Identity collector is “eating” event viewer messages written in AD server.
Firewall is still required to check if the user is in the proper group or it’s disabled. Those checks are ldap traffic from firewall to DC.
Customer moved from clusterXL to VSX.
Normal firewall to ldap traffic pass on VS0. Here VS0 didn’t have access to DC. Only VS1 had access.
In order to solve this problem under VS config -> Other -> legacy configuration -> authentication server accessibility
Change the default from shared to private.
Credit goes to Kobi Kagan from israeli support team.
See attached screenshot