WSSA stays active even though the client is connected through a full-tunnel VPN whose egress IP address comes from a known location, so the agent should be going passive.
CTC failed (12175)
CTC: Using CL from file cache
CTC: using the connect list cached in memory
WSSA tries to connect to ctc.threatpulse.com. That request is being SSL intercepted, so an unexpected certificate is returned to WSSA and the request to CTC (cloud traffic controller) fails with error 12175. Because the agent had connected to the service successfully before, it falls back to the cached connect list and goes active instead of passive.
For WSSA to go passive, disable SSL interception for all traffic destined to ctc.threatpulse.com. WSSA will then receive a proper response from CTC and go passive.
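A quick way to verify whether the CTC connection is being intercepted from an affected client is to open a TLS connection to ctc.threatpulse.com and look at who issued the certificate that comes back. The script below is an added example, not Symantec/Broadcom code; the inspection CA name ("Example Corp SSL Inspection CA") and the sample certificate are constructed for illustration, and the live probe needs network access.

```python
"""Check whether TLS to ctc.threatpulse.com is being SSL-intercepted."""
import socket
import ssl
from typing import Optional, Tuple

CTC_HOST = "ctc.threatpulse.com"  # CTC host that WSSA contacts (from the article)


def summarize_cert(cert: dict) -> dict:
    """Flatten the dict returned by ssl.SSLSocket.getpeercert()."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    dns_sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return {"issuer_cn": issuer.get("commonName", ""),
            "issuer_org": issuer.get("organizationName", ""),
            "dns_sans": dns_sans}


def classify(summary: dict, verify_error: Optional[str], proxy_ca_cn: str) -> str:
    """Map what the client saw onto the situations described in the article."""
    if verify_error:
        return "secure_failure"  # same class of failure as WinHTTP 12175
    if summary["issuer_cn"] == proxy_ca_cn:
        return "intercepted"     # leaf signed by our inspection CA: add a bypass
    if CTC_HOST not in summary["dns_sans"]:
        return "name_mismatch"   # cert is not for the CTC host at all
    return "ok"


def probe(proxy_ca_cn: str, host: str = CTC_HOST, port: int = 443) -> Tuple[str, dict]:
    """Connect like a client would and classify the certificate (needs network)."""
    ctx = ssl.create_default_context()  # verifies against the OS trust store
    summary = {"issuer_cn": "", "issuer_org": "", "dns_sans": []}
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                summary = summarize_cert(tls.getpeercert())
    except ssl.SSLError as exc:  # untrusted or mismatched certificate
        return classify(summary, str(exc), proxy_ca_cn), summary
    return classify(summary, None, proxy_ca_cn), summary


# Constructed sample in getpeercert() format: a leaf for the CTC host that was
# issued by a (hypothetical) internal SSL-inspection CA rather than a public CA.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", CTC_HOST),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp SSL Inspection CA"),)),
    "subjectAltName": (("DNS", CTC_HOST),),
}

if __name__ == "__main__":
    print(classify(summarize_cert(SAMPLE_INTERCEPTED), None,
                   "Example Corp SSL Inspection CA"))  # intercepted
    print(probe("Example Corp SSL Inspection CA"))
```

Run it on the affected client with your own inspection CA's common name; a result of "intercepted" or "secure_failure" for ctc.threatpulse.com confirms the bypass is missing.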
Error 12175 is a Microsoft error. It has the following meaning:
ERROR_WINHTTP_SECURE_FAILURE (12175): One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server. To determine what type of error was encountered, check for a WINHTTP_CALLBACK_STATUS_SECURE_FAILURE notification in a status callback function. For more information, see WINHTTP_STATUS_CALLBACK.
Microsoft URL: https://docs.microsoft.com/en-us/windows/win32/winhttp/error-messages