VMware NSX Intelligence 1.0.0   |  19 September 2019  

Check regularly for additions and updates to these release notes.

Introduction

VMware NSX® Intelligence™ is a new NSX analytics component introduced with the VMware NSX-T Data Center 2.5 release. NSX Intelligence provides a user interface via a single management pane within NSX Manager, and provides the following features:

  • Close to real-time flow information for workloads in your environment.
  • Correlation of live or historic flows, user configurations, and workload inventory.
  • Ability to view past information about flows, user configurations, and workload inventory.
  • Automated micro-segmentation planning by recommending firewall rules, groups, and services.

Compatibility and System Requirements

For compatibility and system requirements information, see the Installing and Upgrading VMware NSX Intelligence document.

API and CLI Resources

For information about NSX Intelligence REST API and CLI resources, see NSX-T Data Center REST API or NSX-T Data Center CLI on code.vmware.com.

Available Languages

NSX-T Data Center has been localized into multiple languages: English, German, French, Japanese, Simplified Chinese, Korean, Traditional Chinese, and Spanish. Because NSX-T Data Center localization utilizes the browser language settings, ensure that your settings match the desired language.

Document Revision History

07 April 2020. Created these separate NSX Intelligence 1.0.0 Release Notes using the Known Issues information included in the VMware NSX-T Data Center 2.5.0 Release Notes.
20 April 2021. Removed non-catastrophic known issues that have no known workarounds and are corner cases.

Known Issues

The known issues are grouped as follows.

NSX Intelligence Known Issues
  • Issue 2410806 - Publishing generated recommendation fails with exception citing 500 total limitation.

    If the total number of members (IP addresses or VMs) in a recommended group exceeds 500, publishing the generated recommendation into a policy configuration fails with an exception message such as "The total of IPAdressExpressions, MACAddressExpressions, paths in a PathExpression and external IDs in ExternalIDExpression should not exceed 500."

    Workaround: If there are scenarios where 500-plus clients are connecting to the application VM or load balancer, you can create a rule to micro-segment access to the application load balancer, then select the application VMs to start recommendation discovery. Alternatively, you can subdivide the 500-plus member group into multiple, smaller groups.

  • Issue 2362865 - Filter by Rule Name not available for default rule.

    Observed in the Plan & Troubleshoot > Discover and Take Action page and affects only rules created by connectivity strategy. This issue is caused by the absence of a default policy based on the connectivity strategy specified. A default rule may be created on the management plane, but with no corresponding default policy, the user cannot filter based on that default rule. (The filter for flows visualization uses the rule name to filter by flows that hit that rule.)

    Workaround: Do not apply a rule name filter. Instead, check the Unprotected flag. This configuration will include flows hitting the default rule as well as any rule that has "any" source and "any" destination specified.

  • Issue 2385599 - Groups of static IPs not supported in NSX-T Intelligence recommendations.

    VMs and workloads that are not recognized in the NSX-T inventory, if they have intranet IP addresses, may still be subject to recommendation as a group of static IPs, including recommendation-defined rules containing these groups. However, NSX Intelligence does not support such groups and, as a result, visualization shows traffic sent to them as sent to "Unknown" instead of the recommended group.

    Workaround: None. However, recommendation is functioning correctly. This is a display issue.

  • Issue 2374229 - NSX Intelligence appliance runs out of disk space.

    The NSX Intelligence appliance has a default data retention period of 30 days. If the amount of flow data within 30 days is larger than the anticipated amount, the appliance might run out of disk space prematurely and become partially or completely non-operational.

    Workaround: This can be prevented or mitigated by monitoring the disk usage of the NSX Intelligence appliance. If disk usage is growing at a rate that indicates that space might run out, you can reduce the data retention period to fewer days.

    1. SSH into the NSX Intelligence appliance and access the /opt/vmware/pace/druid-config/druid_data_retention.properties file.
    2. Locate and change the correlated_flow setting to a value lower than 30 days. For example: correlated_flow=P14D
    3. Save the file and apply the changes by running the following command:
      /opt/vmware/pace/druid-config/druid-config-data-retention.sh
      NOTE: It may require up to two hours for the data to be physically deleted.

  • Issue 2389691 - Publish recommendation job fails with error "request payload size exceeds the permitted limit, max 2,000 objects are allowed per request."

    If you try to publish a single recommendation job that contains more than 2,000 objects, it will fail with error "request payload size exceeds the permitted limit, max 2,000 objects are allowed per request."

    Workaround: Reduce the number of objects to fewer than 2,000 in the recommendation job and retry the publication.

  • Issue 2376389 - VMs are incorrectly marked as deleted in 'Last 24 hours' view on mid-scale setup.

