iRule client auth header

Eventually the above set up works, but we get occassions (3-4 times per hour on less frequent traffic) when application breaks.

NORMAL SESSION (bottom to up order) - SSL handshake first followed by HTTP_REQUEST:
===================================================================================

Mon Dec 4 20:42:30 GMT 2017  info  xyz  tmm2[14307]     Rule /Common/irule-xyz : Third line ---- Session ID: 6bec8b8b1dd0fb69efaa0c4a48b409f9c7f3d59ccc2826557479aaa18fbaea18 Cert ID: 0‚0‚þ ��š0  *†H†÷  ��010Uxyz xyz xyz0ReplaceWith 170102135806Z 190102135806Z0U1 0 UGB1*0(U !xyz xyz.10Uxyz.xyz.com0‚"0  *†H†÷ ��‚��0‚ ‚��ÔN‰xÉ D÷ô­àe½[æ¿i/›¤zÇ:F³¥´È5]Ú»Ûc‰E/òWKm¦�aÝÃm£Úp¾�Sô¡ M\H³¸*î<1{ž»ä¹l²×ò*ReplaceWithó“8!Š}"u~zf¿Ô�èß÷4e^Їr‘RgÖ_HŸÛZ9íКw8ò� <0NKÀ³lWuž±�¸Èäü¼Õv�\zíI¨j@$»ô ¨È.ŠÔ°SÝóùYÍllÕv,îóÀâvh0£½��4Æ6?2>öõzE±„—8<]-@pÁ]²ö{t4;^·4dúÊm„yçMB~; jÝdœ�B&ÉÜ>q ¾û!0,)��£‚$0‚ 0Uefæåœyº2}^sӄ؃..Šs0U0€w,å×ürS––ÌÝ"[]P€>é¾±0Uÿ0ÿ��0U ÿ00 +‚ž90?+3010/+0† 
Mon Dec 4 20:42:30 GMT 2017  info  xyz  tmm2[14307]     Rule /Common/irule-xyz : SSL certificate found, inserting .x509 into HTTP request, cert verify result - ok  
Mon Dec 4 20:42:30 GMT 2017  info  xyz  tmm2[14307]     Rule /Common/irule-xyz : Second line ---- Session ID: 6bec8b8b1dd0fb69efaa0c4a48b409f9c7f3d59ccc2826557479aaa18fbaea18 Cert ID: 0‚0‚þ ��š0  *†H†÷  ��010Uxyz xyz xyz0ReplaceWith 170102135806Z 190102135806Z0U1 0 UGB1*0(U   
Mon Dec 4 20:42:30 GMT 2017  info  xyz  tmm2[14307]     Rule /Common/irule-xyz : Session ID: 6bec8b8b1dd0fb69efaa0c4a48b409f9c7f3d59ccc2826557479aaa18fbaea18 Cert ID: 0‚0‚þ ��š0  *†H†÷  ��010Uxyz xyz xyz0ReplaceWith 170102135806Z 190102135806Z0U1 0 UGB1*0(U !xyz xyz.10Uxyz.xyz.com0‚"0  *†H†÷ ��‚��0‚ ‚��ÔN‰xÉ D÷ô­àe½[æ¿i/›¤zÇ:F³¥´È5]Ú»Ûc‰E/òWKm¦�aÝÃm£Úp¾�Sô¡ M\H³¸*î<1{ž»ä¹l²×ò*ReplaceWithó“8!Š}"u~zf¿Ô�èß÷4e^Їr‘RgÖ_HŸÛZ9íКw8ò� <0NKÀ³lWuž±�¸Èäü¼Õv�\zíI¨j@$»ô ¨È.ŠÔ°SÝóùYÍllÕv,îóÀâvh0£½��4Æ6?2>öõzE±„—8<]-@pÁ]²ö{t4;^·4dúÊm„yçMB~; jÝdœ�B&ÉÜ>q ¾û!0,)��£‚$0‚ 0Uefæåœyº2}^sӄ؃..Šs0U0€w,å×ürS––ÌÝ"[]P€>é¾±0Uÿ0ÿ��0U ÿ00 +‚ž90?+3010/+0†http://xyz.xyz.com/etn/etn.crt04  
Mon Dec 4 20:42:30 GMT 2017  info  xyz  tmm2[14307]     Rule /Common/irule-xyz : Cert verify result - ok  
Mon Dec 4 20:42:30 GMT 2017  info  xyz  tmm2[14307]     Rule /Common/irule-xyz : First line ---- Session ID: 6bec8b8b1dd0fb69efaa0c4a48b409f9c7f3d59ccc2826557479aaa18fbaea18 Cert ID: 0‚0‚þ ��š0  *†H†÷  ��010U0ReplaceWith 170102135806Z 190102135806Z0U1 0 UGB1*0(U !0U0‚"0  *†H†÷ ��‚��0‚ ‚��ÔN‰xÉ D÷ô­àe½[æ¿i/›¤zÇ:F³¥´È5]Ú»Ûc‰E/òWKm¦�aÝÃm£Úp¾�Sô¡ M\H³¸*î<1{ž»ä¹l²×ò*ReplaceWithó“8!Š}"u~zf¿Ô�èß÷4e^Їr‘RgÖ_HŸÛZ9íКw8ò� <0NKÀ³lWuž±�¸Èäü¼Õv�\zíI¨j@$»ô ¨È.ŠÔ°SÝóùYÍllÕv,îóÀâvh0£½��4Æ6?2>öõzE±„—8<]-@pÁ]²ö{t4;^·4dúÊm„yçMB~; jÝdœ�B&ÉÜ>q ¾û!0,)��£‚$0‚ 0Uefæåœyº2}^sӄ؃..Šs0U0€w,å×ürS––ÌÝ"[]P€>é¾±0Uÿ0ÿ��0U ÿ00 +‚ž90?+3010/+0†  

