The Multi Domain Servers and the VSX clusters (VS0) are located in a firewall management network.
This firewall management network is protected by a non-VSX cluster. This cluster is the default gateway of the Multi Domain servers.
There is no route from the Domain Servers to the virtual systems. Not even physically.
So every time a Domain Server tries to contact a virtual system on the VSX clusters, it is sent via the default gateway and is dropped by this non-VSX cluster securing the firewall management network.
So the traffic is not dropped by a virtual system (VS0 or any other virtual system) but by a completely different non-VSX cluster. So internal logic is not relevant here.
All is working and Monitor is showing all VSs OK within the Domain Servers. Policy installs, logging, it all works. So there is no need for the Domain Server to contact the VSs this way.
I have added a simple network drawing.
The MDM servers and VSX clusters (VS0) are located in network 22.214.171.124 / 24. The Multi Domain server is 126.96.36.199 and the Domain Server managing VS1 is 188.8.131.52.
The default gateway for the VSX clusters and Multi Domain servers is 184.108.40.206, the non-VSX cluster.
VS1 is created in a VSX cluster with IP-addresses 220.127.116.11 and 18.104.22.168. Let's say 22.214.171.124 is the main address.
In the non-VSX cluster 126.96.36.199 we can see packets being dropped from 188.8.131.52 to 184.108.40.206 for Check Point services.