Traffic traversing IPSEC and Load Balancer is dropped

Article ID: 371460

Products

VMware NSX

Issue/Introduction

  • The environment was recently upgraded to VMware NSX 4.x
  • The same IPSEC and load balancer (LB) configuration was working prior to upgrade.
  • Both IPSEC and LB are attached to the same Logical Router.
  • There are no alarms for IPSEC tunnels or LB in the NSX UI to indicate an issue.
  • Only traffic coming from IPSEC tunnel to LB is affected.
  • No issue with IPSEC traffic that bypasses the LB and goes directly to the backend server.
  • No issue with LB for traffic that does not originate from IPSEC tunnel.

Environment

VMware NSX 4.x

Cause

DNAT rules carry a flag indicating whether the rule should match policy-based VPN (PBVPN) decrypted traffic. The LB does not preserve this PBVPN flag for IPSEC-originated traffic, so the traffic no longer matches the DNAT rule and is dropped.

Resolution

This issue is resolved in VMware NSX 4.2.0.

Workaround:

Move IPSEC and LB to different Logical Routers.