Paul_Roberts_16
Jul 21, 2014

X-Forwarded-For and SNAT addresses

When debugging a minor issue for a client a couple of weeks ago, I wound up staring at a screenful of header dump that showed the X-Forwarded-For value which appears to be not the IP address of the requesting client, but the SNAT address assigned to the F5 (BIG-IP 11.4.1 Build 637.0 Hotfix HF3). This happens with both the HTTP profile and the iRule.

 

Is it actually possible to get the X-Forwarded-For header to show the original client IP address while SNAT is in use and/or am I missing something here?

 

3 Replies

  • It's definitely safe to say that the XFF header should hold the client's true source. What happens if you log it?

    when HTTP_REQUEST {
        log local0. "client IP is [IP::client_addr]"
        HTTP::header replace X-Forwarded-For [IP::client_addr]
    }
    

    Any chance that your logging configuration is not correctly picking up the XFF header? Can you do a tcpdump server side capture to see exactly what is coming from the BIG-IP?

  • I say this because the user in question had one of those lovely debug scripts in place that just echoes back the full query along with each and every header passed, which is why I noticed it. However, something else just caught my eye... you posted IP::client_addr instead of IP::remote_addr (like the iRule has). Is perhaps IP::client_addr what we should be using instead of IP::remote_addr as shown at http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html ?

     

  • IP::remote_addr is contextual, meaning it returns a different value depending on which side of the proxy it's called from. In this case it should indeed be the client's address, but I prefer to use IP::client_addr as a more definitive option. If you add the log statement, what value do you get?
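
The context dependence described in the last reply, shown as an added example that is not part of the original thread: a diagnostic iRule that logs the same address commands from a client-side and a server-side event, so the client, SNAT and pool member addresses can be compared in /var/log/ltm. The choice of events, the `client_ip` variable and the log wording are assumptions of this example.

```tcl
# Added diagnostic example, not code from the thread.
when CLIENT_ACCEPTED {
    # Client-side context: the remote peer is the requesting client.
    # client_ip is a hypothetical variable name used only in this example.
    set client_ip [IP::client_addr]
    log local0. "CLIENT_ACCEPTED remote=[IP::remote_addr] client=$client_ip"
}

when HTTP_REQUEST {
    # Still client-side: IP::remote_addr and IP::client_addr should agree here.
    log local0. "HTTP_REQUEST remote=[IP::remote_addr] client=[IP::client_addr]"

    # Record any X-Forwarded-For value that arrived with the request,
    # before it is overwritten, to see whether an upstream device set it.
    if { [HTTP::header exists X-Forwarded-For] } {
        log local0. "HTTP_REQUEST inbound XFF=[HTTP::header values X-Forwarded-For]"
    }

    # Same replace as in the first reply, using the address saved client-side.
    HTTP::header replace X-Forwarded-For $client_ip
}

when SERVER_CONNECTED {
    # Server-side context: the remote peer is now the pool member and the
    # local address is the source the BIG-IP used (the SNAT address when
    # SNAT is enabled). IP::client_addr still returns the client.
    log local0. "SERVER_CONNECTED remote=[IP::remote_addr] local=[IP::local_addr] client=[IP::client_addr]"

    # clientside {} evaluates a command in the client-side context from here.
    log local0. "SERVER_CONNECTED clientside remote=[clientside {IP::remote_addr}]"
}
```

If the value the server receives in X-Forwarded-For matches the `local=` address logged in SERVER_CONNECTED, the header was filled from a server-side address rather than from the client-side one.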