BROKEN SESSION:(bottom to up order) - it seems like renegotiation as HTTP_REQUEST happens first ?, then CLIENTSSL_CLIENTCERT event does not re-call another HTTP_REQUEST as is normal session):
============================================================================================================================================================================

Mon Dec 4 21:18:30 GMT 2017  info  xyz    tmm7[14307]     Rule /Common/irule-xyz : Session ID: 6bec8b8b1dd09d6aefaa0c4a48b40cf93e8a72763551dfe67479aaa18fbae2e8 Cert ID: 0‚0‚þ ��š0  *†H†÷  ��010Uxyz xyz xyz0ReplaceWith 170102135806Z 190102135806Z0U1 0 UGB1*0(U !xyz xyz.10Uxyz.xyz.com0‚"0  *†H†÷ ��‚��0‚ ‚��ÔN‰xÉ D÷ô­àe½[æ¿i/›¤zÇ:F³¥´È5]Ú»Ûc‰E/òWKm¦�aÝÃm£Úp¾�Sô¡ M\H³¸*î<1{ž»ä¹l²×ò*ReplaceWithó“8!Š}"u~zf¿Ô�èß÷4e^Їr‘RgÖ_HŸÛZ9íКw8ò� <0NKÀ³lWuž±�¸Èäü¼Õv�\zíI¨j@$»ô ¨È.ŠÔ°SÝóùYÍllÕv,îóÀâvh0£½��4Æ6?2>öõzE±„—8<]-@pÁ]²ö{t4;^·4dúÊm„yçMB~; jÝdœ�B&ÉÜ>q ¾û!0,)��£‚$0‚ 0Uefæåœyº2}^sӄ؃..Šs0U0€w,å×ürS––ÌÝ"[]P€>é¾±0Uÿ0ÿ��0U ÿ00 +‚ž90?+3010/+0†http://xyz.xyz.com/etn/etn.crt04  
Mon Dec 4 21:18:30 GMT 2017  info  xyz    tmm7[14307]     Rule /Common/irule-xyz : Cert verify result - ok  
Mon Dec 4 21:18:30 GMT 2017  info  xyz    tmm7[14307]     Rule /Common/irule-xyz : First line ---- Session ID: 6bec8b8b1dd09d6aefaa0c4a48b40cf93e8a72763551dfe67479aaa18fbae2e8 Cert ID: 0‚0‚þ ��š0  *†H†÷  ��010Uxyz xyz xyz0ReplaceWith 170102135806Z 190102135806Z0U1 0 UGB1*0(U !xyz xyz.10Uxyz.xyz.com0‚"0  *†H†÷ ��‚��0‚ ‚��ÔN‰xÉ D÷ô­àe½[æ¿i/›¤zÇ:F³¥´È5]Ú»Ûc‰E/òWKm¦�aÝÃm£Úp¾�Sô¡ M\H³¸*î<1{ž»ä¹l²×ò*ReplaceWithó“8!Š}"u~zf¿Ô�èß÷4e^Їr‘RgÖ_HŸÛZ9íКw8ò� <0NKÀ³lWuž±�¸Èäü¼Õv�\zíI¨j@$»ô ¨È.ŠÔ°SÝóùYÍllÕv,îóÀâvh0£½��4Æ6?2>öõzE±„—8<]-@pÁ]²ö{t4;^·4dúÊm„yçMB~; jÝdœ�B&ÉÜ>q ¾û!0,)��£‚$0‚ 0Uefæåœyº2}^sӄ؃..Šs0U0€w,å×ürS––ÌÝ"[]P€>é¾±0Uÿ0ÿ��0U ÿ00 +‚ž90?+3010/+0†http://xyz.xyz.c  
