By default, the Deep Security Manager's SSL certificate key would be installed on an environment with both Deep Security Manager and Deep Security Relay. The SSL certificate key is used for the incoming traffic SSL payload inspection while the IPS feature is not yet enabled.

Once the security policy with IPS feature is activated and applied to the target Deep Security Relay, the network filter driver will force reset the existing SSL connection in order to start an SSL inspection from a new incoming connection.

The process will reflect on the system event ID 352 Policy Updated:

When the update was performed, the following changes were made:    Web Reputation changed from "Inherited" to "On".  Intrusion Prevention changed from "Inherited" to "Prevent".     After updating, the target had the following properties:    Name: Deep Security Manager  Parent Policy: Deep Security  Description: A base policy for use on a server hosting the Deep Security Manager.     Important: After applying this Policy to your Deep Security Manager's Host,  you must restart the existing browser sessions to the Deep Security Manager.  This is because the Policy applies a new SSL configuration to the Host.  If you do not restart your session, your connection may be lost and  multiple "Renewal Error" Intrusion Prevention Events will be generated by the Agent.

As a workaround, close the whole browser, not just the tab, and re-open it again. The browser will sucessfully connect to Deep Security Manager.