Noticed something interesting after upgrading to 6.0R4-2. The overall upgrade seems to have gone well. I did, however, discover that Network Connect sessions on my load-balanced clusters are defaulting to using SSL as a transport instead of ESP. This doesn't seem to be the case in my other cluster, which is set as Active/Standby. I do see UDP 4500 coming across the load balancers, and I did see it in the tcpdump output on the external interface on the Junipers. Not exactly sure what gives.
Other than that, the configs are very similar. Just wondering whether anyone has run across this.
I have experienced similar issues when I upgraded our SA6000 active/passive cluster to 6.0R5. I found that by disabling the Replay Protection option in the Network Connect Connection Profile, I was able to connect and stay connected with ESP. I currently have a case open with Juniper but no progress yet.