Resolving ERR_HTTP2_Protocol_error during SSL Interception
Article ID: 441957

Products

ISG Proxy ProxySG Software - SGOS

Issue/Introduction

Browsers display ERR_HTTP2_Protocol_error when accessing specific high-traffic sites. In some cases, the error may shift to "Site can't be reached" after repeated attempts.

The policy trace shows an internal exception:
verdict: EXCEPTION(internal_error): The request URL is considered invalid. URL could not be parsed... failed because: Scheme was not delimited by '://'

Environment

  • Edge SWG
  • SSL Interception enabled

Cause

The issue is caused by a protocol mismatch or parsing failure within the Edge SWG's HTTP/2 engine during SSL Interception.

Parsing Mismatch: When SSL Interception is active, the proxy acts as an HTTP/2 gateway. If the proxy receives HTTP/2 binary frames but fails to correctly map the HTTP/2 :scheme pseudo-header into the URL its internal policy engine parses, it throws a "Scheme not delimited" exception and sends a TCP Reset (RST) to the client.
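The following is an added illustration of the mapping step described above; it is not SGOS code and does not claim to reproduce the proxy's internals. An HTTP/2 request carries its target as separate pseudo-headers (:method, :scheme, :authority, :path; RFC 7540 section 8.1.2.3) rather than as one URL string, so a gateway feeding an HTTP/1.1-style policy engine must reassemble "scheme://authority/path" itself. The lenient mapping below copies an absent :scheme as an empty string, producing "://host/path", and a URL parser that insists on the "://" delimiter then fails with the same message the policy trace shows; the strict mapping validates the pseudo-headers first (including the CONNECT case, which legitimately has no :scheme or :path) and rejects the malformed frame before a URL is ever built. The header lists and hostnames are constructed sample data.

```python
"""Added illustration (not SGOS code): HTTP/2 pseudo-header to URL mapping
in a gateway that bridges HTTP/2 requests to an HTTP/1.1-style URL parser.
"""


class UrlParseError(ValueError):
    """The request target could not be turned into a valid URL."""


# Constructed sample: the decoded header list of one HTTP/2 HEADERS frame,
# as the gateway sees it after HPACK decompression.
H2_REQUEST_OK = [
    (":method", "GET"),
    (":scheme", "https"),
    (":authority", "www.example.com"),
    (":path", "/index.html?x=1"),
    ("user-agent", "constructed-client/1.0"),
]

# Constructed sample: the same request with the :scheme pseudo-header missing.
H2_REQUEST_NO_SCHEME = [h for h in H2_REQUEST_OK if h[0] != ":scheme"]

# Constructed sample: a CONNECT request, which per RFC 7540 section 8.3
# carries :authority only (no :scheme and no :path).
H2_REQUEST_CONNECT = [(":method", "CONNECT"), (":authority", "www.example.com:443")]


def h2_pseudo_headers(headers):
    """Collect pseudo-headers into a dict, enforcing the RFC 7540 rules that
    they precede regular headers and are not duplicated, so a malformed frame
    is rejected instead of being half-mapped."""
    pseudo = {}
    seen_regular = False
    for name, value in headers:
        if name.startswith(":"):
            if seen_regular:
                raise UrlParseError(f"pseudo-header {name} after regular header")
            if name in pseudo:
                raise UrlParseError(f"duplicate pseudo-header {name}")
            pseudo[name] = value
        else:
            seen_regular = True
    return pseudo


def h2_request_url_lenient(headers):
    """Mapping that trusts the frame: an absent :scheme simply becomes ''."""
    pseudo = h2_pseudo_headers(headers)
    scheme = pseudo.get(":scheme", "")
    return f"{scheme}://{pseudo.get(':authority', '')}{pseudo.get(':path', '/')}"


def h2_request_url_strict(headers):
    """Mapping that validates the pseudo-headers before building a URL.
    CONNECT is the one method that legitimately has no :scheme or :path and
    is returned in authority-form (host:port) rather than as an absolute URL."""
    pseudo = h2_pseudo_headers(headers)
    method = pseudo.get(":method")
    if method is None:
        raise UrlParseError("missing required pseudo-header :method")
    if method == "CONNECT":
        if ":scheme" in pseudo or ":path" in pseudo:
            raise UrlParseError("CONNECT must not carry :scheme or :path")
        if ":authority" not in pseudo:
            raise UrlParseError("missing required pseudo-header :authority")
        return pseudo[":authority"]
    for required in (":scheme", ":authority", ":path"):
        if not pseudo.get(required):
            raise UrlParseError(f"missing required pseudo-header {required}")
    return f"{pseudo[':scheme']}://{pseudo[':authority']}{pseudo[':path']}"


def split_scheme(url):
    """Minimal URL front-end mirroring the '://' delimiter check quoted in the
    policy trace: returns (scheme, remainder) or raises UrlParseError."""
    scheme, sep, rest = url.partition("://")
    if not sep or not scheme:
        raise UrlParseError("Scheme was not delimited by '://'")
    return scheme, rest


def gateway_verdict(headers, strict=True):
    """Run the chosen mapping and then the parser; return a trace-style
    verdict tuple: ("ALLOW", url) or ("EXCEPTION(internal_error)", reason)."""
    try:
        url = (h2_request_url_strict if strict else h2_request_url_lenient)(headers)
        if "://" in url:  # only absolute-form targets carry a scheme to check
            split_scheme(url)
        return ("ALLOW", url)
    except UrlParseError as exc:
        return ("EXCEPTION(internal_error)", str(exc))


if __name__ == "__main__":
    samples = [("ok", H2_REQUEST_OK), ("no-scheme", H2_REQUEST_NO_SCHEME),
               ("connect", H2_REQUEST_CONNECT)]
    for label, frame in samples:
        print(f"{label:10} lenient: {gateway_verdict(frame, strict=False)}")
        print(f"{label:10} strict:  {gateway_verdict(frame, strict=True)}")
```

Running the script prints both verdicts for each constructed frame: the well-formed GET passes either way, the frame without :scheme produces the "Scheme was not delimited by '://'" exception under the lenient mapping but a precise "missing required pseudo-header :scheme" under the strict one, and the CONNECT request is only handled correctly by the strict mapping. The point for the proxy case is that the delimiter error is a symptom of the mapping stage, not of the URL the client actually requested.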

TLS Version Downgrade: If the client requests TLS 1.3 but the proxy downgrades the upstream connection to TLS 1.2 while still negotiating h2 via ALPN, certain SGOS versions struggle to bridge the protocol frames between the two different encryption legs.

Upstream Blacklisting: Repeated TCP Resets generated by the proxy can lead the upstream web server or firewall to temporarily block the proxy's IP, changing the error from a "Protocol Error" to "Site can't be reached."

Resolution

Method 1: Force Fallback to HTTP/1.1
Forcing the proxy to use HTTP/1.1 for the problematic destination resolves the parsing conflict while maintaining full SSL Interception and security scanning.

1. Log into the Edge SWG CLI or VPM.

2. Apply the following CPL to the Local Policy (replace example.com with the affected domain):
; For the affected domain, stop accepting h2 from the client and stop
; requesting h2 from the origin, so both legs fall back to HTTP/1.1.
<Proxy>
    url.domain=example.com http2.client.accept(no) http2.server.request(no)

Method 2: SSL Interception Bypass
If the site is trusted and does not require packet inspection, bypassing decryption avoids the HTTP/2 parsing engine entirely.

1. In the Visual Policy Manager (VPM), go to the SSL Intercept Layer.

2. Create a new rule:

Destination: The affected URL/Domain.
Action: Disable SSL Interception.

3. Install Policy.