VMware NSX Intelligence 1.1.1 | 23 JUN 2020 | Build 16275202
Check regularly for additions and updates to these release notes.
VMware NSX® Intelligence™ is a distributed analytics engine that leverages granular workload and network context unique to NSX to deliver converged security policy management, analytics, and compliance with data center–wide visibility. NSX Intelligence provides a user interface via a single management pane within NSX Manager and provides the following features:
- Real-time flow visibility for workloads in your environment.
- NSX Intelligence correlates live or historic flows, user configurations, and workload inventory.
- Ability to view past information about flows, user configurations, and workload inventory.
- Automated micro-segmentation planning by recommending firewall rules, groups, and services.
What's in the Release Notes
The release notes cover the following topics:
- What's New
- System Requirements
- Compatibility Notes
- Available Languages
- API and CLI Resources
- Revision History
- Resolved Issues
- Known Issues
What's New in This Release
NSX Intelligence 1.1.1 is a maintenance release and there are no major or minor features, functional enhancements, or extensions.
For information about new features released in the NSX Intelligence 1.1.0 release, see the VMware NSX Intelligence 1.1.0 Release Notes.
Resolved and New Known Issues
- This release fixes issues documented in the Resolved Issues section.
- For system requirements information, see the Installing and Upgrading VMware NSX Intelligence document.
- For information about ports and protocols required for NSX Intelligence, see VMware Ports and Protocols at https://ports.vmware.com/home/NSX-Intelligence.
- For NSX Intelligence and NSX-T Data Center interoperability information, see VMware Product Interoperability Matrices.
- NSX Intelligence does not support Kubernetes Pods, Namespace, or Cluster visualization.
- NSX Intelligence does not support NSX Federation deployments. For deployments with NSX Federation, if an NSX Intelligence instance is deployed with the Local Manager on a specific site, you will see groups and flows from the Global Manager. However, the visualization will not reflect specifics from other sites. NSX Intelligence recommendations will also not function across various sites because NSX Intelligence does not integrate with the Global Manager of NSX-T Data Center.
- When installing the NSX Intelligence 1.1.0 appliance using NSX-T Data Center 2.5.x, you must use the instructions provided for the NSX Intelligence 1.0.x release, which was released with NSX-T Data Center 2.5.x. See Download and Unpack the NSX Intelligence Installer Bundle and Install the NSX Intelligence Appliance. You can use the same commands to unpack the NSX Intelligence 1.1.0 installer OVA file that you download from the VMware Products Download portal.
API and CLI Resources
NSX Intelligence has been localized into multiple languages: English, German, French, Japanese, Simplified Chinese, Korean, Traditional Chinese, and Spanish. Because NSX Intelligence localization utilizes the browser language settings, ensure that your settings match the desired language.
Document Revision History
09 June 2020. First edition.
17 Sept 2020. Second edition. Moved fixed issue 2570302 to Resolved Issues section.
- Fixed Issues 2538573 and 2543162 - Some persistent load situation might cause recommendations to be in the Waiting state for a long time, or the VMs/Groups views to not work.
If there is a persistent high load on the NSX Intelligence appliance, you might see 1 or more recommendations to be in the Waiting state for a long time, or the VMs/Groups views to not function as expected.
- Fixed Issue 2537740 - Upgrading NSX Intelligence 1.0.0 to version 1.0.1 causes configuration synchronization and data collection to be impacted.
If you upgrade NSX Intelligence 1.0.0 to version 1.0.1 and to version 1.1.0, the NSX Manager Unified Appliance configuration information is not updated on the NSX Intelligence appliance. In addition, data collection might also be disrupted. For example, new groups or VMs created after the NSX Intelligence upgrades might not be reflected in the NSX Intelligence UI.
- Fixed Issue 2523316 - The NSX Manager user session is lost while the NSX Intelligence services are being restarted during an NSX Intelligence restore operation.
