Bummer, didn't work. Let me explain more of what we are doing and maybe someone can help me find out what it should be. When we take a lync call, our front ends send the call off to be recorded. We need that to be persistent, but we can't use the built in sip persistence because it is converted to RTAudio. Somehow we have to do a layer 4 offload inspection to get that hash. I guess it is possible I am using the wrong begining hash... is there a way to log what the F5 sees at that offset? If I remove the start pattern the call seems to go through without an issue, as soon as I add anything the call fails.