> > It seems to me that ACL SRC is NEVER checked when going to a Peer. > > > > WHAT I WANT TO DO: > > acl OFFICE src 1.1.1.1 > > request_header_access User-Agent allow OFFICE > > request_header_access User-Agent deny all > > request-header_replace User-Agent BOGUS AGENT > > > > > > [OFFICE UA should not be modified whehter going direct or through a peer] > > > > Thanks, > > > > Jenny > > > > PS: Running 3.2.0.7 on production and works good and reliably. The UA issue above is present on both 3.2.0.1 and 3.2.0.7. > > > Okay, this is going to need a cache.log trace for "debug_options 28,9" > to see what is being tested where. No difference whatever is done. PEER1, !PEER1, !PEER2... No peer... Seperate lines... SRC IP is never available, so it always fails. PEER is available though, I can make it work with using just PEER1. Going direct works also as expected. Thanks. Jenny kid1| ACLChecklist::preCheck: 0x7ffff504abc0 checking 'request_header_access User-Agent allow OFFICE_IP !PEER1' kid1| ACLList::matches: checking OFFICE_IP kid1| ACL::checklistMatches: checking 'OFFICE_IP' kid1| aclIpAddrNetworkCompare: compare: [::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] ([::]) vs 2.2.2.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] kid1| aclIpMatchIp: '[::]' NOT found kid1| ACL::ChecklistMatches: result for 'OFFICE_IP' is 0 kid1| ACLList::matches: result is false kid1| aclmatchAclList: 0x7ffff504abc0 returning false (AND list entry failed to match)