Customer is using Kerberos authentication in their setup. They have a Cisco ACE Load Balancer to distribute traffic to ProxySG/s. Client will get
page cannot be displayed or
Proxy resetting the connection for HTTP sites which are challenged by ProxySG for authentication. HTTPS sites is found to be working fine in this setup
The issue is identified to be due to the default maximum header size supported by Cisco ACE which is 4096 bytes. If the combined size of HTTP headers and the Kerberos ticket is going beyond 4096 bytes, ACE will RESET the packet. This packet will not be reaching the ProxySG.
Solution for this is to create an HTTP parameter map to support to a higher value and then assign it to the class in the service-policy. This information can be found at the discussion
Typical configuration will have the below
parameter-map type http HTTP
set header-maxparse-length 65535 set content-maxparse-length 65535