When you make the switch from PUB to SUB check the Policy cache information in the endpoint database .
You can manage that value under the Cluster-wide parameters >General tab > Policy result cache timeout.
Make sure that the SUB is in SYNC with the PUB.
If all these look good then you should consider opening a TAC case or upgrading to the latest 6.4 version.