Is the source address of the packet in source-address range in the policy rule?
Is the destination address of the final connection (that is, the host that the user specifies) in the destination address in the policy rule?
If the policy rule requires user authentication, did the user authenticate correctly? Is that user enabled?
Is this possibly-anonymous authenticated user included (either directly or by group membership) in the policy rule?
At present, there is no way for SunScreen High Availability systems to share proxy state. Proxies are not highly available.