Slow LDAP responses on Domain Controllers with NSX Introspection and Rapid7

Article ID: 434180

Products

VMware vSphere ESXi, VMware NSX

Issue/Introduction

Windows-based Domain Controller virtual machines (VMs) experience severe network latency and slow response times for specific traffic.

  • LDAP/LDAPS queries (ports 389/636) take 6–10 seconds to respond.
  • TCP handshakes exhibit a consistent 6-second delay.
  • Citrix Netscaler or other load balancers may report the Domain Controller as "offline" due to connection timeouts.
  • RDP and ICMP (ping) traffic typically remain unaffected.
  • Physical Domain Controllers in the same VLAN do not exhibit these symptoms.

Environment

VMware NSX

Cause

  • The issue is caused by a driver conflict between the NSX Network Introspection Driver (vnetwfp.sys), installed as part of VMware Tools, and third-party security software (such as Rapid7).
  • Both the NSX Introspection driver and the security software utilize the Windows Filtering Platform (WFP) to inspect network traffic.
  • When both are active, a conflict in the filter stack can lead to delayed packet processing or packet injection failures during the TCP handshake.

Resolution

  • Currently there is no resolution for this issue.
  • As a workaround, the NSX Network Introspection component can be removed from the virtual machine by following the instructions below.

Workaround

Modify VMware Tools Installation

  1. Log in to the vSphere Client and mount the VMware Tools installer on the affected VM.
  2. In the Guest OS, run the setup package and select Modify.
  3. Expand the VMCI Driver section.
  4. Deselect NSX Network Introspection Driver (change to "Entire feature will be unavailable").
  5. Complete the wizard and reboot the VM.
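Before and after applying the workaround, a check like the following confirms whether the vnetwfp.sys driver is still registered in the guest and whether the LDAP/LDAPS TCP handshake still shows the multi-second delay described above. This is an added example, not part of the KB article; it runs inside the Windows guest, matches the driver by the file name given in this article, and the Domain Controller name is a placeholder.

```powershell
# Added diagnostic example (not from the KB article). Assumes PowerShell 5.1+ in the
# Windows guest; the driver is matched on the file name vnetwfp.sys named in the article.

function Get-NsxIntrospectionDriver {
    # Win32_SystemDriver enumerates kernel drivers registered with the Service Control Manager.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*vnetwfp.sys*' } |
        Select-Object Name, State, StartMode, PathName
}

function Measure-TcpHandshake {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int[]]$Ports = @(389, 636),
        [int]$Samples = 5,
        [int]$TimeoutMs = 15000
    )
    foreach ($port in $Ports) {
        $times = foreach ($i in 1..$Samples) {
            $client = New-Object System.Net.Sockets.TcpClient
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            try {
                # Only the TCP handshake is timed; no LDAP bind or query is sent.
                $async = $client.BeginConnect($ComputerName, $port, $null, $null)
                if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "connect timeout" }
                $client.EndConnect($async)
                $sw.Elapsed.TotalMilliseconds
            } catch {
                [double]::NaN
            } finally {
                $sw.Stop(); $client.Dispose()
            }
        }
        $ok = @($times | Where-Object { -not [double]::IsNaN($_) })
        [pscustomobject]@{
            Port       = $port
            Samples    = $Samples
            Failed     = $Samples - $ok.Count
            MaxMs      = if ($ok) { [math]::Round(($ok | Measure-Object -Maximum).Maximum) } else { $null }
            MedianMs   = if ($ok) { [math]::Round(@($ok | Sort-Object)[[int][math]::Floor($ok.Count / 2)]) } else { $null }
            # Healthy handshakes on a LAN take milliseconds; anything over 2 s points at the delay this article describes.
            Suspicious = [bool]($ok | Where-Object { $_ -gt 2000 })
        }
    }
}

Get-NsxIntrospectionDriver
Measure-TcpHandshake -ComputerName 'dc01.example.internal'   # placeholder DC name
```

An empty result from Get-NsxIntrospectionDriver after the reboot confirms the driver was removed; a handshake measured in milliseconds confirms the latency symptom is gone.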

Note: If the environment uses NSX Identity Firewall and disabling the NSX Network Introspection component is not an option, raise a case with Broadcom for a resolution.

Additional Information

How to cleanly remove the NSX Network Introspection driver from VMware Tools