Mon Dec 4 21:18:30 GMT 2017  info  xyz    tmm7[14307]     Rule /Common/irule-xyz : Renegotiating session...  
Mon Dec 4 21:18:30 GMT 2017  info  xyz    tmm7[14307]     Rule /Common/irule-xyz : Cert verify result - ok  
Mon Dec 4 21:18:30 GMT 2017  info  xyz    tmm7[14307]     Rule /Common/irule-xyz : Second line ---- Session ID: 6bec8b8b1dd09d6defaa0c4a48b40cf93e8a72763551dfef7479aaa18fbae398 Cert ID: 0‚0‚þ ��š0  *†H†÷  ��010Uxyz xyz xyz0ReplaceWith 170102135806Z 190102135806Z0U1 0 UGB1*0(U !xyz xyz.10Uxyz.xyz.com0‚"0  *†H†÷ ��‚��0‚ ‚��ÔN‰xÉ D÷ô­àe½[æ¿i/›¤zÇ:F³¥´È5]Ú»Ûc‰E/òWKm¦�aÝÃm£Úp¾�Sô¡ M\H³¸*î<1{ž»ä¹l²×ò*ReplaceWithó“8!Š}"u~zf¿Ô�èß÷4e^Їr‘RgÖ_HŸÛZ9íКw8ò� <0NKÀ³lWuž±�¸Èäü¼Õv�\zíI¨j@$»ô ¨È.ŠÔ°SÝóùYÍllÕv,îóÀâvh0£½��4Æ6?2>öõzE±„—8<]-@pÁ]²ö{t4;^·4dúÊm„yçMB~; jÝdœ�B&ÉÜ>q ¾û!0,)��£‚$0‚ 0Uefæåœyº2}^sӄ؃..Šs0U0€w,å×ürS––ÌÝ"[]P€>é¾±0Uÿ0ÿ��0U ÿ00 +‚ž90?+3010/+0†http://xyz.xyz.com/etn/  

Any pointers would be appreciated.
Thanks

Looks like SSL check is failing during SSL reneg in phase2. By default SSL cache is maintained for an hour. I would have expected all SSL cert checks to occur within SSL event not under HTTP event. Please also check that oneconenct is enabled for VIP.

Thanks,

We have event failure sometimes in intervals of 20 minutes... On oneconnect side, this is to send post re-negotiation subsequent HTTP request to the same server? I meant to add pool consist on member only as this is test bed.