Forum Discussion

Huw_37537
Nov 28, 2017

SSLv3, TLS1.0 and cipherstrings...

Running v11.6.1. I've tried searching for an answer to this question, which surely must have been asked before, but too many different topics use the same search criteria and I find myself getting into subjects that I really don't need.

I've got a client-ssl profile with a cipherstring that contains !SSLv3.

Does this mean that clients sending an SSLv3 record layer message will be rejected, or those sending an SSLv3 handshake layer message within a TLS record will be rejected, or both, or neither?

2 Replies

  • When a client sends a "Client Hello" message to the server, it sends a list of cipher suites that it supports. The idea is that one of those cipher suites is also supported by the server, and typically the strongest cipher suite is the one chosen for the TLS session. The client SSL profile lists the cipher suites that the BIG-IP (server) will support. For the TLS handshake, the server gets to decide what cipher suite will be used. So, in the case of a BIG-IP having a client SSL profile that has the "!SSLv3" added, this means that the BIG-IP will not offer any cipher suite that has SSLv3 in it. So, even if the client sends a list of cipher suites that include SSLv3, the server (BIG-IP) will not choose any of those because they won't match any of the server-side cipher suites. Instead, the server (BIG-IP) will negotiate a different cipher suite from the client.

    Here's an article/video that might help as well: https://devcentral.f5.com/articles/whiteboard-wednesday-breaking-down-the-tls-handshake

  • Without seeing the Wireshark capture, it's hard to say exactly what's going on, but it could be something like this:

    http-8443-14, READ: SSLv3 Handshake, length = 87 *** ClientHello, TLSv1

    In this case, there is a record of type "Handshake Message" version SSLv3 and length 87 bytes (a typical record size). The contents of the Handshake Message show that this is a "Client Hello" and the client supports up to TLSv1.0.

    It's possible that the BIG-IP sees the initial "SSLv3" part of the Handshake Message and rejects it based on the configuration of the SSL profile.

    Here's some more info that might help: https://support.f5.com/csp/article/K15292

    Also, for troubleshooting purposes, it might help to change the SSL logging level to "debug" so you can see exactly why the BIG-IP sent the handshake failure alert.
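The two replies above describe, respectively, how the server picks a cipher suite out of the list in the ClientHello, and how a ClientHello can sit in a record whose header says SSLv3 while the handshake message itself says TLSv1 (the "SSLv3 Handshake ... ClientHello, TLSv1" log line). The Python below is an added example, not code from this thread or from F5: it builds a ClientHello with exactly that version mismatch, parses both version fields and the offered cipher suites, and runs the server-side decision against a hypothetical server policy (SERVER_MIN, SERVER_MAX and SERVER_SUITES are assumptions standing in for a profile that has SSLv3 disabled). The cipher suite code points are real IANA values; the sample records are constructed here, not captures.

```python
import struct

# Version numbers as they appear on the wire (major, minor).
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Real IANA cipher suite code points, used only for the constructed samples.
SUITE_NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}


def build_client_hello(record_version, client_version, suites):
    """Build one TLS record (content type 0x16) carrying a ClientHello without
    extensions. record_version goes into the 5-byte record header; client_version
    is the first field of the ClientHello body. The two need not match."""
    body = bytes(client_version)                      # client_version (2 bytes)
    body += b"\x00" * 32                              # random, zeroed for the sample
    body += b"\x00"                                   # session_id length 0
    body += struct.pack("!H", 2 * len(suites))        # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # compression_methods: [null]
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (record_version, client_version, cipher_suites) from a raw record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version = (record[1], record[2])
    (length,) = struct.unpack("!H", record[3:5])
    handshake = record[5:5 + length]
    if len(handshake) != length or handshake[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    client_version = (body[0], body[1])
    pos = 2 + 32                                      # skip client_version and random
    pos += 1 + body[pos]                              # skip session_id
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return record_version, client_version, suites


def describe(record):
    """Render a record in the shape of the log line quoted in the thread."""
    rv, cv, _ = parse_client_hello(record)
    (length,) = struct.unpack("!H", record[3:5])
    return f"{VERSION_NAMES[rv]} Handshake, length = {length} *** ClientHello, {VERSION_NAMES[cv]}"


def server_decide(record, server_min, server_max, server_suites):
    """Server-side negotiation as TLS 1.0-1.2 define it: the protocol version is
    the lower of the client's client_version and the server's maximum, and must
    not fall below the server's minimum; the cipher suite is the first entry in
    the server's own preference list that the client also offered. The record
    header version is parsed but not used for the decision: RFC 5246 Appendix
    E.1 requires servers to accept any {3,x} there for a ClientHello."""
    _record_version, client_version, client_suites = parse_client_hello(record)
    negotiated = min(client_version, server_max)
    if negotiated < server_min:
        return {"result": "alert", "alert": "protocol_version"}
    for suite in server_suites:                       # server preference order wins
        if suite in client_suites:
            return {"result": "ok", "version": VERSION_NAMES[negotiated], "suite": SUITE_NAMES[suite]}
    return {"result": "alert", "alert": "handshake_failure"}


# Constructed samples for this example (not captures from the thread).
HELLO_SSLV3_RECORD_TLSV1 = build_client_hello((3, 0), (3, 1), [0xC013, 0x002F, 0x0005])
HELLO_SSLV3_ONLY = build_client_hello((3, 0), (3, 0), [0x0005, 0x000A])
HELLO_TLSV1_WEAK_SUITES = build_client_hello((3, 1), (3, 1), [0x0005, 0x000A])

# Hypothetical server policy standing in for a profile with SSLv3 disabled:
# minimum TLSv1, maximum TLSv1.2, AES suites only, in server preference order.
SERVER_MIN, SERVER_MAX = (3, 1), (3, 3)
SERVER_SUITES = [0xC014, 0xC013, 0x0035, 0x002F]


def demo():
    return [server_decide(h, SERVER_MIN, SERVER_MAX, SERVER_SUITES)
            for h in (HELLO_SSLV3_RECORD_TLSV1, HELLO_SSLV3_ONLY, HELLO_TLSV1_WEAK_SUITES)]


if __name__ == "__main__":
    print(describe(HELLO_SSLV3_RECORD_TLSV1))
    for outcome in demo():
        print(outcome)
```

The three outcomes from demo() show the cases the question is really asking about: a TLSv1 client whose ClientHello arrives in an SSLv3-versioned record is accepted at TLSv1 with the server's preferred common suite; a client whose client_version is SSLv3 is refused with a protocol_version alert; and a TLSv1 client that offers only suites the server has dropped is refused with handshake_failure. Which of the last two alerts the BIG-IP actually sent is the detail the SSL debug log level suggested above would reveal.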