SSH Connection Timed Out and Software Caused Connection Abort to ESXi Hosts

Article ID: 438185

Products

VMware vSphere ESXi

Issue/Introduction

Remote SSH connections to ESXi fail despite the service being active and the host firewall being correctly configured. 

  • Connections from the same local subnet function as expected.
  • PuTTY client reports: Network error: Software caused connection abort.

  • Verbose SSH output (ssh -vvv) from PowerShell displays: key_exchange_identification: read: Connection timed out.

  • Packet captures on the ESXi management interface (vmk0) show incoming TCP SYN packets from remote clients, but the host fails to respond with a TCP SYN-ACK.

Environment

VMware vSphere ESXi 8.x

Cause

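In this scenario, the upstream firewall is forwarding the Layer 3 IP packet correctly, but it is failing to update the Layer 2 destination hardware (MAC) address of the frame. Clients on the same local subnet are unaffected because their traffic does not pass through the firewall.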
When the ESXi host's physical NIC receives the frame, the network stack inspects the destination MAC address. Because the MAC address in the frame header does not match the local vmk0 MAC address, the ESXi host treats the frame as "not destined for this host" and silently discards it.

Resolution

  1. Identify the physical uplink (vmnic) associated with the management VMkernel interface (vmk0):

    Type esxtop and press Enter.
    Press n to switch to the Network view.
    Locate vmk0 in the USED-BY column.
    Identify the active physical interface in the TEAM-PNIC column.
  2. Perform a packet capture on the ESXi host management interface using pktcap-uw to verify the destination MAC address of incoming TCP 22 traffic. Replace vmnicX with the uplink identified in step 1:

    pktcap-uw --uplink vmnicX --capture UplinkRcvKernel,UplinkSndKernel --srcip 192.168.##.## --dstip 10.##.##.## --tcpport 22 -o /tmp/ssh22.pcap

  3. Confirm the MAC address of the vmk0 interface using the command: esxcfg-vmknic -l.

  4. Compare the destination MAC in the capture (using Wireshark) with the actual vmk0 MAC. If they differ, the issue resides in the upstream network equipment and you need to work with the network/firewall team.
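
The comparison in step 4 can also be scripted. The following is an added example, not part of the original article or a VMware tool: it lists TCP SYN packets to port 22 whose Ethernet destination MAC differs from the vmk0 MAC. It assumes the capture file is in classic libpcap format with Ethernet link type and untagged IPv4 frames; the MAC and IP addresses are constructed sample values.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def mismatched_syns(pcap, vmk0_mac, port=22):
    """Return (src_ip, dst_mac) for each TCP SYN to `port` whose Ethernet
    destination MAC differs from vmk0_mac (untagged IPv4 frames only)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    hits, off = [], 24                      # records start after the 24-byte header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                        # short frame, or EtherType is not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 14:
            continue                        # not TCP, or TCP header truncated
        tcp = frame[14 + ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        syn_only = (tcp[13] & 0x12) == 0x02  # SYN set, ACK clear
        dst = mac(frame[0:6])
        if dport == port and syn_only and dst != vmk0_mac.lower():
            hits.append((".".join(map(str, frame[26:30])), dst))
    return hits

def _frame(dst_mac, src_ip, dport, flags):  # builds one constructed test frame
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes(6) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(src_ip), bytes((192, 0, 2, 5)))
    return eth + ip + struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)

def _pcap(frames):                          # wraps frames in a classic pcap file
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
VMK0 = "00:00:5e:00:53:10"  # constructed; use the value from esxcfg-vmknic -l
SAMPLE = _pcap([            # constructed capture, documentation addresses
    _frame(VMK0, (192, 0, 2, 10), 22, 0x02),                   # correct MAC
    _frame("00:00:5e:00:53:99", (198, 51, 100, 7), 22, 0x02),  # wrong MAC
    _frame("00:00:5e:00:53:99", (198, 51, 100, 7), 443, 0x02), # other port
])

if __name__ == "__main__":
    print(mismatched_syns(SAMPLE, VMK0))
```

An empty result means every captured SYN was addressed to vmk0; any entry names a remote source whose frames the host would discard.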

 

Additional Information

For additional details on capturing packets on an ESXi host, see: Packet capture on ESXi using the pktcap-uw tool