VMware HCX
When using HCX-NE to extend VLAN port groups associated with a DVS (Distributed Virtual Switch), make sure the "MAC address changes" and "Forged transmits" policies on the DVS port group are set to Accept.
Otherwise, a packet originating from a cloud VM can reach the on-prem NE appliance's sink port attached to the extended segment, but it will be dropped at the DVS port group itself and will not reach the on-prem VM.
The difference between the MAC Address Changes and Forged Transmits security settings is the direction of the traffic. MAC Address Changes is concerned with the integrity of incoming traffic, while Forged Transmits oversees the integrity of outgoing traffic.
If the MAC Address Changes option is set to Reject, traffic from the HCX vNIC will not be passed through the DVS to the virtual machine (incoming) if the initial and the effective MAC addresses do not match. If the Forged Transmits option is set to Reject, traffic will not be passed from the virtual machine to the DVS (outgoing) if the initial and the effective MAC addresses do not match.
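One way to audit this setting on the extended port groups, as an added example that is not part of the original page or of VMware's tooling. The function name `Test-HcxExtendedPortgroupPolicy` and the port-group names are hypothetical; the sample objects are constructed to mirror the `VDPortgroup`, `MacChanges` and `ForgedTransmits` properties returned by PowerCLI's `Get-VDSecurityPolicy`.

```powershell
# Added example: flags HCX-NE extended port groups whose DVS security policy would drop traffic.
function Test-HcxExtendedPortgroupPolicy {
    [CmdletBinding()]
    param(
        # Objects exposing VDPortgroup, MacChanges and ForgedTransmits, as returned by
        # Get-VDSecurityPolicy ($true = Accept, $false = Reject).
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Policy
    )
    process {
        # Collect the traffic directions that the page says are blocked by a Reject setting.
        $dropped = @()
        if (-not $Policy.MacChanges)      { $dropped += 'incoming (MAC address changes = Reject)' }
        if (-not $Policy.ForgedTransmits) { $dropped += 'outgoing (Forged transmits = Reject)' }

        [pscustomobject]@{
            Portgroup       = "$($Policy.VDPortgroup)"
            MacChanges      = if ($Policy.MacChanges) { 'Accept' } else { 'Reject' }
            ForgedTransmits = if ($Policy.ForgedTransmits) { 'Accept' } else { 'Reject' }
            Compliant       = ($dropped.Count -eq 0)
            DroppedTraffic  = $dropped -join '; '
        }
    }
}

# Constructed sample input (hypothetical port-group names), so the check runs offline.
$sample = @(
    [pscustomobject]@{ VDPortgroup = 'pg-ext-vlan110'; MacChanges = $true;  ForgedTransmits = $true  }
    [pscustomobject]@{ VDPortgroup = 'pg-ext-vlan120'; MacChanges = $false; ForgedTransmits = $true  }
    [pscustomobject]@{ VDPortgroup = 'pg-ext-vlan130'; MacChanges = $false; ForgedTransmits = $false }
)
$sample | Test-HcxExtendedPortgroupPolicy | Format-Table -AutoSize

# Against a live vCenter (PowerCLI, after Connect-VIServer), feed the real policies instead:
#   Get-VDPortgroup -Name 'pg-ext-vlan110','pg-ext-vlan120' | Get-VDSecurityPolicy |
#       Test-HcxExtendedPortgroupPolicy | Where-Object { -not $_.Compliant }
# Remediate only the port groups that HCX-NE actually extends:
#   Get-VDPortgroup -Name 'pg-ext-vlan120' | Get-VDSecurityPolicy |
#       Set-VDSecurityPolicy -MacChanges $true -ForgedTransmits $true
```

Scoping the Accept setting to the extended port groups keeps both checks enforced on every other port group on the same DVS.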