Users may experience the following connectivity issues after migrating Citrix NetScaler virtual machines (VMs) to a different VMware cluster:

• Citrix NetScaler VMs on specific VLANs (e.g., VLAN 758) lose all external communication.
• The NetScaler Subnet IP (SNIP) becomes inaccessible from outside the VMware environment.
• Virtual machines are unable to ping their default gateway.
• Connectivity tests from other VMs on the same port group result in "Destination host unreachable."

• VMware vSphere ESXi
• Citrix NetScaler (VPX) HA Pair
• VMware Virtual Distributed Switch (VDS)

The issue may be caused by the physical network infrastructure failing to respond to ARP requests sent from the ESXi host. While the ESXi host and VDS correctly tag and forward traffic to the physical uplinks, the physical switch or upstream router does not return the required ARP replies.

To resolve this issue, perform the following troubleshooting steps to isolate the failure point:

1. Validate VMware Networking Configuration

• Ensure the port group on the Virtual Distributed Switch (VDS) is configured with the correct VLAN ID.
• Verify that the active and standby uplinks (e.g., vmnic2, vmnic3) are correctly assigned to the port group.
• Confirm that the physical switch ports connected to these vmnics are configured as Trunk ports allowing the required VLANs.

2. Isolate the Appliance

• Deploy a standard test VM (e.g., Windows or Linux) on the same port group and VLAN as the NetScaler.
• Assign a static IP address within the same subnet.
• Attempt to ping the default gateway. If this also fails with "Destination host unreachable," the issue is likely at the network layer rather than within the NetScaler configuration.

3. Perform Packet Captures on ESXi Uplinks

• Use pktcap-uw or the ESXi command line to capture traffic on the specific physical uplink (vmnic) used by the VM.
• Review the capture to confirm if ARP Requests sourced from the VM's MAC address are exiting the vmnic.
• Check if any ARP Replies are being received from the physical network.

4. External Infrastructure Review

If packet captures confirm that ARP requests are leaving the ESXi host but no replies are returning, provide the capture data to your Physical Network Team. They should verify:

• Correct VLAN tagging on the physical switch ports.
• Proper ARP table entries on the upstream router/gateway.
• Any MAC address filtering or security policies (e.g., Port Security) that may be blocking the new cluster's uplinks.