I do not believe the server is available during an upgrade installation, but during routine maintenance (e.g. workflow purge, DataStore Garbage Collection, etc.), ideally you should not allow any access. You can block access via dispatcher.
You can create/edit the existing replication workflows and add an approval step if they do not already have one. This doc might be useful to you: Adobe Experience Manager Help | Replicating Adobe Experience Manager Content using the Replication API
Just adding to what Yanira mentioned: you can use diff tools to verify whether there are any config changes between the working and non-working instances: AEM Tools for environment comparison
Can you clarify the following:
1. the same username is used when bypassing dispatcher, i.e. using IP and port number
2. you are able to see the full repository tree when using IP and port number