Service Mesh is newly deployed.
Port tests to the HCX appliance fail, even though no network firewall between the HCX appliances is dropping packets.
1. SSH into the source HCX Manager appliance as admin.
2. Access the HCX Central CLI:
   ccli
3. View the HCX appliances:
   list
4. Connect to the source Sentinel Gateway (SGW) appliance. Replace # with the number of the source Sentinel Gateway (SGW) appliance in the list output:
   go #
5. SSH into the SGW appliance:
   ssh
6. Test if the socket is open. Replace #.#.#.# with the IP address of the source Interconnect (IX) appliance:
   nmap -n #.#.#.# -p 44500,44501,44502
The output shows the ports as filtered instead of the expected open.
PORT STATE SERVICE
44500/tcp filtered unknown
44501/tcp filtered unknown
44502/tcp filtered unknown
7. Test connectivity from the source SGW to the IX appliance. Replace #.#.#.# with the IP address of the source IX appliance:
   nping --tcp -c 1 -p 44500,44501,44502 #.#.#.#
   Connectivity fails.
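As an added example (not part of the original article), the shell function below reads nmap output such as that in step 6 and reports the state of ports 44500-44502, separating "filtered" (probe dropped by a packet filter) from "closed" (host answered, nothing listening). The function names and the per-state explanations are this example's own, and it assumes awk is available wherever the scan output is examined.

```shell
#!/bin/sh
# Added example: classify nmap results for the three ports tested in step 6.
OSAM_PORTS="44500 44501 44502"

# Reads nmap normal output on stdin, prints one line per expected port,
# and returns 0 only when every expected port is reported as open.
check_osam_ports() {
    awk -v ports="$OSAM_PORTS" '
        BEGIN { n = split(ports, want, " ") }
        # Result rows look like: 44500/tcp filtered unknown
        $1 ~ /^[0-9]+\/tcp$/ { split($1, a, "/"); state[a[1]] = $2 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                p = want[i]
                s = (p in state) ? state[p] : "missing"
                if (s == "open")          why = "listener reachable"
                else if (s == "filtered") why = "no usable reply: dropped by a packet filter"
                else if (s == "closed")   why = "host replied with RST: nothing listening"
                else                      why = "port not present in scan output"
                printf "%s/tcp %-8s %s\n", p, s, why
                if (s != "open") bad++
            }
            exit (bad > 0)
        }'
}

# The output shown in the article for step 6, reproduced as sample input.
sample_kb_output() {
    printf '%s\n' \
        'PORT STATE SERVICE' \
        '44500/tcp filtered unknown' \
        '44501/tcp filtered unknown' \
        '44502/tcp filtered unknown'
}

sample_kb_output | check_osam_ports || echo "result: not all expected ports are open"
```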
HCX 4.11.3
The HCX Sentinel appliance is missing the firewall configuration for the sockets required by OS Assisted Migration (OSAM); this configuration was not applied during deployment of the Interconnect (IX) and Sentinel (SGW/SDR) appliances. This may occur if changes are made to the Service Mesh before appliance deployment is completed.
Resync the Service Mesh. See Update and Synchronize the Service Mesh.
For more information about HCX required ports and protocols, see VMware HCX Ports and Protocols.