Rewrite 'ACTION DROP' is not working as expected on Citrix ADC (NetScaler) VPX

Article ID: CTX204349

Description

The following rewrite policy does not work as expected when the intent is to explicitly drop matched traffic rather than send a reset:

add rewrite policy test_rewrite_policy "CLIENT.SSL.CLIENT_CERT.SUBJECT.CONTAINS(\"user1\")" DROP
bind vpn vserver nsctx.local -policy test_rewrite_policy -priority 100 -gotoPriorityExpression END -type REQUEST

The expected behaviour is for the request to be silently dropped with no response to the client. On VPX, however, the observed behaviour resembles a RESET even though the action is DROP; the same policy with the same DROP action works as expected on MPX.

Different behaviours are observed on VPX and MPX, as listed below:

With DROP action on VPX:
The client sees "This page can't be displayed". NetScaler tells the client that it must re-establish its session with the web server.

With DROP action on MPX:
No error message and no response. An MPX running the same version, with the same configuration as the VPX, behaves as a true DROP.

Resolution

There is presently no solution to this behaviour on the VPX platform. It is expected, given the manner in which the packet engines process traffic on VPX (see Problem Cause below for details).

Problem Cause

This is a known behaviour: Citrix ADC (NetScaler) VPX does not have SSL hardware acceleration, and the manner and order in which traffic is processed results in a response being sent to the client.

The difference in behaviour between Citrix ADC (NetScaler) MPX and VPX lies in how application data is acknowledged.

On Citrix ADC (NetScaler) MPX, the application data is acknowledged and the connection is then dropped, so there is no reset and no error page is displayed.

On Citrix ADC (NetScaler) VPX, the connection is dropped without acknowledging the application data. The client therefore retransmits the request; because the connection has already been freed by the earlier drop, Citrix ADC (NetScaler) treats the retransmission as a stray packet and resets the connection.
 
NOTE:
On Citrix ADC (NetScaler) MPX/VPX appliances with a dedicated SSL core, the ACK appears to be generated by the SSL core itself.
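The following is an added example, not Citrix code and not part of the original article. It models the two teardown paths described above (MPX acknowledges the request data and drops silently; VPX drops without acknowledging, the client retransmits, and the retransmission is reset as a stray packet) and includes a small tcpdump-line classifier that an administrator can run against a capture taken on the client to confirm which behaviour a given appliance is actually exhibiting. The addresses, ports and capture lines are constructed for illustration; the model deliberately omits TLS and TCP details that do not affect the outcome.

```python
import re
from dataclasses import dataclass

# Constructed sample endpoints (not from the article): client socket and ADC VIP.
CLIENT = "10.0.0.5.51000"
VIP = "10.0.0.10.443"


@dataclass
class Segment:
    src: str        # "client" or "adc"
    flags: str      # tcpdump-style flag letters, e.g. "P." (PSH,ACK), "." (ACK), "R" (RST)
    length: int = 0 # payload bytes


def teardown_after_drop(acks_app_data: bool):
    """Simplified model of the exchange once the rewrite DROP action fires.

    acks_app_data=True  models the MPX path: the ADC ACKs the request data and
                        frees the connection, so the client hears nothing more.
    acks_app_data=False models the VPX path: the ADC frees the connection without
                        ACKing, the client retransmits the unacknowledged data,
                        and the retransmission hits a freed connection and is
                        answered with a RST (treated as a stray packet).
    """
    trace = [Segment("client", "P.", 512)]      # request carrying the matched pattern
    if acks_app_data:
        trace.append(Segment("adc", ".", 0))     # ACK the data, then drop silently
        return trace
    trace.append(Segment("client", "P.", 512))  # retransmission of the unACKed request
    trace.append(Segment("adc", "R", 0))        # stray packet on a freed connection -> RST
    return trace


# Matches the relevant parts of a tcpdump text line, e.g.
# "12:00:01.000001 IP 10.0.0.5.51000 > 10.0.0.10.443: Flags [P.], seq 1:513, ack 1, win 502, length 512"
LINE_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)"
)


def parse_tcpdump(lines, vip=VIP):
    """Turn tcpdump text output into Segment objects, tagging the ADC side by its VIP."""
    segments = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not TCP segments (ARP, truncation notices, ...)
        src = "adc" if m.group("src") == vip else "client"
        segments.append(Segment(src, m.group("flags"), int(m.group("len"))))
    return segments


def classify(segments):
    """Return 'RESET' if the ADC sent a RST to the client, otherwise 'DROP' (silence)."""
    if any(s.src == "adc" and "R" in s.flags for s in segments):
        return "RESET"
    return "DROP"


def client_retransmissions(segments):
    """Number of client data segments beyond the first, i.e. retransmissions of unACKed data."""
    data_segments = sum(1 for s in segments if s.src == "client" and s.length > 0)
    return max(data_segments - 1, 0)


# Constructed capture snippets (not real captures) showing the two observed behaviours.
VPX_CAPTURE = [
    "12:00:01.000001 IP 10.0.0.5.51000 > 10.0.0.10.443: Flags [P.], seq 1:513, ack 1, win 502, length 512",
    "12:00:01.200001 IP 10.0.0.5.51000 > 10.0.0.10.443: Flags [P.], seq 1:513, ack 1, win 502, length 512",
    "12:00:01.200100 IP 10.0.0.10.443 > 10.0.0.5.51000: Flags [R], seq 1, win 0, length 0",
]
MPX_CAPTURE = [
    "12:00:01.000001 IP 10.0.0.5.51000 > 10.0.0.10.443: Flags [P.], seq 1:513, ack 1, win 502, length 512",
    "12:00:01.000150 IP 10.0.0.10.443 > 10.0.0.5.51000: Flags [.], ack 513, win 1024, length 0",
]

if __name__ == "__main__":
    for label, acks in (("MPX model", True), ("VPX model", False)):
        print(label, "->", classify(teardown_after_drop(acks)))
    for label, capture in (("VPX capture", VPX_CAPTURE), ("MPX capture", MPX_CAPTURE)):
        segs = parse_tcpdump(capture)
        print(label, "->", classify(segs), "retransmissions:", client_retransmissions(segs))
```

To check a live appliance, take a capture on the client (for example `tcpdump -nn host <VIP> and port 443`), feed the text lines to `parse_tcpdump` with the appliance's VIP, and look at `classify`: a DROP result with zero retransmissions matches the MPX behaviour in the article, while a RESET after one or more retransmissions matches the VPX behaviour.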