diff --git a/lib/core/context.c b/lib/core/context.c
index 79987ff74..893bdfb21 100644
--- a/lib/core/context.c
+++ b/lib/core/context.c
@@ -214,12 +214,22 @@ lws_state_notify_protocol_init(struct lws_state_manager *mgr,
 	 */
 	if (target == LWS_SYSTATE_POLICY_VALID &&
 	    context->pss_policies && !context->policy_updated) {
+
+		if (context->hss_fetch_policy)
+			return 1;
+
+		lwsl_debug("%s: starting policy fetch\n", __func__);
 		/*
 		 * Start trying to acquire it if it's not already in progress
 		 * returns nonzero if we determine it's not needed
 		 */
 		if (!lws_ss_sys_fetch_policy(context))
-			return 1;
+			/* we have it */
+			return 0;
+
+		/* deny while we fetch it */
+
+		return 1;
 	}
 #endif
 #endif
diff --git a/lib/secure-streams/system/fetch-policy/fetch-policy.c b/lib/secure-streams/system/fetch-policy/fetch-policy.c
index b002c8d67..3dcd4d415 100644
--- a/lib/secure-streams/system/fetch-policy/fetch-policy.c
+++ b/lib/secure-streams/system/fetch-policy/fetch-policy.c
@@ -107,8 +107,16 @@ ss_fetch_policy_state(void *userobj, void *sh, lws_ss_constate_t state,
 	case LWSSSCS_CONNECTING:
 		break;
 
+	case LWSSSCS_QOS_ACK_REMOTE:
+		switch (m->partway) {
+		case 2:
+			lws_sul_schedule(context, 0, &m->sul, policy_set, 1);
+			break;
+		}
+		break;
+
 	case LWSSSCS_DISCONNECTED:
-		lwsl_info("%s: DISCONNECTED\n", __func__);
+		lwsl_notice("%s: DISCONNECTED\n", __func__);
 		switch (m->partway) {
 		case 1:
 			lws_ss_policy_parse_abandon(context);
@@ -154,10 +162,14 @@ lws_ss_sys_fetch_policy(struct lws_context *context)
 		 * running on a proxied client with no policy of its own,
 		 * it's OK.
 		 */
-		lwsl_info("%s: Create LWA auth ss failed (policy?)\n", __func__);
+		lwsl_info("%s: Policy fetch ss failed (stub policy?)\n", __func__);
 
-		return 1;
+		return 0;
 	}
 
-	return 0;
+	lwsl_info("%s: policy fetching ongoing\n", __func__);
+
+	/* fetching it is ongoing */
+
+	return 1;
 }