Network connectivity issues on VMs with DFW firewall rules enabled.



Article ID: 425834


Updated On:

Products

VMware NSX

Issue/Introduction

  • Virtual machines cannot establish TCP communication.
  • A DFW (Distributed Firewall) rule has 'Applied To' set to a group that contains an IP-range-based group.
  • Placing the VMs in the DFW exclusion list (which bypasses the DFW rules for them) restores connectivity.
  • Netcat tests between the servers time out. Command used: nc -zv <ip address> <port number>


Environment

VMware NSX

Cause

Using an IP-range-based group (directly or nested inside another group) in the 'Applied To' field of a DFW rule is not supported. 'Applied To' determines which vNICs the rule is programmed on, and an IP range cannot be resolved to vNICs, so the rule is not enforced as intended and the VMs' TCP traffic is dropped at the DFW (DVFilter) stage.

Resolution

Configure a VM-based group (membership defined by VMs, tags, or segments rather than by IP range) in the 'Applied To' field of the firewall rule. IP-range-based groups remain usable in the Source and Destination fields.

Refer article for adding policy: https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-0/security-quick-start-guide/NSX-Security-Overview=GUID-81388763-21D0-48DA-820B-B366FB098D29=3=en=/configuring-your-policy/configuring-your-polic-1/configuring-your-policy.html

Additional Information

  • In packet captures taken on the distributed switch used by the source VM, the TCP packets (the SYN of the connection attempt) are seen leaving the vNIC but are dropped on the distributed switch at the stage where the DFW rules are applied.
  • The commands below capture at DVS level, before and after the DVFilter (DFW) stage. Replace <switchportid> with the switchport ID used by the VM (for example from net-stats -l on the ESXi host).
        pktcap-uw --switchport <switchportid> --capture PreDVFilter -o - | tcpdump-uw -enr -
        pktcap-uw --switchport <switchportid> --capture PostDVFilter -o - | tcpdump-uw -enr -
  • If a packet is present in the PreDVFilter capture and absent from the PostDVFilter capture, it was dropped by the DFW. If it is absent from both, the guest never sent it and the DFW is not the cause.
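The procedure above (capture before and after DVFilter, then compare) as an added, runnable example; this script is not part of the KB article. The capture_pre_post function only runs on an ESXi host where pktcap-uw and tcpdump-uw exist and is not executed here; the comparison functions work on the decoded text output of "tcpdump-uw -enr -". The function names, the switchport handling and the sample capture lines (constructed in the tcpdump -e line format for a host 10.1.1.10 retrying a SYN to 10.1.1.20:443) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the KB article. Assumes pktcap-uw / tcpdump-uw
# output has been saved as text; sample lines below are constructed.

# ESXi host only: capture N packets at both DVFilter stages for one vNIC.
# Run "nc -zv <ip> <port>" from the source VM while this is active.
capture_pre_post() {
    switchport="$1"; count="${2:-20}"
    pktcap-uw --switchport "$switchport" --capture PreDVFilter -c "$count" -o - \
        | tcpdump-uw -enr - > "pre-${switchport}.txt" &
    pktcap-uw --switchport "$switchport" --capture PostDVFilter -c "$count" -o - \
        | tcpdump-uw -enr - > "post-${switchport}.txt" &
    wait
}

# Count TCP SYNs to <dst ip>:<dst port> in a decoded capture file.
# tcpdump prints a SYN as "src.port > dst.port: Flags [S]".
# $1 = file, $2 = destination IP, $3 = destination port
count_syn() {
    grep -cF " > $2.$3: Flags [S]" "$1" || true
}

# Compare the two captures for one connection attempt.
# $1 = pre-DVFilter file, $2 = post-DVFilter file, $3 = dst IP, $4 = dst port
dfw_verdict() {
    pre=$(count_syn "$1" "$3" "$4")
    post=$(count_syn "$2" "$3" "$4")
    if [ "$pre" -eq 0 ]; then
        echo "not-seen-at-vnic"   # guest never sent the SYN: not a DFW drop
    elif [ "$post" -lt "$pre" ]; then
        echo "dropped-by-dfw"     # left the vNIC, never passed the DVFilter
    else
        echo "forwarded"          # DFW passed it; look further along the path
    fi
}

# Constructed sample captures: three SYN retries to 10.1.1.20:443 are seen
# before DVFilter, none after it; an unrelated ICMP packet passes both stages.
make_samples() {
    dir="$1"
    cat > "$dir/pre.txt" <<'EOF'
12:00:00.000001 00:50:56:aa:00:01 > 00:50:56:aa:00:02, ethertype IPv4 (0x0800), length 74: 10.1.1.10.45678 > 10.1.1.20.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000001 00:50:56:aa:00:01 > 00:50:56:aa:00:02, ethertype IPv4 (0x0800), length 74: 10.1.1.10.45678 > 10.1.1.20.443: Flags [S], seq 1, win 64240, length 0
12:00:03.000001 00:50:56:aa:00:01 > 00:50:56:aa:00:02, ethertype IPv4 (0x0800), length 74: 10.1.1.10.45678 > 10.1.1.20.443: Flags [S], seq 1, win 64240, length 0
12:00:03.500000 00:50:56:aa:00:01 > 00:50:56:aa:00:02, ethertype IPv4 (0x0800), length 98: 10.1.1.10 > 10.1.1.20: ICMP echo request, id 1, seq 1, length 64
EOF
    cat > "$dir/post.txt" <<'EOF'
12:00:03.500000 00:50:56:aa:00:01 > 00:50:56:aa:00:02, ethertype IPv4 (0x0800), length 98: 10.1.1.10 > 10.1.1.20: ICMP echo request, id 1, seq 1, length 64
EOF
}

# Demo on the constructed samples (on a real host, use the files written by
# capture_pre_post instead).
tmp=$(mktemp -d)
make_samples "$tmp"
dfw_verdict "$tmp/pre.txt" "$tmp/post.txt" 10.1.1.20 443
rm -rf "$tmp"
```

The verdict is keyed on the SYN because a timed-out "nc -zv" means the handshake never started; matching on "Flags [S]" to the exact destination IP and port keeps unrelated traffic (the ICMP line in the sample) from masking the drop.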