Hi Steve,
What version are you running? There is an issue in versions prior to 9.4.x where you can't get the value for anything but the first header when the request or response has multiple headers with the same name.
http://devcentral.f5.com/wiki/default.aspx/iRules/http__header
HTTP::header values
* Returns value(s) of the HTTP header named . Note that the command will return the values of all of the headers if there are multiple headers with the same name. If there is a single value for the HTTP header, that value will be returned.
* (This subcommand was added in v9.4.0)
HTTP::header names
* Returns a list of all the headers present in the request or response.
* In v9.4.0 and higher, multiple headers with the same name will be listed multiple times.
So if you're running 9.4.0 or higher, you could use:
when HTTP_REQUEST {
   # Log the value of every X-Forwarded-For header in the request (v9.4.0 or higher)
   log local0. "X-Forwarded-For: [HTTP::header values {X-Forwarded-For}]"
}
Another thing to try would be to verify that the XFF header with the original client IP is actually in the request coming from the proxy server. You could run a tcpdump to check this:
tcpdump -ni 0.0 -Xs0 host PROXY_SERVER_IP
Aaron
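
Added example (not part of the post above, and not F5 code): a Python model of the difference between a first-match header lookup and an all-values lookup, run on a constructed request that carries two X-Forwarded-For headers. The function names and sample addresses are assumptions made for illustration.

```python
# Constructed sample request (not captured traffic): two hops each added
# their own X-Forwarded-For header line instead of appending to one header.
RAW_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"X-Forwarded-For: 192.0.2.10\r\n"
    b"User-Agent: test\r\n"
    b"X-Forwarded-For: 198.51.100.7, 203.0.113.5\r\n"
    b"\r\n"
)

def parse_headers(raw):
    """Return (name, value) pairs in wire order, keeping duplicate names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:                              # ignore anything that is not a header
            pairs.append((name.strip(), value.strip()))
    return pairs

def header_first(pairs, name):
    """First-match lookup: only the first header with this name is visible."""
    for n, v in pairs:
        if n.lower() == name.lower():
            return v
    return None

def header_values(pairs, name):
    """All-values lookup: one list element per header line with this name."""
    return [v for n, v in pairs if n.lower() == name.lower()]

def header_names(pairs):
    """Header names in wire order; repeated headers are listed repeatedly."""
    return [n for n, _ in pairs]

def xff_hops(pairs):
    """Flatten every X-Forwarded-For line into single addresses, wire order."""
    hops = []
    for value in header_values(pairs, "X-Forwarded-For"):
        hops.extend(a.strip() for a in value.split(",") if a.strip())
    return hops

if __name__ == "__main__":
    p = parse_headers(RAW_REQUEST)
    print("first match :", header_first(p, "X-Forwarded-For"))
    print("all values  :", header_values(p, "X-Forwarded-For"))
    print("hops        :", xff_hops(p))
```

A first-match lookup never sees the second header line, so the address a later proxy added in it does not appear in the log.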