VMware NSX Intelligence 1.1.0 | 07 APR 2020 | Build 15918914
Check regularly for additions and updates to these release notes.
VMware NSX® Intelligence™ is a distributed analytics engine that leverages granular workload and network context unique to NSX to deliver converged security policy management, analytics, and compliance with data center–wide visibility. NSX Intelligence provides a user interface via a single management pane within NSX Manager and provides the following features:
- Real-time flow visibility for workloads in your environment.
- NSX Intelligence correlates live or historic flows, user configurations, and workload inventory.
- Ability to view past information about flows, user configurations, and workload inventory.
- Automated micro-segmentation planning by recommending firewall rules, groups, and services.
What's in the Release Notes
The release notes cover the following topics:
- What's New
- System Requirements
- Compatibility Notes
- Available Languages
- API and CLI Resources
- Revision History
- Resolved Issues
- Known Issues
NSX Intelligence 1.1.0 provides the following new features for real-time flow visualizations and firewall rule planning.
NSX Intelligence Visualizations
- Search Enhancements - Adds more search filters for Groups, VMs, and Flow information. NSX global search results now include insights from NSX Intelligence, by using keywords "flows" and "recommendations".
- UI Performance and Layout Improvements - Improves the initial UI load times and immediate refresh as things change.
- Public vs Private IP Range Settings - Allows you to specify the CIDR notations that NSX Intelligence uses to classify an IP address as private or public. Any IP address that does not belong to any of the specified CIDR notations is classified as a public IP address.
- Flow Visualization - Shows L4 port/protocol on the flow line and increased IP to VM mapping visualization.
NSX Intelligence Recommendations
- Use of Groups in Recommendation Inputs - Provides the ability to start recommendations for a Group, in addition to prior support for VMs. This includes support to start recommendation for a group of effective VM members. Using a group as the recommendation input requires NSX-T Data Center 3.0.0.
- Micro-Segmentation Recommendation Outputs - Provides a choice of a group of IP addresses, in addition to prior support for a group of VMs.
- Continuous Recommendations - Provides a choice of on-demand or continuous monitoring for recommendation sessions. When continuous monitoring is enabled on a group, NSX Intelligence will generate new recommendations upon detecting VM membership changes in the group.
NSX Intelligence Platform
- Installation of NSX Intelligence From a Local File System - Provides the ability to install the NSX Intelligence appliance from a local file system or a web server. Installation from a local file system requires NSX-T Data Center 3.0.0.
- Alarms for NSX Intelligence - Provides alarms for NSX Intelligence system health (CPU, Memory, Disk, Node Health) and its communication to NSX Manager components. This feature requires NSX-T Data Center 3.0.0.
- Support Bundle for NSX Intelligence - Enables users to include NSX Intelligence logs in the NSX Support Bundle, with UI support.
- Upgrade Improvements for NSX Intelligence - Improves pre-upgrade and post-upgrade checks for NSX Intelligence, with UI support available within Upgrade Coordinator.
- Authentication and Authorization - Provides RBAC multi-role support for NSX Intelligence functionality and support for both vIDM and LDAP. Authenticating with LDAP requires NSX-T 3.0.0.
- For system requirements information, see the Installing and Upgrading VMware NSX Intelligence document.
- For information about ports and protocols required for NSX Intelligence, see VMware Ports and Protocols at https://ports.vmware.com/home/NSX-Intelligence.
- For NSX Intelligence and NSX-T Data Center interoperability information, see VMware Product Interoperability Matrices.
- NSX Intelligence does not support Kubernetes Pods, Namespace, or Cluster visualization.
- NSX Intelligence does not support NSX Federation deployments. For deployments with NSX Federation, if an NSX Intelligence instance is deployed with the Local Manager on a specific site, you will see groups and flows from the Global Manager. However, the visualization will not reflect specifics from other sites. NSX Intelligence recommendations will also not function across various sites because NSX Intelligence does not integrate with the Global Manager of NSX-T Data Center.
- When installing the NSX Intelligence 1.1.0 appliance using NSX-T Data Center 2.5.x, you must use the instructions provided for the NSX Intelligence 1.0.x release, which was released with NSX-T Data Center 2.5.x. See Download and Unpack the NSX Intelligence Installer Bundle and Install the NSX Intelligence Appliance. You can use the same commands to unpack the NSX Intelligence 1.1.0 installer OVA file that you download from the VMware Products Download portal.
API and CLI Resources
NSX Intelligence has been localized into multiple languages: English, German, French, Japanese, Simplified Chinese, Korean, Traditional Chinese, and Spanish. Because NSX Intelligence localization utilizes the browser language settings, ensure that your settings match the desired language.
Document Revision History
07 April 2020. First edition.
09 April 2020. Added Known Issue 2543655.
- Fixed Issue 2346545 - NSX Intelligence appliance: certificate replacement affects new flow information reporting.
If you replace the principal identity certificate for the NSX Intelligence appliance with a self-signed certificate, processing of new flows is affected and the appliance will not show updated information from that point forward.
- Fixed Issue 2508429: Only Base64-encoded certificate files are supported in NSX Intelligence 1.0.1. Extra attributes that are part of a PEM-encoded certificate are not allowed.
"Bag attributes" in certificate files are not accepted in NSX Intelligence 1.0.1. Only Base64 encoding is supported in NSX Intelligence 1.0.1.
- Fixed Issue 2372657 - VM-GROUP relationship and GROUP-GROUP flow correlation temporarily display incorrectly.
VM-GROUP relationship and GROUP-GROUP flow correlation temporarily display incorrectly if the NSX Intelligence appliance is deployed while there are ongoing flows in the datacenter. Specifically, the following elements may display incorrectly during this temporary period:
- VMs wrongly belong to Uncategorized group.
- VMs wrongly belong to Unknown group.
- Correlated flows between two groups can be shown wrongly.
These errors will self-correct after the NSX Intelligence appliance has been deployed longer than the user-selected visualization period.
- Fixed Issue 2407198 - VMs incorrectly appear in Uncategorized VMs group in NSX Intelligence security posture.
When ESXi hosts are disconnected from vCenter, VMs on those hosts can be shown in the "Uncategorized VMs" group even if they belong to other groups. When the ESXi hosts are reconnected with vCenter, the VMs appear in their correct groups.
- Fixed Issue 2436302 - After replacing the NSX-T unified appliance cluster certificate, NSX Intelligence cannot be accessed via API or the Manager interface.
In the NSX-T Manager interface, go to the Plan & Troubleshoot tab and click Discover & Take Action or Recommendations. The interface will not load and will eventually return an error like: Failed to load requested application. Please try again or contact support if the problem persists.
- Fixed Issue 2393142 - Logging in to NSX Manager with vIDM credentials may return a 403 unauthorized user error.
This only affects users logging in as vIDM users, as opposed to a local user, on NSX Manager. vIDM login and integration are not supported in NSX-T 2.5 when interacting with the NSX Intelligence appliance.
- Fixed Issue 2357296 - Flows may not be reported to NSX Intelligence by some ESX hosts under certain scale and stress conditions.
The NSX Intelligence interface may not show flows from certain VMs on certain hosts, and fails to provide firewall rule recommendations for those VMs. As a result, firewall security could be compromised on some hosts. This is observed in deployments with vSphere versions below 6.7U2 and 6.5U3. The problem is identified as core ESX hypervisor VM filter creation and deletion out of order.
- Issue 2456118 - Error accessing NSX Intelligence.
When loading the "Plan & Troubleshoot" page in NSX-T Data Center, you may see one or more of the following:
- The Application server fails to fulfill request.
- The NSX-T Intelligence agent rejects any admin user attempts.
- You get the error: Failed to load requested application. Please try refreshing the browser or contact support if the problem persists.
- Fixed Issue 2362865 - Filter by Rule Name not available for default rule.
Observed in the Plan & Troubleshoot > Discover and Take Action page and affects only rules created by connectivity strategy. This issue is caused by the absence of a default policy based on the connectivity strategy specified. A default rule may be created on the management plane, but with no corresponding default policy, the user cannot filter based on that default rule. (The filter for flows visualization uses the rule name to filter by flows that hit that rule.)
- Fixed Issue 2376389 - VMs are incorrectly marked as deleted in 'Last 24 hours' view on mid-scale setup.
After a host is disconnected from compute managers, NSX Intelligence shows the previous VMs on the host as deleted, with new VMs in their place. This issue results from NSX Intelligence tracking inventory updates in the NSX database, and this behavior reflects how the inventory handles host disconnection from compute managers. This does not affect the total count of live VMs in NSX Intelligence, although you may see duplicate VMs in NSX Intelligence.
- Issue 2368926 - Recommendations job fails if user reboots appliance while job is in progress.
If you reboot the NSX Intelligence appliance while a recommendations job is in progress, the job goes to a failed state. You can start a recommendation job for a set of context VMs. The reboot deletes the context and the job fails as a result.
Workaround: After reboot, repeat the recommendations job for the same set of VMs.
- Issue 2369802 - NSX Intelligence appliance backup excludes event/flows datastore backup.
This functionality is not supported in NSX Intelligence versions 1.0.x and 1.1.x.
- Issue 2389691 - Publish recommendation job fails with error "request payload size exceeds the permitted limit, max 2,000 objects are allowed per request."
If you try to publish a single recommendation job that contains more than 2,000 objects, it will fail with error "request payload size exceeds the permitted limit, max 2,000 objects are allowed per request."
Workaround: Reduce the number of objects to fewer than 2,000 in the recommendation job and retry the publication.
- Issues 2396630 and 2533563 - Delete transport node operation may fail when NSX Intelligence appliance is deployed.
If a transport node is being deleted while the NSX Intelligence appliance is being deployed, the deletion can fail because the transport node is referenced by the NSX-INTELLIGENCE-GROUP NSGroup. To delete a transport node, the force delete option is required when the NSX Intelligence appliance is deployed.
Workaround: Use the force option to delete the transport node.
- Issue 2393240 - Additional Flows are observed from VM to IP address.
Additional flows from VM to IP-xxxx are seen. This is due to the configuration data (Groups, VMs and services) when the NSX Policy manager reaches the NSX Intelligence appliance after the flow is created. Therefore the (earlier) flow cannot be correlated with the configuration, because it is non-existent from the flow perspective. Since the flow cannot be normally correlated, it defaults to IP-xxxx for its VM during flow lookup. After the configuration is synchronized, the actual VM flow appears.
Workaround: Modify the time window to exclude the flow you do not want to see.
- Issue 2370660 - NSX Intelligence shows inconsistent data for specific VMs.
This is likely caused by those VMs having the same IP address in the datacenter. This is not supported by NSX Intelligence in NSX-T 2.5.
Workaround: None. Avoid assigning the same IP address to two VMs in the datacenter.
- Issue 2410224 - After completing NSX Intelligence appliance registration, refreshing view may return a 403 Forbidden error.
After completing NSX Intelligence appliance registration, if you click Refresh to View, the system may return a 403 Forbidden error. This is a temporary condition caused by the time required for the NSX Intelligence appliance to access the interface.
Workaround: If you receive this error, wait a few moments and try again.
- Issue 2374229 - NSX Intelligence appliance runs out of disk space.
The NSX Intelligence appliance has a default data retention period of 30 days. If the amount of flow data is larger than the anticipated amount within 30 days, the appliance might run out of disk space prematurely and become partially or completely non-operational.
Workaround: See Knowledge Base article 76523 for more details and workaround.
- Issue 2385599 - Groups of static IPs not supported in NSX-T Intelligence recommendations.
VMs and workloads that are not recognized in the NSX-T inventory, if they have intranet IP addresses, may still be subject to recommendation as a group of static IPs, including recommendation-defined rules containing these groups. However, NSX Intelligence does not support such groups and as a result, visualization shows traffic sent to them as sent to "Unknown" instead of the recommended group.
Workaround: None. However, recommendation is functioning correctly. This is a display issue.
- Issue 2366599 - Rules for VMs with IPv6 addresses not enforced.
If a VM uses an IPv6 address, but IPv6 snooping is not enabled for that VIF via the IP discovery profile, the IPv6 address is not populated in the rule for that VM in the data path. As a result, that rule is never enforced.
Workaround: Verify that IPv6 discovery profile is enabled at either the VIF or logical switch whenever IPv6 addresses are used.
- Issue 2374231 - Port scan with nmap tool generates flow with service as UNKNOWN and port as 0.
NSX Intelligence does not support source or destination port parsing for GRE, ESP, and SCTP protocol flows. NSX Intelligence provides full header parsing for TCP and UDP flows along with flow related statistics. For other supported protocols (such as GRE, ESP, and SCTP) NSX Intelligence can only provide IP information without protocol specific source or destination ports. For these protocols, the source or destination port will be zero.
- Issue 2410096 - After rebooting the NSX Intelligence appliance, flows collected in the last 10 minutes prior to reboot may not be displayed.
This is caused by an indexing issue.
- Issue 2538573 - Some persistent load situation might cause recommendations to be in the Waiting state for a long time, or the VMs/Groups views to not work.
If there is a persistent high load on the NSX Intelligence appliance, one or more recommendations might remain in the Waiting state for a long time, or the VMs/Groups views might not function as expected.
Workaround: Restart the pace-server service.
- Log in to the NSX Intelligence appliance as 'root' user.
- At the command prompt, type the following command.
systemctl restart pace-server.service
- Issue 2521825 - Federation is not supported in NSX Intelligence.
When deploying NSX Intelligence with the Local Manager, any configuration pushed down from the Global Manager may not be visualized correctly. Recommendations for a configuration pushed from Global Manager will not be accurate, since the Recommendation feature can only take locally managed objects as input and doesn't recommend or publish rules to the Global Manager.
- Issue 2531845 - Group visualization is incorrect immediately after upgrading the NSX Intelligence appliance.
After upgrading NSX Intelligence from version 1.0.x to version 1.1, the Groups view displays an Uncategorized group with a large and incorrect number of VM members.
Workaround: Wait at least 1 hour after you upgrade NSX Intelligence from version 1.0.x to version 1.1 before using the NSX Intelligence features.
- Issue 2539217 - LDAP users who are not part of any LDAP group are unable to access the NSX Intelligence UI
LDAP users who are not part of any LDAP group cannot access the NSX Intelligence user interface, even when they have roles assigned in NSX-T Data Center.
Workaround: Users can assign roles to LDAP groups or assign roles to users that are part of LDAP groups only.
- Issue 2529161 - Using the same SFTP folder for backing up an NSX-T cluster, an NSX Intelligence node, and a Global Manager cluster results in a mixed list of backups.
If an SFTP folder is shared between an NSX-T cluster, an NSX Intelligence node, and a Global Manager cluster, then a mixed list of all the backups that were generated using those clusters are listed in the NSX Intelligence Backup user interface. Only backups generated by NSX Intelligence should be listed.
Workaround: Use a unique SFTP folder when backing up each of the NSX-T cluster, NSX Intelligence appliance, or Global Manager cluster.
- Issue 2537740 - Upgrading NSX Intelligence 1.0.0 to version 1.0.1 causes configuration synchronization and data collection to be impacted.
If you upgrade NSX Intelligence 1.0.0 to version 1.0.1 and to version 1.1.0, the NSX Manager Unified Appliance configuration information is not updated on the NSX Intelligence appliance. In addition, data collection might also be disrupted. For example, new groups or VMs created after the NSX Intelligence upgrades might not be reflected in the NSX Intelligence UI.
Workaround: After completing the upgrade from NSX Intelligence 1.0.0 to version 1.0.1, perform the following steps before proceeding to upgrade to NSX Intelligence 1.1.
- Log in to the NSX Intelligence appliance as 'root' user.
- Execute the following commands on the NSX Intelligence appliance command prompt.
export TRUSTLINK="/home/secureall/secureall/.store/.kafka_broker_truststore"
export TRUSTFILE=$(ls -t /home/secureall/secureall/.store/.kafka_broker_truststore.* | head -1)
rm $TRUSTLINK
ln -s $TRUSTFILE $TRUSTLINK
chown unsxconfig:gproxycert $TRUSTLINK
chown --no-dereference unsxconfig:gproxycert $TRUSTLINK
chmod 660 $TRUSTLINK
- Restart the kafka and nsx-config services.
systemctl restart kafka
systemctl restart nsx-config
Proceed with the upgrade to NSX Intelligence 1.1.0.
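A check you can run after the workaround for Issue 2537740 and before restarting the services, to confirm that the truststore link points at the newest versioned file with the mode and ownership the commands set. This is an added example, not part of the VMware release notes; the function name check_truststore_link is hypothetical and GNU stat (as on a Linux appliance) is assumed.

```shell
#!/bin/sh
# Added example (not from the release notes): verify the result of the
# truststore workaround. check_truststore_link is a hypothetical name.
# $1 = store directory (default: the path used in the workaround)
# $2 = expected owner:group (default: the values passed to chown in the
#      workaround; pass "" to skip the ownership check on a test copy)
check_truststore_link() {
    store_dir="${1:-/home/secureall/secureall/.store}"
    owner="${2-unsxconfig:gproxycert}"
    link="$store_dir/.kafka_broker_truststore"

    # Newest versioned truststore, selected the same way as the workaround.
    newest=$(ls -t "$store_dir"/.kafka_broker_truststore.* 2>/dev/null | head -1)
    if [ -z "$newest" ]; then
        echo "FAIL: no versioned truststore files in $store_dir"; return 2
    fi
    if [ ! -L "$link" ]; then
        echo "FAIL: $link is missing or is not a symbolic link"; return 1
    fi
    target=$(readlink "$link")
    case "$target" in
        /*) ;;                               # absolute target, use as is
        *)  target="$store_dir/$target" ;;   # relative to the link's directory
    esac
    if [ "$target" != "$newest" ]; then
        echo "FAIL: link points to $target, newest file is $newest"; return 1
    fi
    # chmod on a symlink applies to the file it points to, so check the target.
    mode=$(stat -L -c '%a' "$link")
    if [ "$mode" != "660" ]; then
        echo "FAIL: truststore mode is $mode, expected 660"; return 1
    fi
    if [ -n "$owner" ]; then
        # The workaround runs chown with and without --no-dereference,
        # so both the link and the file it points to should match.
        for o in "$(stat -c '%U:%G' "$link")" "$(stat -L -c '%U:%G' "$link")"; do
            if [ "$o" != "$owner" ]; then
                echo "FAIL: owner is $o, expected $owner"; return 1
            fi
        done
    fi
    echo "OK: $link -> $newest"
}
```

Call check_truststore_link with no arguments on the appliance; a non-zero return means the link still needs to be repointed.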
- Issue 2523316 - The NSX Manager user session is lost while the NSX Intelligence services are being restarted during an NSX Intelligence restore operation.
While the NSX Intelligence services are being restarted at the end of an NSX Intelligence restore operation, the current NSX Manager user session is terminated.
Workaround: Log in to NSX Manager again.
- Issue 2536593 - The Recommended Action information provided for a Certificate Expired alarm event is not accurate for NSX Intelligence.
If the Certificate Expired alarm event occurs, using the information provided in the Recommended Action does not resolve the alarm on the NSX Intelligence appliance.
- Issue 2543655 - SSL handshake failure might occur between a transport node and a Kafka Broker in NSX Intelligence.
If flow and context information are missing from a transport node, incorrect information might appear in the NSX Intelligence visualization shown on the NSX Manager user interface. In the /var/log/kafka/server.log file, you might see a continuous logging of the SSL handshake failed error message.
Workaround: Restart the Kafka Broker service using the following steps.
- Log in to the NSX Intelligence appliance using the CLI admin credentials.
- From the NSX Intelligence command line, use the following command.
restart service kafka
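To see which transport nodes are affected by Issue 2543655 before restarting the broker, you can count the "SSL handshake failed" entries per client address. This is an added example, not part of the VMware release notes; the sample lines are constructed and assume the log line layout that Apache Kafka brokers commonly use for this event, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the release notes). The lines below are constructed
# sample data; the layout is an assumption based on the usual Apache Kafka
# broker message for this event, and the addresses are documentation IPs.
sample_log() {
cat <<'EOF'
[2020-04-09 10:00:01,101] INFO [SocketServer brokerId=0] Failed authentication with /192.0.2.11 (SSL handshake failed) (org.apache.kafka.common.network.Selector)
[2020-04-09 10:00:02,202] INFO [SocketServer brokerId=0] Failed authentication with /192.0.2.11 (SSL handshake failed) (org.apache.kafka.common.network.Selector)
[2020-04-09 10:00:03,000] INFO [GroupCoordinator 0]: Stabilized group sample-group generation 4 (kafka.coordinator.group.GroupCoordinator)
[2020-04-09 10:00:04,303] INFO [SocketServer brokerId=0] Failed authentication with /192.0.2.12 (SSL handshake failed) (org.apache.kafka.common.network.Selector)
[2020-04-09 10:00:05,404] INFO [SocketServer brokerId=0] Failed authentication with /192.0.2.11 (SSL handshake failed) (org.apache.kafka.common.network.Selector)
EOF
}

# Reads a Kafka server log on stdin and prints "<count> <client address>",
# highest count first. Matching lines without a parsable address are
# counted under "unparsed" so they are not silently dropped.
handshake_failures_by_client() {
    awk '
        /SSL handshake failed/ {
            if (match($0, /with \/?[0-9A-Fa-f.:]+/)) {
                ip = substr($0, RSTART + 5, RLENGTH - 5)   # skip "with "
                sub(/^\//, "", ip)                         # drop leading "/"
            } else {
                ip = "unparsed"
            }
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# On the appliance:
#   handshake_failures_by_client < /var/log/kafka/server.log
```

An address with a steadily growing count is a transport node whose flow and context data is likely missing from the visualization.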