VMware NSX Intelligence 1.0.1 | 19 DEC 2019 | Build 15188324
Check regularly for additions and updates to these release notes.
What's in the Release Notes
The release notes cover the following topics:
- Compatibility and System Requirements
- Available Languages
- API and CLI Resources
- Revision History
- Resolved Issues
- Known Issues
VMware NSX® Intelligence™ is an NSX analytics component introduced with the VMware NSX-T Data Center 2.5 release. NSX Intelligence provides a user interface via a single management pane within NSX Manager and provides the following features:
- Close to real-time flow information for workloads in your environment.
- Correlation of live or historic flows, user configurations, and workload inventory.
- Ability to view past information about flows, user configurations, and workload inventory.
- Automated micro-segmentation planning by recommending firewall rules, groups, and services.
Compatibility and System Requirements
For compatibility and system requirements information, see the Installing and Upgrading VMware NSX Intelligence document.
Available Languages
NSX Intelligence has been localized into multiple languages: English, German, French, Japanese, Simplified Chinese, Korean, Traditional Chinese, and Spanish. Because NSX Intelligence localization utilizes the browser language settings, ensure that your settings match the desired language.
Document Revision History
07 April 2020. First edition. Created this separate NSX Intelligence 1.0.1 Release Notes document using the NSX Intelligence Known Issues and Resolved Issues information that was included in the VMware NSX-T Data Center 2.5.1 Release Notes.
30 July 2020. Added entry for fixed issue 2526083.
20 April 2021. Removed non-catastrophic known issues that have no known workarounds and are corner cases.
Resolved Issues
- Fixed Issue 2410806 - Publishing generated recommendation fails with exception citing 500 total limitation.
If the total number of members (IP addresses or VMs) in a recommended group exceeds 500, the publication of generated recommendation into a policy configuration will fail with an exception message such as:
"The total number of IPAdressExpressions, MACAddressExpressions, paths in a PathExpression and external IDs in ExternalIDExpression should not exceed 500."
- Fixed Issue 2526083 in NSX-T Data Center 2.5.2: Some NSX services might not function properly when the NSX Manager becomes disconnected from the NSX Intelligence appliance.
NSX Intelligence depends on this fixed issue, which is available beginning with the NSX-T Data Center 2.5.2 release.
In the System > Appliances page of the NSX Manager UI, the NSX Intelligence Appliance card displays an error or shows a status indicating that the appliance appears to be stuck in the data fetching state.
The known issues are grouped as follows.
NSX Intelligence Known Issues
- Issue 2362865 - Filter by Rule Name not available for default rule.
Observed in the Plan & Troubleshoot > Discover and Take Action page and affects only rules created by connectivity strategy. This issue is caused by the absence of a default policy based on the connectivity strategy specified. A default rule may be created on the management plane, but with no corresponding default policy, the user cannot filter based on that default rule. (The filter for flows visualization uses the rule name to filter by flows that hit that rule.)
Workaround: Do not apply a rule name filter. Instead, check the Unprotected flag. This configuration will include flows hitting the default rule as well as any rule that has "any" source and "any" destination specified.
- Issue 2389691 - Publish recommendation job fails with error "request payload size exceeds the permitted limit, max 2,000 objects are allowed per request."
If you try to publish a single recommendation job that contains more than 2,000 objects, it will fail with error "request payload size exceeds the permitted limit, max 2,000 objects are allowed per request."
Workaround: Reduce the number of objects to fewer than 2,000 in the recommendation job and retry the publication.
- Issue 2366630 - Delete transport node operation may fail when NSX Intelligence appliance is deployed.
If a transport node is being deleted while the NSX Intelligence appliance is being deployed, the deletion can fail because the transport node is referenced by the NSX-INTELLIGENCE-GROUP NSGroup. To delete a transport node, the force delete option is required when the NSX Intelligence appliance is deployed.
Workaround: Use the force option to delete the transport node.
- Issue 2393240 - Additional Flows are observed from VM to IP address.
Additional flows from VM to IP-xxxx are seen. This occurs when the configuration data (groups, VMs, and services) from the NSX Policy manager reaches the NSX Intelligence appliance after the flow is created. The earlier flow cannot be correlated with the configuration, because the configuration does not yet exist from the flow's perspective. Since the flow cannot be correlated normally, it defaults to IP-xxxx for its VM during flow lookup. After the configuration is synchronized, the actual VM flow appears.
Workaround: Modify the time window to exclude the flow you do not want to see.
- Issue 2372657 - VM-GROUP relationship and GROUP-GROUP flow correlation temporarily display incorrectly.
VM-GROUP relationship and GROUP-GROUP flow correlation temporarily display incorrectly if the NSX Intelligence appliance is deployed while there are ongoing flows in the datacenter. Specifically, the following elements may display incorrectly during this temporary period:
- VMs wrongly belong to Uncategorized group.
- VMs wrongly belong to Unknown group.
- Correlated flows between two groups can be shown wrongly.
These errors will self-correct after the NSX Intelligence appliance has been deployed longer than the user-selected visualization period.
Workaround: None. If the user moves out of the Visualization period during which the NSX Intelligence appliance was deployed, the issue will not appear.
- Issue 2393142 - Logging in to NSX Manager with vIDM credentials may return a 403 unauthorized user error.
This only affects users logging in as vIDM users, as opposed to a local user, on NSX Manager. vIDM login and integration are not supported in NSX-T 2.5 when interacting with the NSX Intelligence appliance.
Workaround: Log in as a local user by appending the NSX Manager IP/FQDN with the string 'login.jsp?local=true'.
- Issue 2346545 - NSX Intelligence appliance: certificate replacement affects new flow information reporting.
If you replace the principal identity certificate for the NSX Intelligence appliance with a self-signed certificate, processing of new flows is affected and the appliance will not show updated information from that point forward.
- Issue 2410224 - After completing NSX Intelligence appliance registration, refreshing view may return a 403 Forbidden error.
After completing NSX Intelligence appliance registration, if you click Refresh to View, the system may return a 403 Forbidden error. This is a temporary condition caused by the time required for the NSX Intelligence appliance to access the interface.
Workaround: If you receive this error, wait a few moments and try again.
- Issue 2436302 - After replacing the NSX-T unified appliance cluster certificate, NSX Intelligence cannot be accessed via API or the Manager interface.
In the NSX-T Manager interface, go to the Plan & Troubleshoot tab and click Discover & Take Action or Recommendations. The interface will not load and will eventually return an error like:
Failed to load requested application. Please try again or contact support if the problem persists.
Workaround: See VMware Knowledge Base article 76223 for more details and workaround.
- Issue 2374229 - NSX Intelligence appliance runs out of disk space.
The NSX Intelligence appliance has a default data retention period of 30 days. If the amount of flow data is larger than the anticipated amount within 30 days, the appliance might run out of disk space prematurely and become partially or completely non-operational.
Workaround: See VMware Knowledge Base article 76523 for more details and workaround.
- Issue 2376389 - VMs are incorrectly marked as deleted in 'Last 24 hours' view on mid-scale setup.
After a host is disconnected from compute managers, NSX Intelligence shows the previous VMs on the host as deleted, with new VMs in their place. This issue results from NSX Intelligence tracking inventory updates in the NSX database, and this behavior reflects how the inventory handles host disconnection from compute managers. This does not affect the total count of live VMs in NSX Intelligence, although you may see duplicate VMs in NSX Intelligence.
Workaround: No action required. The duplicate VMs will stop appearing after approximately 24 hours.
- Issue 2385599 - Groups of static IPs not supported in NSX-T Intelligence recommendations.
VMs and workloads that are not recognized in the NSX-T inventory, if they have intranet IP addresses, may still be subject to recommendation as a group of static IPs, including recommendation-defined rules containing these groups. However, NSX Intelligence does not support such groups and, as a result, visualization shows traffic sent to them as sent to "Unknown" instead of the recommended group.
Workaround: None. However, recommendation is functioning correctly. This is a display issue.
- Issue 2407198 - VMs incorrectly appear in Uncategorized VMs group in NSX Intelligence security posture.
When ESXi hosts are disconnected from vCenter, VMs on those hosts can be shown in the "Uncategorized VMs" group even if they belong to other groups. When the ESXi hosts are reconnected to vCenter, the VMs will appear in their correct groups.
Workaround: Reconnect the hosts to vCenter.
- Issue 2366599 - Rules for VMs with IPv6 addresses not enforced.
If a VM uses an IPv6 address, but IPv6 snooping is not enabled for that VIF via the IP discovery profile, the IPv6 address is not populated in the rule for that VM in the data path. As a result, that rule is never enforced.
Workaround: Verify that the IPv6 discovery profile is enabled at either the VIF or logical switch whenever IPv6 addresses are used.
- Issue 2357296 - Flows may not be reported to NSX Intelligence by some ESX hosts under certain scale and stress conditions.
The NSX Intelligence interface may not show flows from certain VMs on certain hosts, and fails to provide firewall rule recommendations for those VMs. As a result, firewall security could be compromised on some hosts. This is observed in deployments with vSphere versions below 6.7U2 and 6.5U3. The problem has been identified as out-of-order VM filter creation and deletion in the core ESX hypervisor.
Workaround: Upgrade the host to vSphere 6.7U2 and above or vSphere 6.5U3 and above.
- Issue 2456118 - Error accessing NSX Intelligence.
When loading the "Plan & Troubleshoot" page in NSX-T Data Center, you may see one or more of the following:
- The Application server fails to fulfill request.
- The NSX-T Intelligence agent rejects any admin user attempts.
- You get the error: Failed to load requested application. Please try refreshing the browser or contact support if the problem persists.
Workaround: See VMware Knowledge Base article 76223 for more details.
- Issue 2508429: Only Base64-encoded certificate files are supported in NSX Intelligence 1.0.1. Extra attributes that are part of a PEM-encoded certificate are not allowed.
"Bag attributes" in certificate files are not accepted in NSX Intelligence 1.0.1. Only Base64 encoding is supported in NSX Intelligence 1.0.1.
Workaround: See VMware Knowledge Base article 78048 for more details and workaround.
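A pre-upload check for the bag-attribute restriction in Issue 2508429, as an added example (not VMware code and not the procedure from Knowledge Base article 78048): it keeps only the BEGIN/END blocks of a PEM file, verifies that each body is strict Base64, and reports the lines it dropped. The sample input is constructed, the function name clean_pem is hypothetical, and it is an assumption that the appliance accepts the standard BEGIN/END armor lines.

```python
import base64
import re

# Constructed sample in the shape of an `openssl pkcs12` export: "Bag Attributes"
# and subject=/issuer= lines precede the PEM block. The body is placeholder
# bytes, not a real certificate.
_BODY = base64.encodebytes(b"constructed placeholder DER bytes " * 4).decode().strip()
SAMPLE = (
    "Bag Attributes\n"
    "    friendlyName: example-cert\n"
    "    localKeyID: 01 02 03 04\n"
    "subject=CN = nsx-intelligence.example.test\n"
    "issuer=CN = Example Test CA\n"
    "-----BEGIN CERTIFICATE-----\n" + _BODY + "\n-----END CERTIFICATE-----\n"
)

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")


def clean_pem(text):
    """Return (clean_pem, dropped_lines); only BEGIN/END blocks survive."""
    kept, dropped, label, body = [], [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if label is None:
            match = _BEGIN.match(line)
            if match:
                label, body = match.group(1), []
            elif line:
                dropped.append(line)  # bag attributes, subject=/issuer= lines
            continue
        if line == f"-----END {label}-----":
            payload = "".join(body)
            # Strict decode: raises (a ValueError subclass) on any non-Base64
            # character, including "Name: value" headers inside the block.
            base64.b64decode(payload, validate=True)
            wrapped = [payload[i:i + 64] for i in range(0, len(payload), 64)]
            kept += [f"-----BEGIN {label}-----", *wrapped, f"-----END {label}-----"]
            label = None
        elif line:
            body.append(line)
    if label is not None:
        raise ValueError(f"unterminated {label} block")
    if not kept:
        raise ValueError("no PEM block found")
    return "\n".join(kept) + "\n", dropped
```

A non-empty second return value means the file carried extra attributes and the cleaned text should be uploaded instead of the original.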