This message was deleted.

I just retried the same SSH forward test from the machine that hosts rancher and it works equally well. That rules out firewall issues etc.

I think Rancher does some things via triggering from an encrypted, preexisting channel that it sets up with its agent on the cluster. I think general network rules are client clusters can get to Rancher but Rancher is not guaranteed to get to client clusters. So it probably does trigger that way.

there is no traffic either direction

No clue then, that's the only guess I had.

I'm capturing on "any" using these filter expressions:

rancher side: '( tcp port 22 and host not <my workstation IP> ) or host <node IP>'
node side: '( tcp port 22 and host not <my workstation IP> ) or host <rancher IP>'

Only other guess I have is if the rancher & node are VMs on the same hypervisor, the traffic might not get to where libpcap is watching.

different ESXes

You can miss the occasional packet from paging when trying to capture on one of the machines involved in traffic, but all of them consistently seems unlikely. I'm assuming you get enough other traffic to know that libpcap is working and it's not something getting confused with network virtualization.

if i establish an SSH connection between the two hosts myself, I see that in both wiresharks