    After a transport node is disconnected or removed from the compute manager, NSX Intelligence shows the previous VMs as deleted, with new VMs in their place. This issue results from NSX Intelligence tracking inventory updates in the NSX database, and this behavior reflects how the inventory handles transport node disconnection from the compute manager. This does not affect the total count of live VMs in NSX Intelligence, although you may see duplicate VMs in NSX Intelligence.

    Workaround: No action required. Duplicate VMs are eventually removed from the interface depending on the selected time interval.

  • Issue 2393240 - Additional Flows are observed from VM to IP address.

    The customer sees additional flows from VM to IP-xxxx. This happens because the configuration data (groups, VMs, and services) from the NSX Policy manager reaches the NSX Intelligence appliance after the flow is created. The earlier flow therefore cannot be correlated with the configuration, because the configuration does not yet exist from the flow's perspective. Since the flow cannot be correlated normally, it defaults to IP-xxxx for its VM during flow lookup. After the configuration is synchronized, the actual VM flow appears.

    Workaround: Modify the time window to exclude the flow you do not want to see.

  • Issue 2372657 - VM-GROUP relationship and GROUP-GROUP flow correlation temporarily display incorrectly.

    VM-GROUP relationship and GROUP-GROUP flow correlation temporarily display incorrectly if the NSX Intelligence appliance is deployed while there are ongoing flows in the datacenter. Specifically, the following elements may display incorrectly during this temporary period:

    • VMs wrongly belong to Uncategorized group.
    • VMs wrongly belong to Unknown group.
    • Correlated flows between two groups can be shown wrongly.

    These errors will self-correct after the NSX Intelligence appliance has been deployed longer than the user-selected visualization period.

    Workaround: None. If the user moves out of the Visualization period during which the NSX Intelligence appliance was deployed, the issue will not appear.

  • Issue 2366630 - Delete transport node operation may fail when NSX Intelligence appliance is deployed.

    If a transport node is being deleted while the NSX Intelligence appliance is being deployed, the deletion can fail because the transport node is referenced by the NSX-INTELLIGENCE-GROUP NSGroup. To delete a transport node when the NSX Intelligence appliance is deployed, the force delete option is required.

    Workaround: Use the force option to delete the transport node.

  • Issue 2357296 - Flows may not be reported to NSX Intelligence by some ESX hosts under certain scale and stress conditions.

    The NSX Intelligence interface may not show flows from certain VMs on certain hosts, and fails to provide firewall rule recommendations for those VMs. As a result, firewall security could be compromised on some hosts. This is observed in deployments with vSphere versions below 6.7U2 and 6.5U3. The problem has been identified as out-of-order creation and deletion of VM filters in the core ESX hypervisor.

    Workaround: Upgrade the host to vSphere 6.7U2 and above or vSphere 6.5U3 and above.

  • Issue 2393142 - Logging in to NSX Manager with vIDM credentials may return a 403 unauthorized user error.

    This only affects users logging in as vIDM users, as opposed to a local user, on NSX Manager. vIDM login and integration are not supported in NSX-T 2.5 when interacting with the NSX Intelligence appliance.

    Workaround: Log in as a local user by appending the string 'login.jsp?local=true' to the NSX Manager IP/FQDN.

  • Issue 2346545 - NSX Intelligence appliance: certificate replacement affects new flow information reporting.

    If the user replaces the principal identity certificate for the NSX Intelligence appliance with a self-signed certificate, processing of new flows is affected and the appliance will not show updated information from that point forward.

    Workaround: None.

  • Issue 2407198 - VMs incorrectly appear in Uncategorized VMs group in NSX Intelligence security posture.

    When ESXi hosts are disconnected from vCenter, VMs on those hosts can be shown in the "Uncategorized VMs" group even if they belong to other groups. When the ESXi hosts are reconnected to vCenter, the VMs appear in their correct groups.

    Workaround: Reconnect the hosts to vCenter.

  • Issue 2410224 - After completing NSX Intelligence appliance registration, refreshing view may return a 403 Forbidden error.

    After completing NSX Intelligence appliance registration, if you click Refresh to View, the system may return a 403 Forbidden error. This is a temporary condition caused by the time the NSX Intelligence appliance requires to access the interface.

    Workaround: If you receive this error, wait a few moments and try again.

  • Issue 2436302 - After replacing the NSX-T unified appliance cluster certificate, NSX Intelligence cannot be accessed via API or the Manager interface.

    In the NSX-T Manager interface, go to the Plan & Troubleshoot tab and click on Discover & Take Action or Recommendations. The interface will not load and will eventually return an error like: Failed to load requested application. Please try again or contact support if the problem persists.

    Workaround: See Knowledge Base article 76223 for more details and workaround.