While the NSX Intelligence services are being restarted at the end of an NSX Intelligence restore operation, the current NSX Manager user session is terminated.
- Fixed Issue 2570302 in NSX-T Data Center 3.0.2: NSX API /api/v1/intelligence/host-config can return a 500 error code.
When you invoke the NSX API /api/v1/intelligence/host-config, it can return a 500 error code with the error message "Multiple NSX Intelligence host configuration is found in the system. Only one configuration is expected."
- Fixed Issue 2526083 in NSX-T Data Center 3.0.1: Some NSX services might not function properly when the NSX Manager becomes disconnected from the NSX Intelligence appliance.
NSX Intelligence depends on this fixed issue, which is available beginning with the NSX-T Data Center 3.0.1 release.
In the System > Appliances page of the NSX Manager UI, the NSX Intelligence Appliance card displays an error or shows a status that the appliance appears to be stuck in the data fetching state.
- Issue 2368926 - Recommendations job fails if user reboots appliance while job is in progress.
If you reboot the NSX Intelligence appliance while a recommendations job is in progress, the job goes to a failed state. You can start a recommendation job for a set of context VMs. The reboot deletes the context and the job fails as a result.
Workaround: After reboot, repeat the recommendations job for the same set of VMs.
- Issues 2396630 and 2533563 - Delete transport node operation may fail when NSX intelligence appliance is deployed.
If a transport node is being deleted while the NSX Intelligence appliance is being deployed, the deletion can fail because the transport node is referred by NSX-INTELLIGENCE-GROUP NSGroup. To delete a transport node, the force delete option is required when NSX Intelligence appliance is deployed.
Workaround: Use the force option to delete the transport node.
- Issue 2521825 - Federation is not supported in NSX Intelligence.
When deploying NSX Intelligence with the Local Manager, any configuration pushed down from the Global Manager may not be visualized correctly. Recommendations for a configuration pushed from Global Manager will not be accurate, since the Recommendation feature can only take locally managed objects as input and doesn't recommend or publish rules to the Global Manager.
- Issue 2369802 - NSX Intelligence appliance backup excludes event/flows datastore backup.
This functionality is not supported in NSX Intelligence versions 1.0.x and 1.1.x.
- Issue 2389691 - Publish recommendation job fails with error "request payload size exceeds the permitted limit, max 2,000 objects are allowed per request."
If you try to publish a single recommendation job that contains more than 2,000 objects, it will fail with error "request payload size exceeds the permitted limit, max 2,000 objects are allowed per request."
Workaround: Reduce the number of objects to fewer than 2,000 in the recommendation job and retry the publication.
- Issue 2393240 - Additional Flows are observed from VM to IP address.
Additional flows from VM to IP-xxxx are seen. This is due to the configuration data (Groups, VMs and services) when the NSX Policy manager reaches the NSX Intelligence appliance after the flow is created. Therefore the (earlier) flow cannot be correlated with the configuration, because it is non-existent from the flow perspective. Since the flow cannot be normally correlated, it defaults to IP-xxxx for its VM during flow lookup. After the configuration is synchronized, the actual VM flow appears.
Workaround: Modify the time window to exclude the flow you do want to see.
- Issue 2370660 - NSX Intelligence shows inconsistent data for specific VMs.
This is likely caused by those VMs having the same IP address in the data center. This is not supported by NSX Intelligence in NSX-T 2.5.
Workaround: None. Avoid assigning the same IP address to two VMs in the data center.
- Issue 2410224 - After completing NSX Intelligence appliance registration, refreshing view may return a 403 Forbidden error.
After completing NSX Intelligence appliance registration, if you click Refresh to View, the system may return a 403 Forbidden error. This is a temporary condition caused by the time required for the NSX Intelligence appliance to access the interface.
Workaround: If you receive this error, wait a few moments and try again.
- Issue 2374229 - NSX Intelligence appliance runs out of disk space.
