If the Symantec Management Agent (SMA) is unable to connect to the Notification Server over the LAN/internal network, it switches to an active CEM mode connection, which is expected.
After switching back to the internal network or LAN, the agent stays in active CEM mode even if the SMA service is restarted or the machine is rebooted.
The Cloud-enabled Management Settings policy was checked and the 'Prefer CEM gateway connection' options are not checked/enabled.
If the CEM-connected machine on the LAN is removed from the CEM policy, it then switches to a normal LAN/direct connection without issues.
ITMS 8.7.3 and later
In this instance, the Internet Gateways were routable on the internal network and could be reached from both the LAN and the internet. Internet Gateways should only be externally facing, meaning that an SMA on a LAN connection shouldn't be able to reach the configured Internet Gateways in the DMZ.
The Symantec Management Agent always tries connecting to the Notification Server, Package Server, and Task Server using the "last good path". If the last good path was CEM, then CEM will be used, even after an agent or computer restart. If it was proxy, then proxy will be used. If it was IPv6, then IPv6, etc. This reduces the number of connections that fail, because there could be tens of connection paths to a server (CEM, proxy, IPv6, multiple client and server addresses, etc.) and not all of them are "connectable".
These "last good paths" are stored in HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Communications\ConnectionProfiles-server guid-\Statistics and cached internally on the client machine.
If "last good path" does not exist or the agent fails to connect to the last good path, the connection order will follow the CEM policy's settings for "prefer CEM". If "prefer CEM" options are enabled in the policy, agents targeted by the policy will attempt connecting with CEM first.
If, after switching physical networks, you see that the connection method changes, that means SMA tried connecting using the last good method and failed. The failure could be very brief, but it can cause the connection path to switch to another one. If the next path works, then it sticks until the next failure.
Follow best practices when implementing/installing one or more Internet Gateways. Internet Gateways should not be routable or reachable on the internal network or LAN. They should be in the DMZ and only reachable externally.
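
One way to verify this from a client attached to the internal LAN, as an added example that is not Broadcom/Symantec code: the script tests whether each configured Internet Gateway accepts TCP connections from the LAN and then prints whatever the agent has cached under the Statistics registry keys described above. The gateway host names are placeholders and port 443 is an assumption; use the values from your Cloud-enabled Management Settings policy.

```powershell
# Added example: run on a client attached to the internal LAN.
# Gateway names and port are placeholders (assumptions); replace them with
# the values from your Cloud-enabled Management Settings policy.
param(
    [string[]]$Gateways = @('gateway1.example.com', 'gateway2.example.com'),
    [int]$Port = 443
)

# 1. Internet Gateways should NOT accept connections from the LAN.
$results = foreach ($gw in $Gateways) {
    $t = Test-NetConnection -ComputerName $gw -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Gateway          = $gw
        Port             = $Port
        ResolvedTo       = $t.RemoteAddress
        ReachableFromLAN = $t.TcpTestSucceeded
        Finding          = if ($t.TcpTestSucceeded) {
            'Reachable from LAN: CEM can remain the last good path'
        } else {
            'OK: not reachable from LAN'
        }
    }
}
$results | Format-Table -AutoSize

# 2. Print the cached connection statistics ("last good path" data).
#    Every key named Statistics below the Communications key is dumped as-is;
#    no value names are assumed.
$base = 'HKLM:\SOFTWARE\Altiris\Communications'
if (Test-Path $base) {
    Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'Statistics' } |
        ForEach-Object {
            $key = $_
            Write-Output "`n$($key.Name)"
            foreach ($name in $key.GetValueNames()) {
                Write-Output ("  {0} = {1}" -f $name, $key.GetValue($name))
            }
        }
} else {
    Write-Output "$base not found (is the Symantec Management Agent installed?)"
}

# Non-zero exit code when any gateway is reachable from the LAN,
# so the check can be used in a scheduled compliance task.
if ($results | Where-Object { $_.ReachableFromLAN }) { exit 1 }
```

A gateway reported as reachable from the LAN matches the condition described in this article and should be corrected at the firewall or routing level.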