diff --git a/api/src/com/cloud/agent/api/SecurityIngressRuleAnswer.java b/api/src/com/cloud/agent/api/SecurityIngressRuleAnswer.java
index b56048bb28d..caaf00006ce 100644
--- a/api/src/com/cloud/agent/api/SecurityIngressRuleAnswer.java
+++ b/api/src/com/cloud/agent/api/SecurityIngressRuleAnswer.java
@@ -18,8 +18,16 @@ package com.cloud.agent.api;
 public class SecurityIngressRuleAnswer extends Answer {
+ public static enum FailureReason {
+ NONE,
+ UNKNOWN,
+ PROGRAMMING_FAILED,
+ CANNOT_BRIDGE_FIREWALL
+ }
 Long logSequenceNumber = null;
 Long vmId = null;
+ FailureReason reason = FailureReason.NONE;
+
 protected SecurityIngressRuleAnswer() {
 }
@@ -34,6 +42,14 @@ public class SecurityIngressRuleAnswer extends Answer {
 super(cmd, result, detail);
 this.logSequenceNumber = cmd.getSeqNum();
 this.vmId = cmd.getVmId();
+ reason = FailureReason.PROGRAMMING_FAILED;
+ }
+
+ public SecurityIngressRuleAnswer(SecurityIngressRulesCmd cmd, boolean result, String detail, FailureReason r) {
+ super(cmd, result, detail);
+ this.logSequenceNumber = cmd.getSeqNum();
+ this.vmId = cmd.getVmId();
+ reason = r;
 }
 public Long getLogSequenceNumber() {
@@ -44,4 +60,12 @@ public class SecurityIngressRuleAnswer extends Answer {
 return vmId;
 }
+ public FailureReason getReason() {
+ return reason;
+ }
+
+ public void setReason(FailureReason reason) {
+ this.reason = reason;
+ }
+
 }
diff --git a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
index 027710a4e8b..361a2138123 100644
--- a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
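Review bot: The new FailureReason constants are undocumented, and nothing in the hunk says how NONE differs from UNKNOWN, which matters because NONE is also the field default (`FailureReason reason = FailureReason.NONE;`) and so is what a consumer sees on a successful answer and, presumably, on any answer deserialized without the field. A short Javadoc on the enum, along the lines of `/** Why the agent could not program the rules; NONE means no failure. */` plus one line per constant stating when the agent sets it, would settle that. `static` on a nested enum is implicit and is normally left out.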
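Review bot: The three-argument constructor now sets `reason = FailureReason.PROGRAMMING_FAILED;` regardless of `result`, so an answer built through it with `result == true` reports a programming failure; whether any caller does that is not visible here, but the constructor should not rely on it. Deriving the value keeps both cases consistent: `reason = result ? FailureReason.NONE : FailureReason.PROGRAMMING_FAILED;`. The new four-argument constructor repeats the same field assignments; `this(cmd, result, detail);` followed by `reason = r;` would keep the two in step. Both constructors lack Javadoc; `@param r` should say that it replaces the reason otherwise inferred from the result.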
@@ -4819,8 +4819,10 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
 }
 if (!_canBridgeFirewall) {
- s_logger.info("Host " + _host.ip + " cannot do bridge firewalling");
- return new SecurityIngressRuleAnswer(cmd, false, "Host " + _host.ip + " cannot do bridge firewalling");
+ s_logger.warn("Host " + _host.ip + " cannot do bridge firewalling");
+ return new SecurityIngressRuleAnswer(cmd, false,
+ "Host " + _host.ip + " cannot do bridge firewalling",
+ SecurityIngressRuleAnswer.FailureReason.CANNOT_BRIDGE_FIREWALL);
 }
 String result = callHostPlugin(conn, "vmops", "network_rules",
diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops
index 3cea9d533b4..c3a3af01f66 100755
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@@ -453,7 +453,6 @@ def ipset(ipsetname, proto, start, end, ips):
 def destroy_network_rules_for_vm(session, args):
 vm_name = args.pop('vmName')
 vmchain = chain_name(vm_name)
- vmchain_egress = chain_name(vm_name) + "-egress"
 vmchain_default = chain_name_def(vm_name)
 delete_rules_for_vm_in_bridge_firewall_chain(vm_name)
@@ -473,11 +472,6 @@ def destroy_network_rules_for_vm(session, args):
 util.SMlog("Ignoring failure to delete chain " + vmchain)
- try:
- util.pread2(['iptables', '-F', vmchain_egress])
- util.pread2(['iptables', '-X', vmchain_egress])
- except:
- util.SMlog("Ignoring failure to delete chain " + vmchain_egress)
 remove_rule_log_for_vm(vm_name)
@@ -654,7 +648,6 @@ def default_network_rules(session, args):
 vmchain = chain_name(vm_name)
- vmchain_egress = chain_name(vm_name) +"-egress"
 vmchain_default = chain_name_def(vm_name)
 destroy_ebtables_rules(vmchain)
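Review bot: Removing the flush/delete of the egress chain from destroy_network_rules_for_vm leaves `<chain>-egress` chains created by the previous version of this script orphaned on hosts upgraded in place: nothing in the new code references them, and nothing removes them when the VM is destroyed. Until a VM's default rules are reprogrammed its vmchain_default presumably still jumps to that chain, so the stale egress rules stay in effect for that VM. If in-place upgrade is supported, keeping a best-effort `iptables -F`/`-X` of `chain_name(vm_name) + "-egress"` here, wrapped in the same try/except-with-SMlog as the vmchain cleanup above it, costs nothing on fresh hosts. The same consideration applies to the hunks at 654 and 664, which stop creating the chain; the body of destroy_network_rules_for_vm continues outside this hunk.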
@@ -664,11 +657,6 @@ def default_network_rules(session, args):
 util.pread2(['iptables', '-N', vmchain])
 except:
 util.pread2(['iptables', '-F', vmchain])
-
- try:
- util.pread2(['iptables', '-N', vmchain_egress])
- except:
- util.pread2(['iptables', '-F', vmchain_egress])
 try:
 util.pread2(['iptables', '-N', vmchain_default])
@@ -687,7 +675,7 @@ def default_network_rules(session, args):
 #don't let vm spoof its ip address
 for v in vifs:
- util.pread2(['iptables', '-A', vmchain_default, '-m', 'physdev', '--physdev-is-bridged', '--physdev-in', v, '--source', vm_ip, '-j', vmchain_egress])
+ util.pread2(['iptables', '-A', vmchain_default, '-m', 'physdev', '--physdev-is-bridged', '--physdev-in', v, '--source', vm_ip, '-j', 'RETURN'])
 util.pread2(['iptables', '-A', vmchain_default, '-j', vmchain])
 except:
 util.SMlog("Failed to program default rules for vm " + vm_name)
@@ -1011,7 +999,6 @@ def network_rules(session, args):
 vm_name = args.get('vmName')
 vm_ip = args.get('vmIP')
 vm_id = args.get('vmID')
- type = args.get('type')
 signature = args.pop('signature')
 seqno = args.pop('seqno')
 try:
@@ -1036,12 +1023,9 @@ def network_rules(session, args):
 vifs.append(tap)
 except: pass
-
- if type == 'egress':
- vmchain = chain_name(vm_name) + "-egress"
- else:
- vmchain = chain_name(vm_name)
-
+
+ vmchain = chain_name(vm_name)
+ reason = 'seqno_change_or_sig_change'
 [reprogramDefault, reprogramChain, rewriteLog] = \
 check_rule_log_for_vm (vm_name, vm_id, vm_ip, domid, signature, seqno)
@@ -1142,7 +1126,6 @@ def checkRouter(session, args):
 return txt
 if __name__ == "__main__":
- XenAPIPlugin.dispatch({"pingtest": pingtest, "setup_iscsi":setup_iscsi, "gethostvmstats": gethostvmstats, "getvncport": getvncport, "getgateway": getgateway, "preparemigration": preparemigration, "setIptables": setIptables, "pingdomr": pingdomr, "pingxenserver": pingxenserver,
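Review bot: The switch from the egress chain to `'RETURN'` means a packet that matches the VM's own source address on its own vif now leaves vmchain_default, and its disposition is decided by whatever follows the jump in the calling chain, which is outside this hunk; a packet that does not match (another source address, or the other physdev direction) falls through to the `-j vmchain` rule on the next line. That asymmetry is the whole anti-spoofing mechanism, and the existing `#don't let vm spoof its ip address` comment no longer explains it; something like `# own-IP traffic returns to the caller, everything else (including spoofed sources) is evaluated by the vm chain` on the changed line would. In the hunk at 1036, `reason = 'seqno_change_or_sig_change'` is assigned but not read within the hunk; if network_rules does not use it further down it is dead code. default_network_rules starts and ends outside this hunk.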
diff --git a/server/src/com/cloud/network/security/SecurityGroupListener.java b/server/src/com/cloud/network/security/SecurityGroupListener.java
index 6136db13f4d..f6af762ab0a 100755
--- a/server/src/com/cloud/network/security/SecurityGroupListener.java
+++ b/server/src/com/cloud/network/security/SecurityGroupListener.java
@@ -33,6 +33,7 @@ import com.cloud.agent.api.PingRoutingWithNwGroupsCommand;
 import com.cloud.agent.api.SecurityIngressRuleAnswer;
 import com.cloud.agent.api.StartupCommand;
 import com.cloud.agent.api.StartupRoutingCommand;
+import com.cloud.agent.api.SecurityIngressRuleAnswer.FailureReason;
 import com.cloud.agent.manager.Commands;
 import com.cloud.exception.AgentUnavailableException;
 import com.cloud.host.HostVO;
@@ -85,9 +86,16 @@ public class SecurityGroupListener implements Listener {
 _workDao.updateStep(ruleAnswer.getVmId(), ruleAnswer.getLogSequenceNumber(), Step.Done);
 } else {
- _workDao.updateStep(ruleAnswer.getVmId(), ruleAnswer.getLogSequenceNumber(), Step.Error);
- s_logger.debug("Failed to program rule " + ruleAnswer.toString() + " into host " + agentId);
- affectedVms.add(ruleAnswer.getVmId());
+ _workDao.updateStep(ruleAnswer.getVmId(), ruleAnswer.getLogSequenceNumber(), Step.Error);;
+ s_logger.debug("Failed to program rule " + ruleAnswer.toString() + " into host " + agentId +
+" due to " + ruleAnswer.getDetails() 
+" and updated jobs");
+ if (ruleAnswer.getReason() == FailureReason.CANNOT_BRIDGE_FIREWALL) {
+ s_logger.debug("Not retrying security group rules for vm " + ruleAnswer.getVmId() + " on failure since host " + agentId + " cannot do bridge firewalling");
+ } else if (ruleAnswer.getReason() == FailureReason.PROGRAMMING_FAILED){
+ s_logger.debug("Retrying on failure for vm " + ruleAnswer.getVmId());
+ affectedVms.add(ruleAnswer.getVmId());
+ }
 }
 commandNum++;
 }
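Review bot: A failed answer whose reason is neither CANNOT_BRIDGE_FIREWALL nor PROGRAMMING_FAILED — NONE or UNKNOWN, NONE being the answer's default — now takes neither branch: its work item is marked Step.Error but the VM is not added to affectedVms, so it is never retried and only the generic debug line records it, whereas before this change every failure was retried. Making retry the default and excluding only the documented no-retry case avoids that, i.e. `} else {` in place of `} else if (ruleAnswer.getReason() == FailureReason.PROGRAMMING_FAILED){`. A VM whose ruleset could not be programmed and will not be retried keeps running without the rules the management server intended for it, so the no-retry line deserves warn rather than debug level. The doubled `;;` on the updateStep line is a typo.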
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl2.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl2.java
index 43566fc6d57..55ca40c96c0 100644
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl2.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl2.java
@@ -93,8 +93,8 @@ public class SecurityGroupManagerImpl2 extends SecurityGroupManagerImpl{
 workItems.addAll(affectedVms);
 workItems.removeAll(_disabledVms);
- if (s_logger.isTraceEnabled()) {
- s_logger.trace("Security Group Mgr v2: scheduling ruleset updates for " + affectedVms.size() + " vms " + " (unique=" + workItems.size() + "), current queue size=" + _workQueue.size());
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Security Group Mgr v2: scheduling ruleset updates for " + affectedVms.size() + " vms " + " (unique=" + workItems.size() + "), current queue size=" + _workQueue.size());
 }
 Profiler p = new Profiler();
@@ -109,8 +109,8 @@ public class SecurityGroupManagerImpl2 extends SecurityGroupManagerImpl{
 int newJobs = _workQueue.submitWorkForVms(workItems);
 _mBean.logScheduledDetails(workItems);
 p.stop();
- if (s_logger.isTraceEnabled()){
- s_logger.trace("Security Group Mgr v2: done scheduling ruleset updates for " + workItems.size() + " vms: num new jobs=" +
+ if (s_logger.isDebugEnabled()){
+ s_logger.debug("Security Group Mgr v2: done scheduling ruleset updates for " + workItems.size() + " vms: num new jobs=" +
 newJobs + " num rows insert or updated=" + updated + " time taken=" + p.getDuration());
 }
 }
@@ -173,8 +173,8 @@ public class SecurityGroupManagerImpl2 extends SecurityGroupManagerImpl{
 vm.getPrivateMacAddress(), vm.getId(), null, work.getLogsequenceNumber(), rules);
 cmd.setMsId(_serverId);
- if (s_logger.isTraceEnabled()) {
- s_logger.trace("SecurityGroupManager v2: sending ruleset update for vm " + vm.getInstanceName() +
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("SecurityGroupManager v2: sending ruleset update for vm " + vm.getInstanceName() +
 ": num rules=" + cmd.getRuleSet().length + " num cidrs=" + cmd.getTotalNumCidrs() + " sig=" + cmd.getSignature());
 }
 Commands cmds = new Commands(cmd);
@@ -188,11 +188,11 @@ public class SecurityGroupManagerImpl2 extends SecurityGroupManagerImpl{
 }
 }
 } else {
- if (s_logger.isTraceEnabled()) {
+ if (s_logger.isDebugEnabled()) {
 if (vm != null)
- s_logger.trace("No rules sent to vm " + vm + "state=" + vm.getState());
+ s_logger.debug("No rules sent to vm " + vm + "state=" + vm.getState());
 else
- s_logger.trace("Could not find vm: No rules sent to vm " + userVmId );
+ s_logger.debug("Could not find vm: No rules sent to vm " + userVmId );
 }
 }
 }
diff --git a/setup/db/create-schema.sql b/setup/db/create-schema.sql
index 9cf90e8f8d9..c66d25c68ea 100755
--- a/setup/db/create-schema.sql
+++ b/setup/db/create-schema.sql
@@ -1473,7 +1473,7 @@ CREATE TABLE `cloud`.`op_vm_ruleset_log` (
 `created` datetime NOT NULL COMMENT 'time the entry was requested',
 `logsequence` bigint unsigned COMMENT 'seq number to be sent to agent, uniquely identifies ruleset update',
 PRIMARY KEY (`id`),
- UNIQUE `i_op_vm_ruleset_log__instance_id`(`instance_id`)
+ UNIQUE `u_op_vm_ruleset_log__instance_id`(`instance_id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 CREATE TABLE `cloud`.`instance_group` (