And no, I do not have the 192.168.196.0/24 anywhere on my network, as sk101448 "Traffic is originating from a VS (virtual system) with the VSX internal communication address" describes.
One of my clients has just reported seeing the same issue in his environment, and I've spun up the VSX VSLS cluster on ESXi to see what's what and am seeing the same thing (each VS is active on a different cluster member):
and from a practically identical VS on the same cluster:
At the end of the previously mentioned sk, there is a workaround suggesting:
"If the 192.168.196.0/24 network can not be removed from the local network, then the 192.168.196.0/24 network must be removed from the NAT policy"
But I'd like to hear about the implications of doing it before trying it out.