We are getting 409 null null errors on multiple A2A clients that used to work in the past. The clients use an external VIP to register with/connect to PAM.

Release : 4.0.2, but affects any PAM release

This is related to how PAM determines the source IP of a connecting A2A client using X-Forwarded-For headers, see KB 125564. When the connections came in through the external VIP, the header did not contain the A2A client IP, but a common network node IP. This caused many incoming connections to be associated with the wrong device, because it also had been registered with the same IP. A service restart on one node could overwrite the fingerprint of an existing A2A client entry, matched by IP, breaking a previously working client.

Make sure your X-Forwarded-For headers are set correctly to point back to the original Source IP, the A2A client node. If this cannot be controlled when using an external VIP, an alternative is to configure multiple specific PAM server addresses in the A2A client configuration file, see documentation page Configure A2A Client Failover in a Multisite Cluster. If you have the problem already, please raise a case with PAM Support to get it addressed.