I managed to reproduce one issue based on the comments in the Zabbix DevOps chat. I am not sure my steps to reproduce are the same as customer did, since the customer did not provide step by step steps to reproduce.

This is just one possible way to do it, which illustrates that there is a problem related to transitions between hosts created manually and with active agent autoregistration.

Part 1
Steps to reproduce

1. In Zabbix frontend, create a host manually.
   1. Hostname, Linked templates, host groups, interface DNS (I used DNS) should match the respective agent options.
   2. Encryption should be configured on host:
      1. Connections to host: PSK
      2. Connections from host: No encryption, PSK
      3. The following (or some other) values of PSK identity and PSK can be used. They must match at server and agent side.

         PSK identity
         Zabbix training
         
         PSK
         9ff4efc7b866918b33e33a5d09332adf
         

2. Agent settings can be used the same as described in ZBX-26621 in "Agent config with PSK".

   PidFile=/run/zabbix/zabbix_agentd.pid
   LogFile=/var/log/zabbix/zabbix_agentd.log
   LogFileSize=0
   Server=127.0.0.1
   ServerActive=127.0.0.1
   Hostname=Zabbix server Autoreg
   HostMetadata=Linux_testpsk
   Include=/etc/zabbix/zabbix_agentd.d/*.conf
   TLSConnect=psk
   TLSAccept=unencrypted,psk
   TLSPSKIdentity=TEST
   TLSPSKFile=/etc/zabbix/zabbix_agent.psk 
   HostInterface=uggla1
   

3. Link template "Zabbix agent active". This is just for convenience. It has 4 items is it convenient to set update period to some small value like 10 seconds. Also remove "Unchanged with heartbeat" preprocessing steps from the 2 items where they are configured.
4. In /etc/hosts, configure some hosts to the IP where your agent is located. This would be needed to trigger autoregistation. You may choose a different way to trigger autoregistration.

   127.0.0.1    uggla1
   127.0.0.1    uggla2
   

Observed

1. Both passive and active checks work.
2. On Zabbix server, in table "hosts" fields "tls_psk" and "tls_psk_identity" are configured to valid values. 

Expected
The same as observed.

Part 2
Steps to reproduce

1. In Zabbix frontend, configure autoregistration. Administration->General->Autoregistration->Encryption level
   1. No encryption: yes
   2. PSK: no 
2. In Zabbix frontend, go to Alerts->Actions->Autoregistration action. Configure autoregistation action. It would be needed later.
   1. Condition: Host metadata contains HostMetadata option in agent config.
   2. Operations:
      1. Add to host groups: Training/Servers
      2. Link templates: Zabbix agent active
3. Run autoregistation. This can be done in any way. I did it by changing agent config option to HostInterface=uggla2. Restart the agent. There is not need to restart the server.

Observed

1. Passive checks continue working. Active checks stopped working.
2. On Zabbix server, in table "hosts" fields "tls_psk" and "tls_psk_identity" are empty. 

Expected

1. Both passive and agent checks continue working.
2. On Zabbix server, in table "hosts" fields "tls_psk" and "tls_psk_identity" contain valid values.