A FreeBSD 8.2 HVM domU slowed to a crawl after fail2ban had started making use of the PF firewall.
SSH connections lagged heavily, and MySQL database connections took ages.

Solution - not entirely unknown ever since Xen 2 (but no one will ever just turn it off for their distro or teach Xen to probe for it better)

Disable TCP segmentation offloading (TSO):

ifconfig xn0 -tso              # takes effect immediately; make permanent in /etc/rc.conf
sysctl -w net.inet.tcp.tso=0   # takes effect immediately; make permanent in /etc/sysctl.conf
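
One way to make both settings permanent without duplicating lines on repeated runs. This is an added example, not part of the original note: the function names persist_sysctl_tso and persist_if_tso are hypothetical, and it assumes rc.conf already has a double-quoted ifconfig_xn0="..." line.

```shell
#!/bin/sh
# Added example (hypothetical helper names). File paths are arguments so the
# functions can be tried on copies before touching /etc.

# Force every net.inet.tcp.tso assignment in a sysctl.conf-style file to 0,
# or append one if the file has none.
persist_sysctl_tso() {
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    if grep -q '^[[:space:]]*net\.inet\.tcp\.tso[[:space:]]*=' "$conf"; then
        sed 's/^[[:space:]]*net\.inet\.tcp\.tso[[:space:]]*=.*/net.inet.tcp.tso=0/' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        echo 'net.inet.tcp.tso=0' >> "$conf"
    fi
}

# Append -tso inside the quoted value of ifconfig_<ifname>="..." in an
# rc.conf-style file. Does nothing if -tso is already there; fails rather
# than guessing when the line is missing or its value is unquoted.
persist_if_tso() {
    conf=$1
    ifname=$2
    line=$(grep "^ifconfig_${ifname}=" "$conf" 2>/dev/null) || {
        echo "no ifconfig_${ifname}= line in $conf" >&2
        return 1
    }
    case $line in
        *-tso*) return 0 ;;      # already persistent
        *\"*\") ;;               # double-quoted value: safe to edit
        *) echo "ifconfig_${ifname} value is not double-quoted" >&2
           return 1 ;;
    esac
    sed "s/^\(ifconfig_${ifname}=\"[^\"]*\)\"/\1 -tso\"/" "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
}

# Typical use on the domU, as root:
#   persist_if_tso /etc/rc.conf xn0 && persist_sysctl_tso /etc/sysctl.conf
```

After a reboot, ifconfig xn0 should no longer list TSO4 among its options and sysctl net.inet.tcp.tso should report 0.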