This issue has been perplexing me for some time, and I am running out of ideas, so here goes:

I recently stood up an SA-4500 (6.5r6) in a remote office (India) as a point of ingress for local users to access local resources more quickly.

Ever since we have deployed this appliance in the field, I have gotten some very strange behavior out of it.

1.  I can ping and traceroute it by name and IP.

2.  nslookups resolve.

3.  http redirect works

https fails, but not across the board.  Half of our users get sign-in pages just fine.  The other half just time out.

Doing a packet trace from a failed client, I see the SSL client hello send out, but no SSL server hello return.  

I have run TCP dumps on the IVE, and I see server hellos attempting to go out, but It just retransmits as if it cannot reach the client.

The network setup is simple - a single router and switch comprise the edge (only one simple inbound access list that should not affect SSLVPN).  The IVE is plugged into the switch.  I removed the ACL just in case, and the same behavior occured.

I have adjusted the IVE for what TLS/SSL settings it accepts, and no change. 

I have flattened the box to a factory state (6.3r7), and put on a bare-bones config - no change.

I set up an https web server on a switch on the same network and tested.  All clients could connect to it.

Ideas?  Thanks in advance.