What's your cipher string?
The client suggests the cipher list, but the server chooses (according to the order of your cipher string).
This page has great information about the cipher strings:
https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
User agent could possibly be taken with a grain of salt too as it could be easily faked. Have you checked if a majority of the clients comes from the same IP? Could be a scraper posing as FF.
Best way to really check it out could be to install the same version of FF yourself and check out the cipher negotiation. :)
/Patrik