Connectivity issue when HCX Network Extension (NE) are using Sink port

Article ID: 407556


Products

VMware HCX VMware vSphere ESXi

Issue/Introduction

Packet loss may occur on a bridged network (HCX Network Extension) when the following conditions are met:

  • You are using DVS version 6.5 or earlier, OR DVS is above 6.6 but HCX was deployed before the DVS switch was upgraded, creating a sink port instead of a mac-learning port
  • From the "net-dvs -l" output where the NE appliance is running, you confirmed that the NE appliance is configured as SINK:
    com.vmware.etherswitch.port.extraEthFRP =   SINK
  • "MAC address changes & Forged transmits" policies under DVS port-group are in Reject state. For more information, access: HCX-NE:Considerations of "MAC address changes & Forged transmits" policies under DVS port-group
  • The sink bit (0x10000) is missing:
    • Get portset name and port number by running net-stats -l
    • Run the following command and check whether 0x10000 is set or not:
      vsish -e get /net/portsets/$switch_name/ports/$port/status | grep -A 2 "accepted:filter" | grep flags

            accepted:filter {
               flags:0x0000000d <<<<----- it should be: 0x0001000d
               unicastAddr:00:50:##:##:##:##:
               numMulticastAddresses:0
               multicastAddresses:
               LADRF:[0]: 0x0 
               [1]: 0x0 

      Note: Expected output is 0x0001000d; if you are seeing the flag 0x0000000d, you are matching this KB.
  • Using pktcap-uw with the --trace option on the "uplink" interface, you observe that the packet is dropped at EtherswitchFwdCheckPolicy. The command is similar to:
    pktcap-uw --uplink vmnic# --srcip <source-ip> --dstip <destination-ip> --trace
      
      
            PATH:
              +- [11:46:44.230333] |                           VnicTx |   ######## |
              +- [11:46:44.230334] |                        PortInput |   ######## |
              +- [11:46:44.230334] |                          IOChain |            | VLAN_InputProcessor@com.vmware.vswitch#1.0.0
              +- [11:46:44.230335] |               EtherswitchDispath |   ######## |
              +- [11:46:44.230335] |        EtherswitchFwdCheckPolicy |   ######## |
              +- [11:46:44.230335] |        EtherswitchFwdCheckPolicy |   ######## |
              +- [11:46:44.230343] |                             Drop |    ########|
              +- [11:46:44.230343] |        EtherswitchFwdCheckPolicy |   ######## |
              +- [11:46:44.230343] |        EtherswitchFwdCheckPolicy |   ######## |
              +- [11:46:44.230344] |                             Drop |            |
              +- [11:46:44.230344] |        EtherswitchFwdCheckPolicy |   ######## |
              +- [11:46:44.230345] |                             Drop |            |
              +- [11:46:44.230345] |        EtherswitchFwdCheckPolicy |   ######## |
              +- [11:46:44.230346] |                             Drop |            |
              +- [11:46:44.230346] |        EtherswitchFwdCheckPolicy |   ######## |
              +- [11:46:44.230347] |                             Drop |            |
              +- [11:46:44.230347] |        EtherswitchFwdCheckPolicy |   ######## |
              +- [11:46:44.230348] |                             Drop |            |
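
The sink-bit condition listed above can be checked with a short script. This is an added example, not part of the original article or Broadcom tooling; the function names (accepted_filter_flags, sink_bit_state, report) are hypothetical and the sample inputs are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not Broadcom's code). Reads "vsish ... /status" text on stdin.
SINK_BIT=0x10000   # sink bit value quoted in the article

# Print the flags value of the first accepted:filter block, e.g. 0x0000000d.
accepted_filter_flags() {
    awk '
        /accepted:filter/ { in_block = 1; next }
        in_block && /flags:/ {
            sub(/.*flags:/, "")            # drop everything up to the value
            sub(/[^0-9a-fA-Fx].*/, "")     # drop trailing annotations
            print; exit
        }
        in_block && index($0, "}") { in_block = 0 }
    '
}

# Exit status: 0 = sink bit set, 1 = sink bit missing, 2 = flags not found.
sink_bit_state() {
    flags=$(accepted_filter_flags)
    case $flags in
        0x[0-9a-fA-F]*) ;;
        *) return 2 ;;
    esac
    [ $(( $flags & $SINK_BIT )) -ne 0 ]
}

# Print a one-line verdict for the status text on stdin.
report() {
    if sink_bit_state; then
        echo "sink bit set"
    else
        case $? in
            1) echo "sink bit missing (matches this KB condition)" ;;
            *) echo "accepted:filter flags not found" ;;
        esac
    fi
}

# Constructed sample inputs, modelled on the output shown in the article.
SAMPLE_MISSING='accepted:filter {
   flags:0x0000000d
   unicastAddr:00:50:##:##:##:##:'
SAMPLE_SET='accepted:filter {
   flags:0x0001000d
   unicastAddr:00:50:##:##:##:##:'

printf '%s\n' "$SAMPLE_MISSING" | report
printf '%s\n' "$SAMPLE_SET" | report
# On a host: vsish -e get /net/portsets/$switch_name/ports/$port/status | report
```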

Cause

The sink flag is removed from the ESXi host switchport, causing the packet to be dropped on the Uplink interface and never reach the NE switchport.

Resolution

This issue is resolved in VMware ESXi 8.0 U3, available at Broadcom downloads.
If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

Workaround:

Configure "MAC address changes & Forged transmits" to the "Accept" state, as per HCX-NE:Considerations of "MAC address changes & Forged transmits" policies under DVS port-group.