After more digging, with a regular ESX host with a firewall I found this:
<flags>-m state --state NEW</flags>
Which seems to indicate the vpxheartbeat is initiated from the ESX host and sent to the vCenter server. vpxheartbeat isn't mentioned at all in the KB article.
Thanks Troy, that's a great diagram. I'm going to use that as a basis for my diagram based on ESXi 4.0. And that diagram does show a heartbeat initiated by the ESXi host, so I think the VMware port table is missing an entry.