SSL Handshake error on vCloud Air configuring Pivotal Cloud Foundry

When installing PCF 1.3.2 on vCloud Air I ran into an “SSL Handshake error”
when attempting to access the Cloud Foundry Ops Mgr setup page.

Firefox reported the following error:

“The connection was Interrupted”
The connection was interrupted while the page was loading.
The site could be temporarily unavailable or too busy.
Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy,
make sure that Firefox is permitted to access the Web.

A quick test with openssl verified the issue:

$  openssl s_client  -connect
140694674667168:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 0 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
Protocol  : TLSv1
Cipher    : 0000
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1415297890
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
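
The transcript above ends with "Verify return code: 0 (ok)" even though no peer certificate was received, so the byte counts and the negotiated cipher are the signals that show how far the handshake got. The following is an added example, not part of the original post: it parses s_client output and classifies the result, and the diagnosis labels are this example's own naming.

```python
import re

# Lines copied from the s_client output shown above (target host omitted, as on the page).
SAMPLE = """\
140694674667168:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
Protocol  : TLSv1
Cipher    : 0000
Verify return code: 0 (ok)
"""

def parse_s_client(text):
    """Extract the fields that show how far the handshake progressed."""
    io = re.search(r"SSL handshake has read (\d+) bytes and written (\d+) bytes", text)
    cipher = re.search(r"Cipher is (\S+)", text)
    verify = re.search(r"Verify return code: (\d+)", text)
    return {
        "read": int(io.group(1)) if io else None,
        "written": int(io.group(2)) if io else None,
        "cipher": cipher.group(1) if cipher else None,
        "peer_cert": "no peer certificate available" not in text,
        "verify": int(verify.group(1)) if verify else None,
    }

def diagnose(text):
    """Classify a transcript; labels are hypothetical names chosen for this example."""
    f = parse_s_client(text)
    if f["read"] is None:
        return "incomplete-transcript"
    if f["cipher"] in (None, "(NONE)"):
        # No cipher was negotiated, so the verify code is the untouched
        # default value and says nothing about the server certificate.
        if f["read"] == 0:
            return "no-tls-response"     # peer sent nothing: check NAT, firewall, listener
        return "handshake-rejected"      # peer answered but no session was established
    if f["verify"] not in (None, 0):
        return "connected-cert-unverified"
    return "connected-verified"

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

To use it against a live endpoint, save the s_client output to a file and pass the file contents to diagnose().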

Each vCloud Air Virtual Data Center includes two public IP addresses on the Gateway Appliance.
During setup for Pivotal Cloud Foundry,
NAT rules are configured to map one of the IPs to the PCF Ops Manager
and the other IP to the gateway load balancer.

Apparently the two public IPs are not equivalent.
If you encounter the SSL error above, change the Gateway NAT rules to reverse the IP mappings
so that the IP currently mapped to the router is mapped to Ops Manager.

For example:
Given two Gateway IPs of
Ops Manager on  and the
Gateway Load Balancer on

d2p3-ext DNAT       Any     Any TCP
d2p3-ext DNAT       Any   Any TCP

Change the NAT rules to:

d2p3-ext DNAT       Any  Any TCP
d2p3-ext DNAT       Any    Any TCP