TLS handshakes may fail in an SSLV environment with an Active Inline Fail to Appliance Proxy Chain right topology.
Active Inline Fail to Appliance Proxy Chain right topology with a security stack.
Occasionally a device in the security stack may modify frames. This can break the TLS handshake between the SSL Visibility appliance and the destination server. Security stacks should not modify traffic between the SSLV and the destination server.
TCP timestamps, defined in RFC 1323, are a 12-byte extension to the TCP header used for Round-Trip Time Measurement (RTTM) and Protection Against Wrapped Sequence Numbers (PAWS). PAWS prevents data corruption on high-speed networks by rejecting old, duplicated segments that arrive after sequence numbers have wrapped around, ensuring accurate packet ordering.
PAWS can result in frames of the TLS handshake getting dropped.
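The following is an added illustration of the PAWS rule described above; it is not code from the SSL Visibility appliance or from this article. It models the receiver-side check from RFC 1323 in simplified form (the real rule also conditions the TS.Recent update on the segment being in-window): a segment whose TSval is older than the last recorded timestamp, compared with 32-bit wraparound arithmetic, is discarded, while a legitimate wraparound is accepted. The segment timestamps are constructed values; the "rewritten" scenario stands in for an inline device that replaces a handshake frame's timestamp with a value from a different clock.

```python
# Simplified PAWS (Protection Against Wrapped Sequence Numbers) receiver model.
# Added illustration only; not the SSLV netstack implementation.

MOD = 1 << 32          # TCP timestamps are 32-bit values that wrap around
HALF = 1 << 31


def ts_newer_or_equal(a: int, b: int) -> bool:
    """RFC 1323 '>=' comparison: a is not older than b under 32-bit wraparound.

    Timestamps are compared as 32-bit modular values, so 0x00000005 counts
    as newer than 0xFFFFFFF0 (a clock that just wrapped), not older.
    """
    return ((a - b) % MOD) < HALF


class PawsReceiver:
    """Tracks TS.Recent for one connection and counts PAWS discards."""

    def __init__(self) -> None:
        self.ts_recent = None   # last accepted TSval (TS.Recent in RFC 1323)
        self.paws_drops = 0     # analogous to a 'tcp pawsdrop' counter
        self.accepted = 0

    def receive(self, tsval: int) -> bool:
        """Return True if the segment passes PAWS, False if it is dropped."""
        if self.ts_recent is not None and not ts_newer_or_equal(tsval, self.ts_recent):
            # TSval older than TS.Recent: treated as a stale segment from a
            # previous sequence-number wrap and silently discarded.
            self.paws_drops += 1
            return False
        self.ts_recent = tsval
        self.accepted += 1
        return True


def simulate(segment_tsvals):
    """Feed a list of TSvals (one per received segment) through PAWS.

    Returns (per-segment accept flags, total PAWS drops).
    """
    rx = PawsReceiver()
    flags = [rx.receive(ts) for ts in segment_tsvals]
    return flags, rx.paws_drops


if __name__ == "__main__":
    # Constructed scenarios, not captured traffic.
    clean = [1000, 1001, 1002, 1003]                 # untouched handshake frames
    rewritten = [1000, 1001, 7, 1002]                # third frame's TSval rewritten by an inline device
    wrapped = [0xFFFFFFF0, 0xFFFFFFFA, 0x00000005]   # legitimate 32-bit wraparound

    for name, segs in (("clean", clean), ("rewritten", rewritten), ("wrapped", wrapped)):
        flags, drops = simulate(segs)
        print(f"{name:10s} accepted={flags} paws_drops={drops}")
```

In the rewritten scenario the third segment is discarded even though it is the only copy of that handshake frame, which is the failure mode the article describes; a rising pawsdrop counter on the appliance is the observable symptom of this comparison failing repeatedly.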
To confirm whether traffic is being dropped by the TCP timestamp PAWS check, do the following:
SSH into the SSLV appliance and enter the CLD (command line diagnostics) after enabling the box.
From the CLD cli enter the command:
counters netstack nonzero
In the output look for T_netstack_tcp_pawsdrop to see the count, then repeat the command to see whether it is increasing.