IPv4 FQDN entry not created when IPv6 DNS reply with 0 answers

Article ID: 312468

Products

VMware vDefend Firewall

Issue/Introduction

  1. Run "curl https://sso.example.com" in the guest OS.
  2. No FQDN-entry creation log appears in dfwpktlogs.log:

    tail -f /var/run/log/dfwpktlogs.log | grep ##.##.##.228
    2023-09-25T07:35:38.308Z 24914357 INET L7 Rule pending PASS 3092 OUT 61 UDP ##.##.##.228/47795->##.##.##.11/53 <<<<<create FQDN entry log should after this log
    2023-09-25T07:35:38.335Z 24914357 INET match REJECT 1004 OUT 60 TCP ##.##.##.228/46598->##.##.##.97/443 S

  3. No FQDN entry is created:

    vsipioctl getfqdnentries -f nic-30010933-eth0-vmware-sfw.2
    No fqdn entry.

  4. The DNS reply to the IPv6 (AAAA) query contains 0 answer RRs:

    Frame 4: 133 bytes on wire (1064 bits), 133 bytes captured (1064 bits)
    Ethernet II, Src: Cisco_:##:##:## (68:7f:74:##:##:##), Dst: VMware_##:##:## (00:50:56:##:##:##)
    Internet Protocol Version 4, Src: ##.##.##.11, Dst: ##.##.##.229
    User Datagram Protocol, Src Port: 53, Dst Port: 35862
    Domain Name System (response)
        Transaction ID: 0xc4b3
        Flags: 0x8580 Standard query response, No error
        Questions: 1
        Answer RRs: 0 <<<<<
        Authority RRs: 1
        Additional RRs: 0
        Queries
        Authoritative nameservers <<<<<
        [Request In: 2]
        [Time: 0.021817000 seconds]

Environment

VMware NSX 4.1.0.2

Cause

A pending DNS transaction (TXN) asked for the IPv6 record, but the reply came back with 0 answer records and rcode == 0 (NOERROR). The current code does not treat such a reply as completing the transaction, so the transaction stays pending and the FQDN entry is never created.
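To make the failure condition concrete, the following added example (not VMware's code) builds a constructed DNS reply in wire format that matches the capture above (flags 0x8580, 1 question, 0 answers, 1 SOA in the authority section), parses it, and compares the pending-TXN rule described here with an assumed corrected rule in which a NOERROR reply with no answers (NODATA) still completes the transaction. The reply builder, the SOA contents and the "fixed" rule are assumptions for illustration, not NSX internals.

```python
import struct
from ipaddress import IPv6Address

QTYPE_SOA, QTYPE_AAAA = 6, 28

def _name(n):
    # DNS wire-format name: length-prefixed labels terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"

def _rr(name, rtype, ttl, rdata):
    return _name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_reply(txid, qname, answers=(), authority=()):
    # Flags 0x8580 = response, authoritative, RD, RA, rcode 0 (as in the capture)
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, len(answers), len(authority), 0)
    return header + _name(qname) + struct.pack("!HH", QTYPE_AAAA, 1) + b"".join(answers) + b"".join(authority)

# Constructed NODATA reply mirroring the article's frame: 1 question, 0 answers, 1 SOA authority RR.
SOA = _name("ns1.example.com") + _name("hostmaster.example.com") + struct.pack("!IIIII", 2023092501, 3600, 900, 604800, 300)
NODATA_REPLY = build_reply(0xC4B3, "sso.example.com", authority=[_rr("example.com", QTYPE_SOA, 300, SOA)])
# Constructed reply carrying one AAAA answer (2001:db8::1), for comparison.
AAAA_REPLY = build_reply(0xC4B4, "sso.example.com", answers=[_rr("sso.example.com", QTYPE_AAAA, 60, IPv6Address("2001:db8::1").packed)])

def _skip_name(msg, off):
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + ln

def classify_reply(msg):
    txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0xF, 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                      # QTYPE + QCLASS
    for _ in range(an):                                     # walk the answer section to validate it
        off = _skip_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]   # type, class, ttl, rdlen, rdata
    kind = "NXDOMAIN" if rcode == 3 else "ERROR" if rcode else "NODATA" if an == 0 else "ANSWER"
    return {"txid": txid, "rcode": rcode, "answers": an, "authority": ns, "kind": kind}

def txn_complete_buggy(info):
    # Behaviour the article describes: the transaction stays pending until answer records arrive.
    return info["answers"] > 0

def txn_complete_fixed(info):
    # Assumed corrected rule: NOERROR (even with 0 answers, i.e. NODATA) and NXDOMAIN are definitive.
    return info["rcode"] in (0, 3)
```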

Resolution

This issue is resolved in VMware NSX 4.1.2 available at Broadcom Downloads.
If you have difficulty finding and downloading software, please review the KB article Download Broadcom products and software.

Workaround:

Resolve the FQDN with ping first, e.g. "ping sso.example.com"; this triggers creation of the FQDN entry. Then run curl, or alternatively create the rule using an IP address or range instead of the FQDN.