If it fails, it generally means it is not a valid variable. Ok, so do this.
On the Firepass, go to Device Management -> Maintenance -> Troubelshooting Tools -> Check the box labeled "Save user's session variables to logon report".
Check the user's logon session network ip variable. On the pre-logon sequence, copy the variable listed in the report to the session.network.client.ip == "0x0.x0x.xxx.000"
Make sure it is a one to one match. Then test the pre-logon.
Do not use a mask or any other variable. Use the exact IP address the user is coming in as.