-events debug
options { no-tlsv1.3 no-dtlsv1.2 }
}

I added in an SSL Profile (server) and the wireshark seems to indicate that I get a good connection.

If I go to https://bigip.domain.com  I don't get a "site can't be reached" with "err_connection_reset" message, instead I get a "Not Found Http error 404" however if I go direct https://msnav01.domain.com  I get the IIS welcome page so I'd expect if the BigIP were working correctly, if I go to https://bigip.domain.com I should be seeing the IIS welcome page.

@irbk If you intend to reencrypt the traffic that the F5 decrypted and send it to 443 on the pool member you absolutely need an SSL server profile which can use the default profile of clientssl so that the F5 does SSL negotiation between it and the pool member just like the client did between itself and the F5. In regards to your 404 issue, this is most likely occurring because the page you are attempting to reach on 443 is not available. It seems like everything from this point forward is a server side issue rather than an F5 issue.

Currently the BigIP only has 1 pool member, msnav01.domain.com (I've disabled the other one for testing).   If I go direct https://msnav01.domain.com I get the IIS welcome page so I'd expect if the BigIP were working correctly, if I go to https://bigip.domain.com (which can only load balance to msnav01.domain.com) I should be seeing the IIS welcome page. 

@irbk To make sure I understand. The URL "https://msnav01.domain.com" points directly to the server and URL "https://bigip.domain.com" points to the F5 virtual server? If you are not seeing the IIS page when going to the bigip domain it's most likely that the server is not configured to respond to host "bigip.domain.com" but "msnav01.domain.com" which is why you are receiving the error. Try editing your hosts file to point "msnav01.domain.com" to the IP of the F5 virtual server and see if you are having the same issue. This still seems like a server issue because 404, unless otherwise configured, would only come from the server and not the F5. If you open of dev tools in your browser you can view the HTTP header field "Server" and it will most likely show some variation of "IIS" as the value rather than "BIGIP" which would imply you are making it to the server.

Well, this whole thing may have been a red herring.  @paulj Yes, your understanding correctly.  What I've just realized is that while going to https://msnav01.domain.com  brings up an IIS welcome page going to https://<ip  of msnav01> does NOT bring up an IIS welcome page <facepalm>.  Just to test, I found another server that DID bring up a page when you went to https://<test ip>  and created a new pool for the <test ip> and then adjusted my VS to use the new test IP pool and the thing worked.  So it seems like this whole thing was a failed assumption.  I should have verified that https://<ip  of msnav01> also brought up an IIS welcome page.