I am still working on the issues.
Thinking about this, the "SNI" code is for a TCP header. This will not work for UDP connections. This means that for UDP/HTTP3 it is back to one IP = one HTTPS web site = one VS. Thus anything with "SNI::" in an iRule will fail on UDP. It would be nice if F5 coded a "do not use in UDP" type of error, or a way to flag an invalid answer when calling SNI, instead of getting a TCL error for an undefined variable.
It would also be nice if they allowed SSL:: calls in iRules when there are no SSL profiles attached, and had an SSL::active test (note SSL should also be renamed to TLS or HTTPS). But that's another story.
Also, the way F5 gets the "host" names in its SNI iRule fails as the header has no ":" in it. I suspect another difference between TCP and UDP HTTP. I added an "if x contains :" but in the end the iRule is only for TCP, so a pointless change. Note this means there is no easy way of telling if the connection is HTTP or HTTPS, as HTTP::port also uses this value and defaults to 80. You would need to check TCP::local_port.
I am also using VMware to run the F5, so I got the multi-CPU issues where variable settings do get lost between different event calls 😞. I forgot this and thus could not work out why a "set" did not show up in the "server connect". Also, reading the F5 docs, UDP "server connect" may! happen on the first UDP packet, which is before any HTTP stuff fully arrives, thus I think the event flow is different. I think I need to go back to basics and rebuild any iRules from scratch. I still need to check if assigning pools and such works in HTTP events.
I don't think I can release the iRules, and they also probably would not help, as they are tuned to this environment.
Going to read k1624003. It may help with the one IP to one certificate setup.
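As an added illustration of the TCP-only point in the post above (this is example code, not from the original post and not F5's own SNI code), here is a Python parser that pulls the SNI host name out of a TLS ClientHello the way code reading a TCP payload would, and shows that the same approach finds nothing in a QUIC/HTTP3 datagram, where the ClientHello travels inside QUIC Initial packets rather than a plain TLS record. The ClientHello bytes and the QUIC-style datagram are constructed here for the demo.

```python
# Added example: SNI extraction assumes a TLS record on a TCP stream.
import struct

def extract_sni(payload: bytes):
    """Return the SNI host name from a TLS-over-TCP ClientHello, or None."""
    # TLS record header: type(1) version(2) length(2); 0x16 = handshake
    if len(payload) < 9 or payload[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if not hs or hs[0] != 0x01:              # handshake type 1 = ClientHello
        return None
    i = 4 + 2 + 32                            # skip hs header, version, random
    sid_len = hs[i]; i += 1 + sid_len         # session id
    cs_len = struct.unpack("!H", hs[i:i + 2])[0]; i += 2 + cs_len   # cipher suites
    cm_len = hs[i]; i += 1 + cm_len           # compression methods
    if i + 2 > len(hs):
        return None                           # no extensions block at all
    ext_len = struct.unpack("!H", hs[i:i + 2])[0]; i += 2
    end = i + ext_len
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[i:i + 4]); i += 4
        if etype == 0 and elen >= 5:          # server_name extension
            # list len(2), name type(1)=host_name, name len(2), name bytes
            name_len = struct.unpack("!H", hs[i + 3:i + 5])[0]
            return hs[i + 5:i + 5 + name_len].decode("ascii")
        i += elen
    return None

def build_client_hello(host: str) -> bytes:
    """Construct a minimal ClientHello carrying only an SNI extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"        # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed inputs: a TCP ClientHello, and a QUIC Initial-style datagram
# (long header, first byte 0xC0..0xCF) as HTTP/3 sends over UDP.
TCP_HELLO = build_client_hello("www.example.com")
QUIC_INITIAL = b"\xc0\x00\x00\x00\x01" + bytes(40)

if __name__ == "__main__":
    print(extract_sni(TCP_HELLO))     # www.example.com
    print(extract_sni(QUIC_INITIAL))  # None: not a TLS record, SNI sits inside QUIC crypto frames
```

On a UDP virtual server the parser returns None rather than a host name, which is the failure mode the post describes; a guard on the transport (TCP vs UDP) before any SNI lookup is the defensive check.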