The page https://doc.ez.no/display/DEVELOPER/HTTP+Cache and all varnish vcl examples mention the FOS related user hash (38015b703d82206ebc01d17a39c727e5). There is only one line which mentiones that the user hash should be changed to the ez based one (b1731d46b0e7a375a5b024e950fdb8d49dd25af85a5c7dd5116ad2a18cda82cb) and people will easily skip that.
Up until ezplatform 1.6 this was not a issue but after this PR to FOS: https://github.com/FriendsOfSymfony/FOSHttpCacheBundle/commit/cad6b5d5b100cf794f6b17f33c229132d343c9e3 things got really bad. What happens is that hash comparison is forced when the code figures out that the user is not anonymous, in this case basically for all requests with a cookie.
In real use cases sites have cookies. The consequence is that all requests (except the ones with no cookies which is really rare) force user hash comparison. Projects which have the FOS related user hash in the VCL will always have different user hash and the backend will always send "no-cache" in the response. This will trigger varnish to create HitForPass object for a while basically saying not to cache that page.
I would suggest to revamp all docs and all vcl examples to include the ez default user hash to avoid such problems in the future. Of course, with a note that the user hash should be updated when anonoymous user policies are changed.
Another option would be to replace the AnonymousMatcher which will check only for eZSESSID cookies (session_name_prefix), not all cookies to determine is user anonymous or not.