• When you perform a Traceflow where the source is a virtual machine on a VLAN-backed segment and the destination is a virtual machine on an Overlay-backed segment, the trace fails.
• The Traceflow UI or log observations report the following drop reason: 
   `Dropped by VLAN`
• Data plane communication (ping, TCP, etc.) between the virtual machines functions normally despite the Traceflow failure.

VMware NSX

This issue is caused by a known architectural limitation. The NSX Edge does not currently support the processing or re-injection of Traceflow packets that originate from a VLAN-backed segment when they are destined for an Overlay-backed segment.

This is expected behavior and does not indicate a failure in the actual network data plane. 

Subscribe to this knowledge article for updates regarding future support for this Traceflow path.

Workaround
To verify the logical pipeline and firewall rule enforcement between these segments, perform the following:

1. Initiate the Traceflow in the reverse direction: set the **Overlay-backed VM** as the Source and the **VLAN-backed VM** as the Destination.
2. Observe the results. Although the trace will terminate at the Tier-0/Tier-1 Gateway (as the Edge cannot inject the specialized packet into the final VLAN segment), you can successfully verify the Distributed Firewall (DFW) and Gateway Firewall (GWFW) rules applied to the traffic.

Alternatively, use standard packet capture tools (e.g., `pktcap-uw` on the ESXi hosts or the NSX Packet Capture tool) to verify the transit of actual production traffic.

NSX 4.1 Administration Guide: Perform a Traceflow.