ERR_SPDY_PROTOCOL_ERROR when enabling SPDY

Hi !

I use BIG-IP 11.6.0 and try to enable SPDY. I have a VS with an Access Policy that uses an 'External Logon Page' action.

My config:

ifile with a custom login page

VS with:

• No Client SSL profile
• An AP that starts with an 'External Logon Page' action with a Server URI '/login'
• A pool select irule used to direct traffic to the login ifile

:

switch -regexp -- [string tolower [HTTP::path]] {
    "^/login(/|$)" {
    HTTP::respond 200 content [ifile get login-form] ...
    }
    ... (pool selects for actual services) ...
}

• In front of this VS I have another VS. It has a Client SSL profile

Without SPDY

When I don't have SPDY enabled on my front VS everything works:

• /myservice 302 ->
• /my.policy 200 OK (APM will initiate a POST to the external logon page, /login)
• /login 200 OK. (/login is an iFile)
• user enters credentials (/login POST's these to /my.policy) ->
• /my.policy 302 ->
• /myservice (and I'm logged in)

With SPDY

When I enable SPDY on the front VS, things break:

• /myservice 302 ->
• /my.policy 200 OK (APM will initiate a POST to the external logon page, /login)

• /login ( This request is made, but bad/no response is received by the client)

• Chrome shows 'not available, ERR_SPDY_PROTOCOL_ERROR'. dev tool shows 'CAUTION: Provisional headers are shown' in place of request headers. No reponse headers are shown

• FF shows 'Secure Connection Failed'
• IE works

In the ltm log I can see:

• the AP in the inner VS has started
• the /login ifile has been served
• the outer VS has fired a HTTP_RESPONSE event

• There are no log entries in apm or ltm other than those i make myself

• if I go directly to the custom login page (i.e. https://mysite.no/login) I get the same error.

• If I repeat the request for the custom login page, it works (!)

I make no other change than enabling SPDY. If I disable SPDY again everything works normally.

Any tips on how to figure out this issue? I find nothing in the BIG-IP logs, error messages from the browsers are very generic, and since SPDY only works over HTTPS listening in on the traffic is difficult.