Forum Discussion
LyonsG_85618
Cirrostratus
Nov 04, 2014
HTTP::connect causing RST
After upgrading to v11.4.1 HF3 we are now seeing symptoms similar to the following:
http://h10025.www1.hp.com/ewfrf/wc/document?docname=c04401463&cc=us&dlc=en&lc=en
and it is a known bug:
...
nitass
Employee
Nov 04, 2014
I do see the X-forwarded-for header in my lab.
configuration
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:8080
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 3
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        172.28.24.1:3128 {
            address 172.28.24.1
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when HTTP_REQUEST {
        log local0. "[IP::client_addr]:[TCP::client_port]"
        HTTP::header insert X-forwarded-for [IP::client_addr]
        if { [HTTP::method] equals "CONNECT" } {
            HTTP::disable
        }
    }
    when HTTP_RESPONSE {
        log local0. "[IP::client_addr]:[TCP::client_port]"
    }
}
log
[root@ve11a:Active:In Sync] config tail /var/log/ltm
Nov 4 09:38:17 ve11a notice tmm[14741]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:38756
Nov 4 09:38:17 ve11a notice tmm1[14741]: 013e0001:5: Tcpdump starting bcast on 127.1.1.3:2 from 127.1.1.1:38756
Nov 4 09:38:24 ve11a info tmm1[14741]: Rule /Common/qux : 192.168.207.28:58515
Nov 4 09:38:24 ve11a info tmm[14741]: Rule /Common/qux : 192.168.207.28:58516
Nov 4 09:38:27 ve11a notice tmm[14741]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:38756
Nov 4 09:38:27 ve11a notice tmm1[14741]: 013e0002:5: Tcpdump stopping on 127.1.1.3:2 from 127.1.1.1:38756
trace
[root@ve11a:Active:In Sync] config ssldump -Aed -nni 0.0 port 8080 or port 3128
New TCP connection 1: 192.168.207.28(58515) <-> 172.28.24.10(8080)
1415122704.4962 (0.0047) C>S
---------------------------------------------------------------
CONNECT www.google.com.sg:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; .NET4.0E)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: www.google.com.sg
Pragma: no-cache
---------------------------------------------------------------
New TCP connection 2: 172.28.24.14(58515) <-> 172.28.24.1(3128)
1415122704.4976 (0.0012) C>S
---------------------------------------------------------------
CONNECT www.google.com.sg:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; .NET4.0E)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: www.google.com.sg
Pragma: no-cache
X-forwarded-for: 192.168.207.28
---------------------------------------------------------------
By the way, I do not see that you requested an engineering hotfix in C1687799. If I am not wrong, there are existing engineering hotfixes on top of 11.4.1 HF3 and 11.4.1 HF4. You may check with the support engineer. It may be faster than troubleshooting (X-forwarded-for).
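The check made by eye in the trace above can be automated. The following is an added example, not code from the thread or from F5: it parses ssldump-style text and reports, per server-side flow, whether the request carries exactly one X-Forwarded-For value equal to the client address seen on the client side. The function names are hypothetical, and it assumes payload lines belong to the most recently announced connection and that SNAT keeps the client source port, as in the trace above.

```python
import re

# Constructed sample, abridged from the ssldump layout shown in the post above.
SAMPLE_TRACE = """\
New TCP connection 1: 192.168.207.28(58515) <-> 172.28.24.10(8080)
1415122704.4962 (0.0047) C>S
---------------------------------------------------------------
CONNECT www.google.com.sg:443 HTTP/1.0
Host: www.google.com.sg
---------------------------------------------------------------
New TCP connection 2: 172.28.24.14(58515) <-> 172.28.24.1(3128)
1415122704.4976 (0.0012) C>S
---------------------------------------------------------------
CONNECT www.google.com.sg:443 HTTP/1.0
Host: www.google.com.sg
X-forwarded-for: 192.168.207.28
---------------------------------------------------------------
"""

CONN_RE = re.compile(r"New TCP connection \d+: (\S+)\((\d+)\) <-> (\S+)\((\d+)\)")

def parse_connections(trace):
    """Return one dict per connection with its endpoints and X-Forwarded-For values."""
    conns = []
    for line in (raw.strip() for raw in trace.splitlines()):
        m = CONN_RE.match(line)
        if m:
            conns.append({"src": m.group(1), "sport": int(m.group(2)),
                          "dport": int(m.group(4)), "xff": []})
        # Assumption: payload lines belong to the most recently announced connection.
        elif conns and line.lower().startswith("x-forwarded-for:"):
            conns[-1]["xff"].append(line.split(":", 1)[1].strip())
    return conns

def check_xff(trace, vip_port=8080, pool_port=3128):
    """Pair flows by source port; only a single XFF equal to the client address is ok."""
    conns = parse_connections(trace)
    clients = {c["sport"]: c for c in conns if c["dport"] == vip_port}
    results = []
    for s in (c for c in conns if c["dport"] == pool_port):
        client = clients.get(s["sport"])
        if client is None:
            verdict = "unpaired"
        elif not s["xff"]:
            verdict = "missing"
        else:
            verdict = "ok" if s["xff"] == [client["src"]] else "mismatch"
        results.append((s["sport"], verdict))
    return results
```

A "mismatch" verdict covers both a wrong address and an extra X-Forwarded-For value alongside the inserted one, which is worth flagging when the pool member trusts that header.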