vDS ports go into blocked state for security violations even when the security policy is enabled

Article ID: 317477


Products

VMware vSphere ESXi

Issue/Introduction

  • A VM is experiencing network connectivity loss when attached to a distributed portgroup that has "MAC address changes", "Promiscuous mode" or "Forged transmits" set to "Accept".
  • The VM, or an application on the VM, is intentionally operating in a way that would require one or more of the security policies to be enabled, such as a MAC address requesting to be changed from within the guest OS for CARP/VIP failover.
  • The logs show the VM's port is blocked due to an L2 security violation, despite the configuration in the vCenter UI showing the policy for such changes is set to "Accept."

  • Example logs in the vmkernel.log file:

    cpu#:cccc)etherswitch: L2Sec_EnforcePortCompliance: client <vmname> requested mac address change to <mac> on port 0x# #######, disallowed by vswitch policy
    cpu#:cccc)etherswitch: L2Sec_EnforcePortCompliance: client <vmname> has policy violations on port 0x#######. Port is blocked
  • The "net-dvs -l" command output shows the effective parameters "deny mac change" and "Allow MAC Change = False":
    com.vmware.vswitch.port.security = deny promiscuous; deny mac change; deny forged frames
            propType = POLICY
    com.vmware.vswitch.port.macManagement:
            Allow MAC Change = False
            MAC Learning = False
            Unknown Unicast Flooding = False
            MAC Limit = 4096
            MAC Limit Policy = ALLOW
            propType = CONFIG
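
The two checks below are an added example, not part of this article: one reads "net-dvs -l" output and reports ports whose effective host-side policy still says "deny mac change" (what the host enforces, regardless of what the vCenter UI shows), the other pulls the "Port is blocked" events out of vmkernel.log. The sample switch id, port ids, VM name and timestamps are constructed.

```shell
#!/bin/sh
# Added example (not from the KB). Assumes the net-dvs -l layout shown in the
# article ("port <id>:" sections with a com.vmware.vswitch.port.security line).
# On an ESXi host, run:  net-dvs -l | find_mac_change_denied
#                        find_blocked_ports < /var/log/vmkernel.log

# Print "port <id>" for every port whose effective security policy denies
# MAC changes. Reads net-dvs -l text on stdin.
find_mac_change_denied() {
    awk '
        # "port <id>:" opens a new port section in net-dvs -l output
        /^[ \t]*port [^:]+:/ { port = $2; sub(/:$/, "", port) }
        /com\.vmware\.vswitch\.port\.security =/ && /deny mac change/ && port != "" {
            print "port " port
        }
    '
}

# Print "<vmname> port <port>" for each L2 security block event. Reads
# vmkernel.log text on stdin; matches the second log line quoted in the KB.
find_blocked_ports() {
    sed -n 's/.*L2Sec_EnforcePortCompliance: client \(.*\) has policy violations on port \(0x[0-9a-fA-F]*\)\. Port is blocked.*/\1 port \2/p'
}

# Constructed sample input (ids and names are made up) so this runs offline.
SAMPLE_NETDVS='switch 50 1a 2b 3c 4d 5e 6f 70-81 92 a3 b4 c5 d6 e7 f8 (etherswitch)
        port 10:
                com.vmware.vswitch.port.security = deny promiscuous; deny mac change; deny forged frames
                        propType = POLICY
                com.vmware.vswitch.port.macManagement:
                        Allow MAC Change = False
        port 11:
                com.vmware.vswitch.port.security = allow promiscuous; allow mac change; allow forged frames
                        propType = POLICY'

SAMPLE_LOG='2024-01-01T00:00:00Z cpu3:2097501)etherswitch: L2Sec_EnforcePortCompliance: client vm-carp-a requested mac address change to 00:00:5e:00:01:01 on port 0x4000010, disallowed by vswitch policy
2024-01-01T00:00:00Z cpu3:2097501)etherswitch: L2Sec_EnforcePortCompliance: client vm-carp-a has policy violations on port 0x4000010. Port is blocked'

printf '%s\n' "$SAMPLE_NETDVS" | find_mac_change_denied   # prints: port 10
printf '%s\n' "$SAMPLE_LOG" | find_blocked_ports          # prints: vm-carp-a port 0x4000010
```

A port reported by the first check while the distributed portgroup shows "Accept" in the vCenter UI is the mismatch this article describes.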

Environment

VMware ESXi 8.0

Cause

  • This situation was introduced in vCenter 8.0 with the feature "MAC Learning configuration."
  • Although the setting appears to have been applied successfully in the vSphere UI, it is not propagated properly to the host, so the effective host-side setting is "Deny". Therefore, when a guest OS or application in a VM acts in a way covered by the policy, such as requesting a MAC address change, it is detected as a violation and the VM's port is blocked.

Resolution

This is resolved in ESXi 8.0 Update 2b, Build 23305546 (see the ESXi 8.0 Update 2b Release Notes).

Workaround: Use a virtual standard switch (vSS).

Additional Information

Impact/Risks: This only impacts distributed portgroups created or modified after the upgrade to (or on a fresh install of) vCenter 8.0 prior to 8.0 Update 2b, Build 23305546, when MAC Learning is set to Disabled.

See also: Configuring promiscuous mode on a virtual switch or on specific port group