The pvac process (pvac is the WebAccelerator data plane daemon in 9.x and 10.x) will insert the X-Remote-Addr for traffic it processes. If pvac processing is bypassed- for example, when the system is under a lot of load and the request queue is full- then the chunk pvac code that writes the client IP address into the X-Remote-Addr header can be bypassed as well. Hence, you see 0.0.0.0 rather than the real client IP address.
You can use an iRule to change the X-Remote-Addr header's value to what it should be. Something like this:
when HTTP_REQUEST_SEND {
clientside {
if { [HTTP::header exists "X-Remote-Addr"] and [HTTP::header "X-Remote-Addr"] equals "0.0.0.0" } {
HTTP::header replace "X-Remote-Addr" [IP::client_addr]
}
}
}
Addressing the cause of the WebAccelerator bypass or enabling/using the X-Forwarded-For header are other options to do instead of/in addition to the iRule workaround above.
Nimbostratus