Sorry for the confusion. You're not persisting based on the SSL session ID, but you're using it to verify sessions.
I wouldn't suggest using destination address persistence for a standard (non-network) virtual server. The destination address for all requests will be the same, so all client requests would be persisted to the same node. Try changing to source address persistence or cookie persistence. For more info on persistence options, check the LTM config guide for your version on AskF5.
[EDIT: you can view the persistence records from the command line using 'b persist show all' or in the GUI under Overview >> Statistics >> Persistence Records]
And actually, it looks like you're adding the session information with a timeout of 180 seconds. I missed that when I first looked at your rule.
If you extend the timeout from 180 to something longer, do you still encounter the failure?
If so, try adding logging to your rule to see what's happening:
when CLIENTSSL_CLIENTCERT {
    # Cache the client cert (DER) under this SSL session ID for 3600 seconds
    set ssl_cert [SSL::cert 0]
    log "client [IP::client_addr] - \$ssl_cert: $ssl_cert"
    session add ssl [SSL::sessionid] $ssl_cert 3600
}
when HTTP_REQUEST {
    # Look up the cached cert; returns an empty string if the entry has
    # expired or this SSL session never went through CLIENTSSL_CLIENTCERT
    set client_cert [session lookup ssl [SSL::sessionid]]
    if { $client_cert ne "" } {
        log "client [IP::client_addr] - \$client_cert: $client_cert, [X509::whole $client_cert]"
        HTTP::header replace SSLCertificate [X509::whole $client_cert]
    } else {
        # Cache miss: log it and make sure no client-supplied header is passed through
        log "client [IP::client_addr] - no cert cached for SSL session [SSL::sessionid]"
        HTTP::header remove SSLCertificate
    }
}
Aaron