The first reaction of one of my collegues was what is that? When you lookup where it is short for it makes much more sense! TOFU stands for "Trust on first Use" and is the opposite of TOEU, which stands for "Trust on every Use".
In NSX the IP addresses on ports are learned by ARP snooping and VMware tools. If you use a VM in a group the ip address is needed for the DFW.
You can switch between TOFU and TOEU at the segment profiles.
In my case the IP address of a VM was learned at a VM, but after deployment the network was changed and a new IP address was set. NSX still kept the old IP address because of TOFU. Normally this isn't a big problem, but just moments later a new deployment was done and this new VM got the first free IP address, the IP still learned at the other VM. The ruleset in my DFW setup uses deny rules to protect certain workloads, causing this new VM unable to reach any other VM in the netwerk.
To fix this issue you can do two things: