HI all

I deployed NSX and implemented distribution firewall to all of my production servers and everything works fine.

Last week I tried to migrate my physically  separated DMZ virtual environment  to  production virtual environment and apply Distribution firewall police to create logical defined DMZ environment.

All other systems such as Apache reverse proxy, lync edge works fine but Citrix netscaler VPX 200 behave very strange and very unstable. If I assign VPX to   Exclusion list it works fine.

I checked log insight during the distribution firewall policy applied I found thousands of packet dropped　(packet type A FA and PA)

Topology information

Before                                                            After 

ESXI 5.5 　                                                       ESXI 6.1

Standard switch port group                              Distribution Switch port group

NO NSX                                                            NSX deployed and Distribution firewall policy applied.

FYI netscaler VPX have multiple virtual host for load balancing and have one mac address with multiple virtual IP.

Anybody have any idea why this problem is happening to netscaler only, I have more than 300 guest OS behind distribution firewall and all works fine except VPX the only different is VPX have signal mac address with multiple virtual IP address.

Cheers

Binaya