My bad! Looks like someone disabled tunnelling on one of the connection servers in the pair in between testing.
Just went back to double check the config and it works!
Thanks to all involved. Will reach out to F5 to see if they'll consider updating their iApp to reflect these changes - doesn't look like it's been updated in a while.
