Forum Discussion

besogon_9363
Aug 13, 2013

How do you build an iRule to drop a connection (without completing the handshake)?

We are using multiple A records and trying to force clients to switch to the second IP when no pool members are available, without completing the 3-way handshake. It seems the only way to force the client to connect to the second IP (without waiting for the TTL to expire) is to simply drop all connection attempts. We tried sending a RST instead, but that does not force the clients to connect to the second IP. Please help with the iRule to accomplish this. Thank you in advance.

6 Replies

  • Arie

    If I'm not mistaken the client will query the DNS only once to obtain the A-record, regardless of success or failure of subsequent HTTP-requests based on the IP-address from the DNS query.

    Where are the other IP-addresses hosted in relation to your LTM(s)?

  • Arie is right. Most DNS client implementations will only return a single IP address, so they would only try the first address. If your second address is managed by the same LTM or in the same datacenter, you might be better off changing your pool to use priority groups, so your failover address (or destinations) are in the existing pool but only accessed if all others are down.

  • We are not using GTM, nor are we using Managed DNS. We use multiple A records. When multiple A records are used, the client obtains both IPs. In the case of Windows, the client will start using the second IP when no SYN-ACK is received for the initial SYN sent to the first IP. This was tested by blackholing some routes.

  • Arie

    Have you tried putting a "reject" (or "drop") in the "CLIENT_ACCEPTED" event? That's probably the earliest in the event stack that you'd be able to do anything.
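    An iRule of the kind Arie describes, added here as an illustration and not code from this thread or from F5. It assumes the virtual server has a default pool assigned, and it acts on the CLIENT_ACCEPTED event, which fires only after the TCP handshake has completed, so it cannot stop the SYN-ACK from being sent; it only discards the connection afterwards.

```tcl
# Added example (not from the original thread): silently drop new client
# connections when the virtual server's default pool has no active members.
# CLIENT_ACCEPTED runs after the 3-way handshake has already completed, so
# the client has received a SYN-ACK by the time this code executes.
when CLIENT_ACCEPTED {
    # [LB::server pool] returns the pool selected for this connection; before
    # load balancing has happened this is the virtual server's default pool.
    set pool [LB::server pool]

    if { $pool eq "" || [active_members $pool] == 0 } {
        # Useful while testing; rate-limit or remove in production to avoid
        # flooding the log when all members are down.
        log local0. "No active members in pool '$pool'; dropping [IP::client_addr]:[TCP::client_port]"
        # drop discards the connection without sending a RST; reject would send one.
        drop
    }
}
```

    Since `drop` never answers the client, the client side sees a connection that stalls after the handshake rather than one that was never acknowledged, which is a different signal from the unanswered SYN the Windows client reacts to in the original poster's blackhole test.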

     

  • Colin_Walker_12

    Unfortunately, at this time, there is no way to drop a connection before the handshake occurs. The earliest event in iRules is the CLIENT_ACCEPTED event, which occurs immediately after the handshake is completed, and a new client side connection has been established. There have been a few requests over the years for the ability to do what you're describing and drop things at the first packet based on certain criteria, but this isn't something that is currently implemented.

    If this is something you're interested in pursuing, I'd recommend providing this feedback to your sales team so that they can add more weight to the previous requests for this functionality.

    Colin

  • Of course, using more intelligent DNS handling would avoid this issue :)

    There's an option on TCP profiles called 'Verified Accept' which could help though. Here's the snippet from the online help:

    Specifies, when checked (enabled), that the system can actually communicate with the server before establishing a client connection. To determine this, the system sends the server a SYN before responding to the client's SYN with a SYN-ACK. When unchecked, the system accepts the client connection before selecting a server to talk to. This setting is not compatible with iRules. The default is unchecked (disabled).

    Make sure you're running the latest hotfix for your version as there have been some recent fixes with this feature.

    Another option would be to disable ARP for the entire virtual address if the pool is down. Here's another post on this:

    https://devcentral.f5.com/questions/f5-vs-always-responding-to-ping