The NSX Intelligence appliance has a default data retention period of 30 days. If the amount of flow data is larger than the anticipated amount within 30 days, the appliance might run out of disk space prematurely and become partially or completely non-operational.
Workaround: See Knowledge Base article 76523 for more details and workaround.
- Issue 2385599 - Groups of static IPs not supported in NSX-T Intelligence recommendations.
VMs and workloads that are not recognized in the NSX-T inventory, if they have intranet IP addresses, may be still be subject to recommendation as a group of static IPs, including recommendation-define rules containing these groups. However, NSX Intelligence does not support such groups and as a result, visualization shows traffic sent to them as sent to "Unknown" instead of the recommended group.
Workaround: None. However, recommendation is functioning correctly. This is a display issue.
- Issue 2366599 - Rules for VMs with IPv6 addresses not enforced.
If a VM uses an IPv6 address, but IPv6 snooping is not enabled for that VIF via the IP discovery profile, the IPv6 address is not populated in the rule for that VM in the data path. As a result, that rule is never enforced.
Workaround: Verify that IPv6 discovery profile is enabled at either the VIF or logical switch whenever IPv6 addresses are used.
- Issue 2374231 - Port scan with nmap tool generates flow with service as UNKNOWN and port as 0.
NSX Intelligence does not support source or destination port parsing for GRE, ESP, and SCTP protocol flows. NSX Intelligence provides full header parsing for TCP and UDP flows along with flow related statistics. For other supported protocols (such as GRE, ESP, and SCTP) NSX Intelligence can only provide IP information without protocol specific source or destination ports. For these protocols, the source or destination port will be zero.
- Issue 2410096 - After rebooting the NSX Intelligence appliance, flows collected in the last 10 minutes prior to reboot may not be displayed.
This is caused by an indexing issue.
- Issue 2531845 - Group visualization is incorrect immediately after upgrading the NSX Intelligence appliance.
After upgrading NSX Intelligence from version 1.0.x to version 1.1, the Groups view displays an Uncategorized group with a large and incorrect number of VM members.
Workaround: Wait at least 1 hour after you upgrade NSX Intelligence from version 1.0.x to version 1.1 before using the NSX Intelligence features.
- Issue 2539217 - LDAP users who are not part of any LDAP group are unable to access the NSX Intelligence UI
LDAP users who are not part of any LDAP group cannot access the NSX Intelligence user interface, even when they have roles assigned in NSX-T Data Center.
Workaround: Users can assign roles to LDAP groups or assign roles to users that are part of LDAP groups only.
- Issue 2529161 - Using the same SFTP folder for backing up an NSX-T cluster, an NSX Intelligence node, and a Global Manager cluster results in a mixed list of backups.
If an SFTP folder is shared between an NSX-T cluster, an NSX Intelligence node, and a Global Manager cluster, then a mixed list of all the backups that were generated using those clusters are listed in the NSX Intelligence Backup user interface. Only backups generated by NSX Intelligence should be listed.
Workaround: Use a unique SFTP folder when backing up each of the NSX-T cluster, NSX Intelligence appliance, or Global Manager cluster.
- Issue 2536593 - The Recommended Action information provided for a Certificate Expired alarm event is not accurate for NSX Intelligence.
If the Certificate Expired alarm event occurs, using the information provided in the Recommended Action does not resolve the alarm on the NSX Intelligence appliance.
- Issue 2543655 - SSL handshake failure might occur between a transport node and a Kafka Broker in NSX Intelligence.
If flow and context information are missing from a transport node, incorrect information might appear in the NSX Intelligence visualization shown on the NSX Manager user interface. In the /var/log/kafka/server.log file, you might see a continuous logging of the SSL handshake failed error message.
Workaround: Restart the Kafka Broker service using the following steps.
- Log in to the NSX Intelligence appliance using the CLI admin credentials.
- From the NSX Intelligence command line, use the following command.
restart service kafka