It looks like the DSS is continually forwarding the proxy request for the invalid user, and each forwarded request is being handled as a new session. Eventually the forwarded request fails, which prevents subsequent authentication requests.
Have the proxy forward the access request to a different DSS. The access node containing the AD Password roll out policy would be assigned to the second DSS. So for the customer that would be:
Rollout Proxy (Primary)
The IP address on 'RollOut Proxy (Primary)' would need to be changed to point to the second DSS, and port 2001 would need to be open between the two DSS.
A product defect has been submitted for this issue. It will be reviewed and a fix will be provided in the next release of the DSS component.