If I recall, there's an actual mechanical reason why the F5 minimally requires an RSA cert/key, but I don't remember the details.
In any case, it's reasonably straightforward to work around this:
- Define your EC cert/key in the client SSL profile
- Also define a generic RSA cert/key (the built-in Default will do)
- Modify the Ciphers list so that only ECDHE_ECDSA is allowed (ex. ECDHE_ECDSA)
The F5 will choose the server certificate to present based on the handshake algorithm selected, so in this case you must force it to use ECDSA. And since you're only allowing ECDSA based on the cipher string, only the EC cert/key will ever be used (and any client that doesn't support ECDSA will naturally fail).