Symptoms
When SSL takes a dynamic bypass action (IP based bypass decision), the Per-Request Policy agents skip execution when necessary. That is, Category Lookup exits early due to no data because of the early bypass. The same check is not present in Response Analytics and URL Filter agents so that they don't take the error path due to not seeing Category Lookup data.
Impact
Category Lookup skips execution due to IP based bypass and thus Response Analytics and URL Filtering do not have the necessary data, so they take an internal error path. This will cause an RST.
Conditions
IP based bypass (in client SSL profile) with Response Analytics or URL Filtering in the Per-Request Policy.
Workaround
Do not add Response Analytics or URL Filtering agents to paths that you know will not have appropriate Category Lookup data due to bypass.
Fix Information
When the SSL level filter bypasses based on client data, Per-Request Policy agents will now be appropriately bypassed as well if there is not enough data to run on. They will take the fallback branches instead of sending a RST on error.
