What is the purpose of decrypting and re-encrypting across multiple devices if you want end-to-end SSL? Are you performing some functions on the F5s that require access to the unencrypted data?
I'll assume for the moment that you're doing something with the unencrypted data (maybe inserting HTTP persistence cookies or adding WAF inspection services). In this case you have THREE separate SSL sessions: client to external F5, external F5 to internal F5, and internal F5 to server. The client to external F5 configuration is pretty straight forward. But understand that when the BIG-IP re-encrypts, via server SSL profile, it is the CLIENT in that SSL session. So in the case of the interior SSL session, the external F5's server SSL profile doesn't really need a certificate and key applied, as that would be treated like a client certificate and key and only needed if the server side required mutual authentication (which I'm assuming you're not doing). Your best option here is probably to use the default server SSL profile on the external and default client SSL profile on the internal. If you need additional security in this channel (probably not), then make sure you modify both profiles accordingly. As for the internal-to-server SSL session, again the BIG-IP is the client in this case, so the insecure-compatible server SSL profile is only needed if the server explicitly requires it. For the most part, the insecure-compatible profile disables strict secure renegotiation and slightly modifies the available ciphers.
You can tell if a server is capable of RFC5746 Secure Renegotiation by issuing an openssl s_client command to it form another system.
openssl s_client -connect 192.168.1.1:443
It'll list this setting in the output. Example:
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
...
Other than that, if you're still having issues, I'd inspect the SSL handshakes at each of these three places and look for errors.
ssldump -AdnN -i <0.0 for all interfaces or a single VLAN/interface name> port