Accepted Solutions
This is something that you can easily track by using vCenter's vpxd.logs. You will need to know the session key which you can query from the APIs or using the vCenter MOB under sessionManager object. You also need to change your vCenter logging _tempoairly_ to verbose if it isn't already, by defaul the logging output is configured as "info" which doesn't go into detail on the actual client agents which is where you'll identify the IP Address in which it is logging into.
Once you're ready, enable the verbose logging and terminate the existing connection. Wait until it re-connects, then grab the session key, this way you don't have to search through all your vpxd.logs looking for the actual login. Search the main vpxd log and you should see something of the following:
[2010-12-21 19:27:33.115 01456 info 'Libs'] [ADS] Account primp found, but not local
[2010-12-21 19:27:33.115 01456 info 'App'] Error 1326 authenticating user .\primp.
[2010-12-21 19:27:33.131 01456 info 'App'] [Auth]: User PRIMP-IND\primp
[2010-12-21 19:27:33.131 01456 verbose 'App'] [VpxdUser] Registering session with cnxId=49C1F429-8403-4D0D-B319-7C79C2708FF1
[2010-12-21 19:27:33.131 01456 verbose 'PropertyProvider'] RecordOp ADD: sessionList["3B655744-E886-41AE-89AC-DFF691901A1B"], SessionManager
You should see the user name and specifically the sessionList which is your session key. From here, you will key off of the 3rd column and in my example this is "01456" which is the actual thread number. You will use this to identify all entries with respect to your session and search for all these entries, you should see something of the following not too far from the session details which should look something like this:
[2010-12-21 19:27:36.053 01456 verbose 'ProxySvc Req70068'] New client SSL(TCPStreamWin32(socket=TCP(fd=3592) local=172.30.0.60:443, peer=172.30.0.218:53893
))
This is the actual request and you'll see "local" which should be the IP Address of your vCenter server and "peer" which is the actual client. In my example, I simulated this by logging into the MOB from my local desktop and that is the IP Address of my system.
If you transfer your vpxd-log to a Linux host, you can do something of the following to save you time from search using Windows 
You just need to define the two variables VPX_LOG which is the actual log file and SESSION_ID which is the session key
VPX_LOG=vpxd-198.log;SESSION_ID=3B655744-E886-41AE-89AC-DFF691901A1B;grep $(grep "${SESSION_ID}" $VPX_LOG | awk '{print $3}') $VPX_LOG | grep peer
This should hopefully help you identify the culprit 
This is something that you can easily track by using vCenter's vpxd.logs. You will need to know the session key which you can query from the APIs or using the vCenter MOB under sessionManager object. You also need to change your vCenter logging _tempoairly_ to verbose if it isn't already, by defaul the logging output is configured as "info" which doesn't go into detail on the actual client agents which is where you'll identify the IP Address in which it is logging into.
Once you're ready, enable the verbose logging and terminate the existing connection. Wait until it re-connects, then grab the session key, this way you don't have to search through all your vpxd.logs looking for the actual login. Search the main vpxd log and you should see something of the following:
[2010-12-21 19:27:33.115 01456 info 'Libs'] [ADS] Account primp found, but not local
[2010-12-21 19:27:33.115 01456 info 'App'] Error 1326 authenticating user .\primp.
[2010-12-21 19:27:33.131 01456 info 'App'] [Auth]: User PRIMP-IND\primp
[2010-12-21 19:27:33.131 01456 verbose 'App'] [VpxdUser] Registering session with cnxId=49C1F429-8403-4D0D-B319-7C79C2708FF1
[2010-12-21 19:27:33.131 01456 verbose 'PropertyProvider'] RecordOp ADD: sessionList["3B655744-E886-41AE-89AC-DFF691901A1B"], SessionManager
You should see the user name and specifically the sessionList which is your session key. From here, you will key off of the 3rd column and in my example this is "01456" which is the actual thread number. You will use this to identify all entries with respect to your session and search for all these entries, you should see something of the following not too far from the session details which should look something like this:
[2010-12-21 19:27:36.053 01456 verbose 'ProxySvc Req70068'] New client SSL(TCPStreamWin32(socket=TCP(fd=3592) local=172.30.0.60:443, peer=172.30.0.218:53893
))
This is the actual request and you'll see "local" which should be the IP Address of your vCenter server and "peer" which is the actual client. In my example, I simulated this by logging into the MOB from my local desktop and that is the IP Address of my system.
If you transfer your vpxd-log to a Linux host, you can do something of the following to save you time from search using Windows You just need to define the two variables VPX_LOG which is the actual log file and SESSION_ID which is the session key
VPX_LOG=vpxd-198.log;SESSION_ID=3B655744-E886-41AE-89AC-DFF691901A1B;grep $(grep "${SESSION_ID}" $VPX_LOG | awk '{print $3}') $VPX_LOG | grep peer
This should hopefully help you identify the culprit
