Forum Discussion
Client's IP address is changed so they can not access website behind Big-IP F5 3600
SSL persistence is somewhat peculiar with most browsers. Back in the IE4 days, many browsers actually forced an SSL renegotiation every few seconds. Modern browsers can (sometimes configurably) go for several minutes or hours between SSL renegotiations. In any case, when the browser (or server) initiates an SSL renegotiation, the SSL sessionid, the thing you're using for persistence, changes. This leaves you with a real dilemma, and one which generally begs the question "why not offload the SSL on the F5?" By offloading (and optionally re-encrypting) the SSL on the F5, you're performing SSL operations in hardware, which is 1) higher performance, and 2) generally more secure than doing it at the server. Plus you then have the benefit of iRules, optimization, acceleration, security, authentication, and most important in this case, robust persistence mechanisms.
But in any case, if you don't want to, or cannot offload the SSL at the F5, then you're basically limited to what the proxy can see, which is the SSL sessionid and the client's source address. You could technically define SSL sessionid as the primary and source as the secondary (fallback) persistence methods, and get a better result than what you're experiencing now, but it's not a 100% guaranteed solution.
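The primary/fallback lookup described in the reply above, as an added example that is not part of the original post and is not F5 code: a simplified Python model of a pass-through proxy that can see only the SSL session ID and the source address. The class, function, pool member names and sample traffic are all assumptions made for illustration, and persistence timeouts are ignored.

```python
import itertools

class PersistenceTable:
    """Toy model of a pass-through (no SSL offload) load balancer that can
    only see the SSL session ID and the client's source address."""

    def __init__(self, pool):
        self._next = itertools.cycle(pool)   # round-robin for new clients
        self.by_session = {}                 # primary: SSL session ID -> member
        self.by_source = {}                  # fallback: source address -> member

    def pick(self, src_ip, session_id):
        # Primary lookup first, then fallback, then a fresh load-balancing pick.
        if session_id in self.by_session:
            member, how = self.by_session[session_id], "session-id"
        elif src_ip in self.by_source:
            member, how = self.by_source[src_ip], "source-addr"
        else:
            member, how = next(self._next), "new"
        # Refresh both records so either key can match next time.
        self.by_session[session_id] = member
        self.by_source[src_ip] = member
        return member, how

def replay(connections, pool=("web1", "web2", "web3")):
    """Feed (source address, session ID) pairs through a fresh table."""
    table = PersistenceTable(pool)
    return [table.pick(src, sid) for src, sid in connections]

# Constructed sample traffic (documentation address ranges, made-up session IDs).
SAMPLE = [
    ("198.51.100.10", "sid-A"),  # client 1, first connection
    ("203.0.113.77", "sid-X"),   # client 2, first connection
    ("198.51.100.10", "sid-B"),  # client 1 renegotiates: session ID changes
    ("198.51.100.99", "sid-B"),  # client 1 moves to a new source address
    ("198.51.100.50", "sid-C"),  # client 1 changes both at once
]

if __name__ == "__main__":
    for (src, sid), (member, how) in zip(SAMPLE, replay(SAMPLE)):
        print(f"{src:15} {sid:6} -> {member} ({how})")
```

The first four connections from client 1 stay on the same member because one of the two keys always still matches; the last one changes both keys at once and is load balanced as a new client, which is the case the fallback cannot cover.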