Identity Awareness AD Query fails over VPN in the following topology:
Hosts - Identity Awareness Gateway ---(VPN)--- VPN Peer - Domain Controller
Enabling PDP daemon debug on the Identity Awareness Gateway (run "pdp debug set all all") produces the following line in the $FWDIR/log/pdpd.elg file:
[ADLOG_EVENT_PROCESS (TD::Surprise)] ADLOG::EventRejectRegExpFilter::acceptEvent: Event rejected due to field (ip) on value (<INTERNAL_IP_ADDRESS_of_VPN_PEER>)
The PDP resides on the local side of the VPN, where the connection to the Domain Controller is initiated and undergoes NAT. As a result, the IP field of the AD security events that the PDP receives carries the internal IP address of the VPN peer (the NAT address) rather than a valid host address, and the PDP's regular-expression event filter rejects those events as invalid, which is what the debug line above shows.
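To confirm you are hitting this case rather than some other filter rejection, it helps to summarize every value the PDP rejected in the ip field and compare it with the VPN peer's internal address. The helper below is an added example and not Check Point code: it assumes only the pdpd.elg line format shown above, and the log lines and IP addresses it embeds are constructed for the demonstration (10.20.30.1 stands in for the VPN peer's internal address).

```shell
#!/bin/sh
# Added example (not Check Point code): triage of EventRejectRegExpFilter lines in pdpd.elg.
# Assumes the line format shown above. The sample log below is constructed;
# 10.20.30.1 is a placeholder for the VPN peer's internal (NAT) address.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[ADLOG_EVENT_PROCESS (TD::Surprise)] ADLOG::EventRejectRegExpFilter::acceptEvent: Event rejected due to field (ip) on value (10.20.30.1)
[ADLOG_EVENT_PROCESS (TD::Surprise)] ADLOG::EventRejectRegExpFilter::acceptEvent: Event rejected due to field (ip) on value (10.20.30.1)
[ADLOG_EVENT_PROCESS (TD::Surprise)] ADLOG::EventRejectRegExpFilter::acceptEvent: Event rejected due to field (ip) on value (192.0.2.77)
[ADLOG_EVENT_PROCESS (TD::Surprise)] ADLOG::EventRejectRegExpFilter::acceptEvent: Event rejected due to field (user) on value (svc_backup)
[ADLOG_EVENT_PROCESS] unrelated debug line that must be ignored
EOF

# rejected_ips FILE
#   Prints one "count ip" line per distinct rejected ip value, most frequent first.
#   Only rejections on the (ip) field are counted; other fields are ignored.
rejected_ips() {
    grep 'EventRejectRegExpFilter::acceptEvent: Event rejected due to field (ip) on value (' "$1" \
      | sed -n 's/.*on value (\([^)]*\)).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# nat_ip_rejected FILE IP
#   Exit 0 if IP appears among the rejected ip values, 1 otherwise.
nat_ip_rejected() {
    rejected_ips "$1" | awk -v ip="$2" '$2 == ip {found=1} END {exit !found}'
}

# Stand-alone run against the constructed sample:
rejected_ips "$SAMPLE_LOG"
if nat_ip_rejected "$SAMPLE_LOG" 10.20.30.1; then
    echo "VPN peer internal address 10.20.30.1 is being rejected: matches the NAT-over-VPN case"
fi
```

On the gateway, after enabling the debug, run `rejected_ips "$FWDIR/log/pdpd.elg"` and pass the VPN peer's internal address to `nat_ip_rejected`; if the rejected value is that address, the events are arriving with the NAT address in the ip field as described above. If the rejected values are ordinary host addresses instead, the cause is a different filter configuration and not the VPN NAT.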