This situation occurs when traffic enters the first VAP group, leaves the chassis, and then re-enters it to be processed by another VAP group.
The NPM uses IP header information (source/destination IP address, protocol, source/destination port) and the domain-id assigned to the ingress circuit to classify and distinguish flows. When all circuits have the same domain-id and traffic is serialized externally as in the above example, the same IP connection is classified twice for each packet and direction. When a packet leaves the first VAP group and re-enters the NPM destined for the second VAP group, the original flow information is invalidated and overwritten by a new flow created for the second VAP group.
Similarly, return traffic will need to be re-classified when received by the NPM. In addition, if VAP groups have multiple members, the return flow may be sent to another VAP in the VAP group, resulting in asymmetrical routing and potential traffic drops by the firewall application.
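The flow-key collision described above can be reproduced with a simplified model. This is an added example, not NPM or XOS code: the flow table, the circuit names, the sample addresses and the per-group domain-id layout used for contrast are all assumptions made for illustration.

```python
from collections import namedtuple

# Flow key built from the fields the text lists: the IP 5-tuple plus the
# domain-id of the ingress circuit. Simplified model, not the NPM's own code.
FlowKey = namedtuple("FlowKey", "src dst proto sport dport domain_id")

class FlowTable:
    def __init__(self):
        self.flows = {}      # FlowKey -> VAP group that owns the flow
        self.overwrites = 0  # existing flow replaced by one for another group

    def classify(self, pkt, domain_id, vap_group):
        key = FlowKey(*pkt, domain_id)
        owner = self.flows.get(key)
        if owner is not None and owner != vap_group:
            self.overwrites += 1  # earlier flow invalidated and overwritten
        self.flows[key] = vap_group

# Hypothetical circuit names mapped to domain-ids (constructed values).
SAME_DOMAIN = {"g1_in": 1, "g1_out": 1, "g2_in": 1, "g2_out": 1}
PER_GROUP = {"g1_in": 1, "g1_out": 1, "g2_in": 2, "g2_out": 2}

def simulate(domains, packets=3):
    """Pass one connection through two VAP groups serialized externally.

    Returns (flow entries in the table, number of overwrites)."""
    table = FlowTable()
    fwd = ("10.0.0.5", "192.0.2.10", "tcp", 40000, 443)  # constructed flow
    rev = (fwd[1], fwd[0], fwd[2], fwd[4], fwd[3])       # return direction
    for _ in range(packets):
        # Forward: enters group 1, leaves the chassis, re-enters for group 2.
        table.classify(fwd, domains["g1_in"], "vap-group-1")
        table.classify(fwd, domains["g2_in"], "vap-group-2")
        # Return: processed by group 2 first, then by group 1.
        table.classify(rev, domains["g2_out"], "vap-group-2")
        table.classify(rev, domains["g1_out"], "vap-group-1")
    return len(table.flows), table.overwrites

if __name__ == "__main__":
    for name, layout in (("same domain-id", SAME_DOMAIN),
                         ("per-group domain-id", PER_GROUP)):
        flows, overwrites = simulate(layout)
        print(f"{name}: {flows} flow entries, {overwrites} overwrites")
```

With a single domain-id the table never holds more than one entry per direction, and every classification after the first replaces the other group's flow. With a distinct domain-id per VAP group in this model, each pass keeps its own entry.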