Historically, I've seen this when port 4900 is not allowed from QPS to QES. I'd encourage reviewing the table on the relevant help site page (https://help.qlik.com/en-US/sense/February2018/Subsystems/PlanningQlikSenseDeployments/Content/Deployment/Ports.htm) which is fairly good at outlining the dependencies in a multi-node context both in and out-bound.
Hope that helps.
I think that was the solution. I had no time for best practices, so I just opened up any port listed.
80, 443, 4243, 4244, 4248, 4747, 4748, 4242, 4239, 4444, 4899, 4432, 4899, 4900, 4949, 5050, 5151, 5252
Also had to make sure that I whitelisted the host, as that's something that's easy to forget to do.
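As an added example (not from either poster or from Qlik), here is one way to allow the QPS to QES connection on port 4900 from the proxy node only, flag rules that still expose that port to any source, and confirm reachability. The IP addresses and the rule name are constructed placeholders; the first two parts run elevated on the engine node and the last part runs on the proxy node.

```powershell
# Constructed placeholder values (documentation address range); replace with your own nodes.
$ProxyNodeIp = '192.0.2.10'   # node running QPS (assumed address)
$EngineNode  = '192.0.2.20'   # node running QES (assumed address)
$Port        = 4900           # port named in the thread for QPS -> QES

# --- Part 1, on the QES node: allow the port inbound from the QPS node only ---
$ruleName = "Qlik QPS to QES TCP $Port (scoped)"   # hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress $ProxyNodeIp -Action Allow | Out-Null
}

# --- Part 2, on the QES node: list enabled inbound allow rules that expose the port to any source ---
# Note: this matches rules naming the port explicitly; rules written as a port range are not matched.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $rule  = $_
    $ports = $rule | Get-NetFirewallPortFilter
    $addrs = $rule | Get-NetFirewallAddressFilter
    if ($ports.Protocol -eq 'TCP' -and
        @($ports.LocalPort) -contains "$Port" -and
        @($addrs.RemoteAddress) -contains 'Any') {
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            LocalPort     = $ports.LocalPort -join ','
            RemoteAddress = $addrs.RemoteAddress -join ','
        }
    }
} | Format-Table -AutoSize

# --- Part 3, on the QPS node: confirm the engine node accepts TCP connections on the port ---
$result = Test-NetConnection -ComputerName $EngineNode -Port $Port -WarningAction SilentlyContinue
'{0}:{1} reachable = {2}' -f $EngineNode, $Port, $result.TcpTestSucceeded
```

The same pattern can be repeated for each source, destination and port row in the ports table on the help page linked above.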