Traffic sent to IP addresses X.X.X.255 (last octet is "255", but is not a broadcast address on this network) does not pass through ClusterXL in Load Sharing Unicast mode.
Kernel debug ('fw ctl debug -m fw + drop') + SecureXL SIM debug ('sim dbg -m pkt + cpls drop') on a non-Pivot member show:
fw ctl debug -m fw + drop
sim dbg -m pkt + cpls drop
[SIM]pivot_process_incoming: non-pivot member cannot handle broadcast/multicast, dropping packet (<Dest_IP_Address.255>)
[SIM]pivot_process_incoming: packet sent from pivot, passing packet
[SIM]sim_pkt_send_drop_notification: recieved drop, reason: ZZZ;
... ... ...
;fw_log_drop_conn: Packet proto=N X.X.X.X:XXX -> Dest_IP_Address.255:YYY, dropped by handle_inbound_packet, Reason: cluster error;
Disabling SecureXL on all cluster members resolves the issue.
SecureXL always treats an IP address of the form X.X.X.255 as a broadcast address. By design, a non-Pivot member cannot handle non-unicast traffic. As a result, this traffic is dropped.
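To confirm that a drop seen in the SIM debug matches this cause, the dropped destination can be checked against the real subnet masks. The following is an added example, not Check Point code: it assumes the debug prints a dotted-quad address inside the parentheses, and the networks and log lines are constructed sample data.

```python
import ipaddress
import re

# Message text from the SIM debug above. The page shows only a placeholder for
# the address, so a dotted quad inside the parentheses is an assumption.
DROP_RE = re.compile(
    r"pivot_process_incoming: non-pivot member cannot handle "
    r"broadcast/multicast, dropping packet \(<?(\d{1,3}(?:\.\d{1,3}){3})>?\)"
)

def classify(dst, networks):
    """Return 'broadcast', 'unicast-host' or 'unknown-network' for dst."""
    ip = ipaddress.ip_address(dst)
    for net in networks:
        if ip in net:
            # /31 and /32 have no directed broadcast address.
            if net.prefixlen < 31 and ip == net.broadcast_address:
                return "broadcast"
            return "unicast-host"
    return "unknown-network"

def misclassified_drops(lines, cidrs):
    """Count drops whose destination ends in .255 but is a valid host."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    hits = {}
    for line in lines:
        m = DROP_RE.search(line)
        if not m:
            continue
        dst = m.group(1)
        if dst.endswith(".255") and classify(dst, networks) == "unicast-host":
            hits[dst] = hits.get(dst, 0) + 1
    return hits

# Constructed sample data (not from the page).
SAMPLE_NETS = ["10.20.0.0/22", "192.168.5.0/24"]
PREFIX = ("[SIM]pivot_process_incoming: non-pivot member cannot handle "
          "broadcast/multicast, dropping packet ")
SAMPLE_LINES = [
    PREFIX + "(10.20.1.255)",    # host inside the /22
    PREFIX + "(10.20.1.255)",
    PREFIX + "(10.20.3.255)",    # real broadcast of the /22
    PREFIX + "(192.168.5.255)",  # real broadcast of the /24
    "[SIM]pivot_process_incoming: packet sent from pivot, passing packet",
]

if __name__ == "__main__":
    for dst, n in misclassified_drops(SAMPLE_LINES, SAMPLE_NETS).items():
        print(f"{dst}: {n} drop(s), valid unicast host treated as broadcast")
```

Destinations reported here are valid hosts in networks with a prefix shorter than /24; drops to the true broadcast address of a network are not reported.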