You use the Firewall/VPN access method with the Auth Connector (BCCA) for authentication, and the connection between the Auth Connector and the Web Security Service (WSS) does not work correctly.
Auth Connector traffic might be routed through the WSS IPSec tunnel. When it is routed this way, the Auth Connector cannot properly communicate with the authentication pods in the data centers.
For the Firewall/VPN access method deployment, the Auth Connector must reach the authentication IP addresses in each data center directly over port 443, without going through the IPSec tunnel. The list of authentication service IPs is provided in the article Authentication IP Addresses by Data Center.
You must create a rule on the firewall that excludes the Auth Connector server traffic from the Web Security Service (WSS) IPSec tunnel.
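To confirm the exclusion rule has the intended effect, the following added check script (not part of the original article or of the WSS product) can be run on the Auth Connector host. It looks up the egress interface for each authentication IP with `ip route get` and checks that the interface is not the IPSec tunnel interface, then probes TCP port 443 directly. The tunnel interface name `ipsec0` and the addresses in `AUTH_IPS` are placeholders; substitute the real tunnel interface and the IPs from the Authentication IP Addresses by Data Center article.

```shell
#!/bin/sh
# Added verification example (not from the original article).
# Checks that traffic from this host to each WSS authentication IP leaves via
# a normal interface rather than the IPSec tunnel, and that TCP/443 is reachable.
# ASSUMPTIONS: TUNNEL_IF is the name of the WSS IPSec tunnel interface on this
# host; AUTH_IPS are PLACEHOLDER addresses (TEST-NET-3), not real WSS addresses.

TUNNEL_IF="${TUNNEL_IF:-ipsec0}"
AUTH_IPS="${AUTH_IPS:-203.0.113.10 203.0.113.20}"

# Extract the egress device name from one line of `ip route get` output.
# Example input: "203.0.113.10 via 192.0.2.1 dev eth0 src 192.0.2.50 uid 0"
egress_dev() {
    # $1: a single line of `ip route get` output
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Succeed (exit 0) only when the route line names an egress device and that
# device is not the tunnel interface; fail on tunnel routes or lookup errors.
bypasses_tunnel() {
    # $1: route line, $2: tunnel interface name
    dev=$(egress_dev "$1")
    [ -n "$dev" ] && [ "$dev" != "$2" ]
}

# Live check against the running host: route lookup plus a direct TCP/443 probe.
check_auth_ip() {
    ip="$1"
    line=$(ip route get "$ip" 2>&1 | head -n 1)
    if bypasses_tunnel "$line" "$TUNNEL_IF"; then
        echo "OK    $ip egresses via $(egress_dev "$line") (not $TUNNEL_IF)"
    else
        echo "FAIL  $ip is routed via $TUNNEL_IF or the lookup failed: $line"
    fi
    # -z: connect only, -w: timeout in seconds (OpenBSD netcat and nmap ncat).
    if nc -z -w 5 "$ip" 443 2>/dev/null; then
        echo "OK    $ip:443 reachable directly"
    else
        echo "FAIL  $ip:443 not reachable directly"
    fi
}

# Run the live checks only when invoked as "sh check_auth.sh run",
# so the helper functions can also be sourced and reused.
if [ "${1:-}" = "run" ]; then
    for ip in $AUTH_IPS; do
        check_auth_ip "$ip"
    done
fi
```

A FAIL on the route check means the firewall or host routing still sends the authentication traffic into the tunnel and the exclusion rule is not taking effect; a FAIL on the port probe with a correct route points at a firewall or upstream block on port 443 instead.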