1. Is the VM "plugged" into the right vSwitch/network?
2. Can you add the VM to vShield App's exclusion list? (it gives you a list of VM's and you can pick it out).
3. is vShield App installed on just 1 host, or is it on hte entire cluster? vShield App should be deployed across a cluster and not onesy-twosy, and can cause issues. One issue is in 5.1.2a, and that is if you move a VM from a non-vshield App protected host, to a vshield app protected host, it will not allow the VM any networking until you add it to the exclusion list.
4. Check at higher levels if you enabled firewall rules at the datacenter/host/port group level. Remember vshield app is conceptually a firewall on every vNIC, so if you have a "deny" rule at the bottom of your firewall at the datacenter level, only VM's with exclusions will have any kind of communications. You can make port groups "independent" of the higher level rules (say in a multi-tenancy scenario), you have to go to the port group in the "networking" drop down in vCNS manager, then change the port group to be "independent namespace".