Logs show the following lines:
HTTP/1.1 500 Internal Server Error
Authentication agent rejected request (context lost)
The following packet capture is an example of when this occurs:
No. Time Source Destination SrcPort DstPort Protocol Info
516 21:52:43.403 10.10.10.10 10.10.200.200 57593 80 TCP 57593 > http [SYN]
517 21:52:43.403 10.10.200.200 10.10.10.10 80 57593 TCP http > 57593 [SYN, ACK]
518 21:52:43.403 10.10.10.10 10.10.200.200 57593 80 TCP 57593 > http [ACK]
522 21:52:43.404 10.10.10.10 10.10.200.200 57593 80 HTTP GET /?cfru=xxxxx HTTP/1.1 , NTLMSSP_NEGOTIATE
535 21:52:43.406 10.10.200.200 10.10.10.10 80 57593 HTTP HTTP/1.1 401 Unauthorized (text/html)
538 21:52:43.408 10.10.10.10 10.10.200.200 57593 80 HTTP GET /?cfru=xxxxx HTTP/1.1 , NTLMSSP_AUTH, User: DOMAIN\username
552 21:52:43.420 10.10.200.200 10.10.10.10 80 57593 HTTP HTTP/1.1 403 Forbidden (text/html)
2498 21:52:59.255 10.10.10.10 10.10.200.200 57593 80 HTTP GET /?cfru=xxxxx HTTP/1.1 , NTLMSSP_NEGOTIATE
2499 21:52:59.257 10.10.200.200 192.168.10.10 3373 514 Syslog DAEMON.ALERT: Feb 25 21:52:59 ProxySG: 3B0003 Authentication agent rejected request (context lost).(40) SEVERE_ERROR pe_policy_action_auth_internal.cpp 653
2500 21:52:59.257 10.10.200.200 10.10.10.10 80 57593 HTTP HTTP/1.1 500 Internal Server Error (text/html)
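The sequence in the capture above (a new NTLMSSP_NEGOTIATE on a client connection that already completed NTLMSSP_AUTH, answered with a 500) can be searched for in an exported packet list. The following Python is an added example, not part of the original article or the product; the function name `find_context_lost` and the whitespace-separated row layout (same columns as the capture above) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: HTTP and syslog rows copied from the capture above.
CAPTURE = r"""
522 21:52:43.404 10.10.10.10 10.10.200.200 57593 80 HTTP GET /?cfru=xxxxx HTTP/1.1 , NTLMSSP_NEGOTIATE
535 21:52:43.406 10.10.200.200 10.10.10.10 80 57593 HTTP HTTP/1.1 401 Unauthorized (text/html)
538 21:52:43.408 10.10.10.10 10.10.200.200 57593 80 HTTP GET /?cfru=xxxxx HTTP/1.1 , NTLMSSP_AUTH, User: DOMAIN\username
552 21:52:43.420 10.10.200.200 10.10.10.10 80 57593 HTTP HTTP/1.1 403 Forbidden (text/html)
2498 21:52:59.255 10.10.10.10 10.10.200.200 57593 80 HTTP GET /?cfru=xxxxx HTTP/1.1 , NTLMSSP_NEGOTIATE
2499 21:52:59.257 10.10.200.200 192.168.10.10 3373 514 Syslog DAEMON.ALERT: Feb 25 21:52:59 ProxySG: 3B0003 Authentication agent rejected request (context lost).(40) SEVERE_ERROR pe_policy_action_auth_internal.cpp 653
2500 21:52:59.257 10.10.200.200 10.10.10.10 80 57593 HTTP HTTP/1.1 500 Internal Server Error (text/html)
"""

# Columns: No. Time Source Destination SrcPort DstPort Protocol Info
ROW = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+) (\d+) (\S+) (.*)$")
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3}) ")

def find_context_lost(text, proxy_port=80):
    """Return one finding per client connection where NTLMSSP_NEGOTIATE is sent
    again after an earlier NTLMSSP_AUTH and the proxy then answers 500."""
    state = defaultdict(lambda: {"authed": False, "reneg": None})
    findings = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(7) != "HTTP":
            continue  # skip blank lines, TCP handshake rows and syslog rows
        no, _time, src, dst, sport, dport, _proto, info = m.groups()
        to_proxy = int(dport) == proxy_port
        # Key on (client IP, client port, proxy IP) so both directions match.
        key = (src, sport, dst) if to_proxy else (dst, dport, src)
        conn = state[key]
        if to_proxy:
            if "NTLMSSP_AUTH" in info:
                conn["authed"] = True
            elif "NTLMSSP_NEGOTIATE" in info and conn["authed"]:
                conn["reneg"] = int(no)  # handshake restarted on a reused connection
        else:
            status = STATUS.match(info)
            if status and status.group(1) == "500" and conn["reneg"]:
                findings.append({"client": key[0], "client_port": int(key[1]),
                                 "renegotiate_frame": conn["reneg"], "error_frame": int(no)})
                conn["reneg"] = None
    return findings
```
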
To work around the issue, write policy to disable HTTP Client Persistence when there is a configuration_error exception:
<exception>
exception.id=configuration_error http.client.persistence(no)