We migrated a traditional cluster to a Maestro infra last weekend. R81.10 T81
Everything worked as expected, but after a while some IA rules stopped matching on one of the members. Identity is acquired via Identity Agent. Users connect to the PDP, which is the Security Group running in Maestro.
In the logs, the same traffic is accepted on Member 1_2 but dropped on Member 1_1.
"pdp monitor ip x.x.x.x" returns the correct Roles on both members, but the rule is not matched. If we change the source to an IP, everything is OK.
I know that Security Groups are not the best way to do PDP, but in this situation we don't have another GW to play that role. Also, it's never mentioned that it's not supported (only not recommended in the Maestro limitations SK).
Do you have any idea what the cause could be? Any similar problem on your side?
TAC is already involved but has not provided relevant info yet.