For this to work the identical IP addresses will need to be NAT'ed to unique IP's when they are on the same network. Having the same IP's on the same network is just not valid. Some things to consider:
1. The Agent machine is going to encrypt the authentication using was it believes is its primary IP
2. The Server is going to decrypt the authentication using the IP address used to define the Agent Host in the ace server database
To make this work in this situation, we need to force the client to use the IP the server recognizes (NAT) for encryption. To do this use the following solution:
How to set an IP address override for an RSA ACE/Agent and RSA Authentication Agent
Make the IP address the NAT'ed address. Then restart the service you are protecting. For instance, if you are protecting a Web server, stop and start the Web services. Again, when you are done, the IP address in the sdopts.rec file and the primary IP address that defines the Agent host in the ACE/Server database should match AND it will be the NAT address.
NOTE: This will only work if the client has a file system; 3rd-party products like some VPN's are not always configurable.