DTLS VPN doesn't work when the SSL profile is not the default clientssl
I have set up a very basic SSL VPN with APM and I would like to use DTLS to get the best performance. The APM policy just checks for AV and authenticates with AD for the time being; I plan to add 2FA later.
When I first tested the VPN, I left the default clientssl profile on the VS and just accepted the certificate warnings. It connects fine, and I can see in the BIG-IP client that the protocol in use is DTLS.
If I change the SSL profile so that it uses a certificate issued by our domain PKI, or even a proper EV SHA-256 cert, it will only establish TLS 1.2 and DTLS does not work.
I can't see anything in the log files to say why this isn't working. I know the firewall is correctly configured, as DTLS works fine with the self-signed certificate.
At the moment I am stuck, as the performance of the VPN is nowhere near as good as Cisco AnyConnect over the same link.
It's a 2000s running BIG-IP 12.0.0 Build 1.0.628 Hotfix HF1.