Looking at your configuration, I have a few comments:
Since you can ping the VIP successfully, this means that the routing path from client-to-CSM-to-server is working, as is server-to-CSM-to-client. I know this because your vserver is only layer-3. It is only looking for traffic destined to the VIP. So your ping to the VIP is actually being load balanced to one of the servers, and the server load balanced to is actually replying to the ICMP Request with an ICMP Reply. The only way this could work is if the CSM is properly performing the load balancing and required NAT'ing.
With that said, since the CSM is only looking at the source and destination addresses for load balancing and NAT'ing, it doesn't matter whether it is ICMP or TCP to the CSM. Therefore, I think your problem may not be with the CSM, but rather with the firewall or the servers themselves. For the primary issue that you are looking for an answer to, you may need to get a capture to see exactly where the connection fails. I would recommend setting up a SPAN on the Catalyst and making the monitor session's source interface the port-channel of the CSM, which will be 256 plus the slot number of the CSM. For example, if the CSM is in slot 3, then the source interface of the SPAN will be Po259. Now you'll capture both client-side and server-side traffic of the connection through the CSM in a single capture.
You have two gateways configured, and since the server VLAN is only layer 2, I cannot see why you would need the gateway on VLAN 172. Unless you have a compelling reason to have it, it should be removed.
You have route-health injection configured under the vserver. Since the VIP is on the same IP subnet as the VLAN 170 interface on the switch, this is not needed.
The CSM does not support GLBP for its gateway. You may get it to work, but it may produce unpredictable results. You should change that interface on the switch to use HSRP instead of GLBP.
The CSM uses the source MAC address of the packets to determine which gateway the server reply should be sent to. The CSM does not like seeing duplicate MAC addresses, which is what happens due to the nature of GLBP.