VMware NSX Intelligence 1.2.1 | 17 APR 2021 | Build 17884599
Check regularly for additions and updates to these release notes.
VMware NSX® Intelligence™ is a distributed analytics platform that leverages granular workload and network context unique to NSX to deliver converged security policy management, analytics, and compliance with data center–wide visibility. NSX Intelligence provides a user interface via a single management pane within NSX Manager and provides the following features:
- Real-time flow visibility for compute workloads in your environment.
- Correlation of live or historic network traffic flows, user-defined firewall configurations, and compute workload inventory.
- Ability to view past information about network traffic flows, user-defined firewall configurations, and compute workload inventory.
- Automated micro-segmentation planning by recommending firewall rules, groups, and services.
What's in the Release Notes
The release notes cover the following topics:
- What's New
- System Requirements
- Compatibility Notes
- Available Languages
- API and CLI Resources
- Revision History
- Resolved Issues
- Known Issues
NSX Intelligence 1.2.1 is a maintenance release and there are no major or minor features, functional enhancements, or extensions introduced.
For information about new features released in the NSX Intelligence 1.2.0 release, see the VMware NSX Intelligence 1.2 Release Notes.
- For system requirements information, see the Installing and Upgrading VMware NSX Intelligence document.
- For information about ports and protocols required for NSX Intelligence, see VMware Ports and Protocols at https://ports.vmware.com/home/NSX-Intelligence.
- For NSX Intelligence and NSX-T Data Center interoperability information, see VMware Product Interoperability Matrices.
- NSX Intelligence does not support Kubernetes Pods, Namespace, or Cluster visualization.
- NSX Intelligence does not support NSX Federation deployments. For deployments with NSX Federation, if an NSX Intelligence instance is deployed with the Local Manager on a specific site, you will see groups and flows from the Global Manager. However, the visualization will not reflect specifics from other sites. NSX Intelligence recommendations will also not function across various sites because NSX Intelligence does not integrate with the Global Manager of NSX-T Data Center.
- When installing the NSX Intelligence 1.2.x appliance using NSX-T Data Center 2.5.x, you must use the instructions provided for the NSX Intelligence 1.0.x release, which was released with NSX-T Data Center 2.5.x. See Download and Unpack the NSX Intelligence Installer Bundle and Install the NSX Intelligence Appliance. You can use the same commands to unpack the NSX Intelligence 1.2.x installer OVA file that you download from the VMware Products Download portal.
API and CLI Resources
NSX Intelligence has been localized into multiple languages: English, German, French, Japanese, Simplified Chinese, Korean, Traditional Chinese, and Spanish. Because NSX Intelligence localization utilizes the browser language settings, ensure that your settings match the desired language.
Document Revision History
17 April 2021. First edition.
16 August 2021. Added known issue 2801225.
- Fixed Issue 2748505: New configuration or flow data are not being included in the NSX Intelligence visualization or recommendation analysis because the HDFS disk is full.
When the HDFS disk is full, the Druid service is unaware of it. The Druid tasks fail and the data is neither ingested nor included in the NSX Intelligence visualization and recommendation.
- Fixed Issue 2741839: The NSX Intelligence agent enters into an infinite restart loop state due to the presence of the issuer, subject, or Bag Attributes in the NSX cluster certificate.
When you use a PKCS #12 certificate that contains the issuer, subject, or Bag Attributes in the NSX cluster certificate, the NSX Intelligence agent ignores such information because the agent uses the Java 8 KeyStore to persist the certificate on disk. When the NSX Intelligence agent is restarted after persisting the certificate, it compares the certificate on disk with the NSX cluster certificate retrieved from the Trust Store and concludes that they are still different. The NSX Intelligence agent then enters into an infinite restart loop and eventually exhausts the resources of the proton JVM.
- Fixed Issue 2658502 - NSX Intelligence encounters an error if the NSX Manager cluster certificate or the NSX Intelligence appliance certificate contains a carriage return character (as part of newline).
- If the NSX Manager certificate contains a carriage return character, the deployment of the NSX Intelligence appliance might fail or the NSX Intelligence appliance might get stuck in a degraded state after it has been deployed.
- If the NSX Manager certificate or NSX Intelligence certificate that has a carriage return character is updated after the NSX Intelligence appliance has been deployed, and when multiple manager services are restarted simultaneously, some of the services might fail to initialize.
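An added example (not VMware code and not the fix shipped in this release) covering both certificate issues above: it shows why comparing two PEM encodings of the same certificate as text fails when one carries Bag Attributes, subject/issuer lines, or carriage returns, and how comparing a SHA-256 of the decoded DER avoids that. The sample bytes and the names in the header text are constructed placeholders.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def der_of(pem_text):
    """DER bytes of the first CERTIFICATE block. Text outside the markers
    (Bag Attributes, subject=, issuer=) and all whitespace inside them,
    carriage returns included, is ignored."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def fingerprint(pem_text):
    """SHA-256 of the decoded certificate: stable across re-encodings."""
    return hashlib.sha256(der_of(pem_text)).hexdigest()

def preflight(pem_text):
    """Report the two text features named in issues 2741839 and 2658502."""
    findings = []
    if "\r" in pem_text:
        findings.append("carriage return present")
    outside = PEM_BLOCK.sub("", pem_text)
    if re.search(r"^\s*(Bag Attributes|subject\s*=|issuer\s*=)", outside, re.M):
        findings.append("Bag Attributes/subject/issuer text outside PEM block")
    return findings

def canonical_pem(pem_text):
    """Re-emit the certificate as LF-only PEM with 64-character lines."""
    b64 = base64.b64encode(der_of(pem_text)).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *body, "-----END CERTIFICATE-----", ""])

# Constructed sample: 200 placeholder bytes stand in for a real DER certificate;
# the names in the header text are invented for the example.
SAMPLE_DER = bytes(range(200))
CLEAN = ("-----BEGIN CERTIFICATE-----\n"
         + base64.encodebytes(SAMPLE_DER).decode("ascii")
         + "-----END CERTIFICATE-----\n")
EXPORTED = ("Bag Attributes\n    friendlyName: nsx-cluster\n"
            "subject=CN = nsx.example.test\nissuer=CN = Example Test CA\n"
            + CLEAN).replace("\n", "\r\n")

if __name__ == "__main__":
    print("text equal:       ", CLEAN == EXPORTED)
    print("fingerprint equal:", fingerprint(CLEAN) == fingerprint(EXPORTED))
    print("preflight:        ", preflight(EXPORTED))
    print(canonical_pem(EXPORTED), end="")
```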
- Fixed Issue 2662537 - The NSX Intelligence appliance might reach a degraded state under a heavy load.
After installing an NSX Intelligence small form factor appliance and operating it for an extended period of time, you might see the appliance's status as degraded from time to time. In particular, this can happen when the number of traffic flow records is high and if the Network Traffic Analysis (Tech Preview) feature is enabled.
- Fixed Issues 2665452 and 2694784 - NSX Intelligence visualization is slow to load in the UI or recommendation jobs fail under heavy load when Guest Introspection is in use.
When specifying a time range that is greater than one hour, the Groups view in the Plan & Troubleshoot > Discover & Take Action user interface is very slow to load in the visualization canvas or recommendation jobs fail. In addition, the /var/log/druid/sv/overlord-service.log file shows Druid compaction job failures for context tables. The issue is due to Druid segments growing faster than expected because compaction or rollup is not occurring properly.
- Fixed Issue 2673869: The processing pipeline for NSX Intelligence can get slow, which results in no traffic flow information being displayed on the visualization canvas for the 1-hour time period.
In the NSX Intelligence visualization canvas, there is no traffic flow information displayed when the 1-hour time period is selected, even though network traffic flows are reported from the hosts. When you use the following command to check the Kafka consumer lag, the lag number is large and increases over time.
# /opt/kafka_2.12-2.6.0/bin/kafka-consumer-groups.sh --bootstrap-server 127.0.0.1:9092 --command-config /opt/kafka_2.12-2.6.0/config/kafka_adminclient.props --group raw_flow_group --describe
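An added example (not part of the VMware release notes) that turns the symptom above into a check: it parses successive `--describe` outputs for `raw_flow_group` and flags lag that is above a threshold and rising in every sample. The topic name, offsets, consumer IDs, and the 100,000 threshold are constructed assumptions; the column layout is the one printed by Kafka 2.x `kafka-consumer-groups.sh`.

```python
def parse_lag(describe_output):
    """Map (topic, partition) -> lag from `--describe` text.
    Columns are located by the header names, not by fixed position."""
    lags, cols = {}, None
    for line in describe_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if "LAG" in fields and "PARTITION" in fields:
            cols = {name: i for i, name in enumerate(fields)}
            continue
        if cols is None or len(fields) <= cols["LAG"]:
            continue
        lag = fields[cols["LAG"]]
        if lag.isdigit():  # "-" is printed when no offset has been committed
            key = (fields[cols["TOPIC"]], int(fields[cols["PARTITION"]]))
            lags[key] = int(lag)
    return lags

def lag_trend(samples, threshold=100_000):
    """samples: describe outputs in time order.
    Returns (total lag per sample, True if lag rose in every interval
    and the latest total is at or above the assumed threshold)."""
    totals = [sum(parse_lag(s).values()) for s in samples]
    rising = len(totals) > 1 and all(b > a for a, b in zip(totals, totals[1:]))
    return totals, rising and totals[-1] >= threshold

# Constructed sample output; topic "raw_flow" and consumer "c-1" are invented.
HEADER = ("GROUP TOPIC PARTITION CURRENT-OFFSET LOG-END-OFFSET LAG "
          "CONSUMER-ID HOST CLIENT-ID")

def constructed_sample(lag0, lag1):
    rows = [HEADER]
    for part, lag in enumerate((lag0, lag1)):
        rows.append(f"raw_flow_group raw_flow {part} 1000 {1000 + lag} {lag} "
                    "c-1 /127.0.0.1 c-1")
    return "\n".join(rows)

if __name__ == "__main__":
    backlog = [constructed_sample(50000, 40000),
               constructed_sample(80000, 65000),
               constructed_sample(120000, 90000)]
    print(lag_trend(backlog))
    print(lag_trend([constructed_sample(12, 0), constructed_sample(5, 3)]))
```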
- Issue 2801225: The Recommendation job or Continuous Monitoring job might not be operating on the most recent version of a Group, Virtual Machine, Bare Metal, or Service entity in the Druid database.
The Continuous monitoring task might not set or reset the necessary rerun flag when a group membership has changed. The Recommendation job might not get the most recent version of the group or its members. This can result in an analysis that does not consider all of the members of the group.
- Issue 2748371: The Force Delete option is missing on the UI when NSX-T Data Center and NSX Intelligence shut down ungracefully.
During a disaster recovery scenario, when the primary NSX-T Data Center goes down abruptly and is restored in the secondary NSX-T Data Center using the NSX-T backup and restore functionality, the secondary NSX-T Data Center still has the context of the NSX Intelligence appliance. However, the NSX Intelligence appliance is unreachable. An attempt to install a new NSX Intelligence appliance fails because the Force Delete option is missing from the NSX Intelligence appliance card on the UI.
Workaround: To force the deletion of the current NSX Intelligence appliance, use the following API call.
where <node-id> is obtained using the following GET call.
GET /nsxapi/api/v1/intelligence/nodes/deployments HTTP/1.1
- Issue 2389691 - Publish recommendation job fails with error "request payload size exceeds the permitted limit, max 2,000 objects are allowed per request."
If you try to publish a single recommendation job that contains more than 2,000 objects, it will fail with error "request payload size exceeds the permitted limit, max 2,000 objects are allowed per request."
Workaround: Reduce the number of objects to fewer than 2,000 in the recommendation job and retry the publication.
- Issue 2374229 - NSX Intelligence appliance runs out of disk space.
The NSX Intelligence appliance has a default data retention period of 30 days. If the amount of flow data is larger than the anticipated amount within 30 days, the appliance might run out of disk space prematurely and become partially or completely non-operational.
Workaround: See VMware Knowledge Base article 76523 for more details and workaround.
- Issue 2366599 - Rules for VMs with IPv6 addresses not enforced.
If a VM uses an IPv6 address, but IPv6 snooping is not enabled for that VIF via the IP discovery profile, the IPv6 address is not populated in the rule for that VM in the data path. As a result, that rule is never enforced.
Workaround: Verify that IPv6 discovery profile is enabled at either the VIF or logical switch whenever IPv6 addresses are used.
- Issue 2531845 - Group visualization is incorrect immediately after upgrading the NSX Intelligence appliance.
After upgrading NSX Intelligence from version 1.0.x to version 1.2.0 or from version 1.1.x to version 1.2.0, the Groups view displays an Uncategorized group with a large and incorrect number of VM members.
Workaround: Wait at least 1 hour after you upgrade NSX Intelligence from version 1.0.x to version 1.1 before using the NSX Intelligence features.
- Issue 2539217 - LDAP users who are not part of any LDAP group are unable to access the NSX Intelligence UI.
LDAP users who are not part of any LDAP group cannot access the NSX Intelligence user interface, even when they have roles assigned in NSX-T Data Center.
Workaround: Users can assign roles to LDAP groups or assign roles to users that are part of LDAP groups only.
- Issue 2529161 - Using the same SFTP folder for backing up an NSX-T cluster, an NSX Intelligence node, and a Global Manager cluster results in a mixed list of backups.
If an SFTP folder is shared between an NSX-T cluster, an NSX Intelligence node, and a Global Manager cluster, then a mixed list of all the backups that were generated using those clusters are listed in the NSX Intelligence Backup user interface. Only backups generated by NSX Intelligence should be listed.
Workaround: Use a unique SFTP folder when backing up each of the NSX-T cluster, NSX Intelligence appliance, or Global Manager cluster.
- Issue 2628443: New configuration changes like Policy Groups, VMs, and traffic flows will not get reflected on NSX Intelligence user interface.
When you run the following CLI command using the virtual IP of an NSX Manager appliance, new configuration changes made for policy groups, VMs, and traffic flows are not reflected in the NSX Intelligence user interface.
set intelligence manager-node
Workaround: If you used the NSX Manager appliance's virtual IP in the set intelligence manager-node CLI command, use the following steps to correct the situation.
- Connect to the NSX Intelligence appliance using the admin user account: ssh admin@intelligence-ip and run the following command:
update intelligence manager node host-ip-addr <nsx-mgr-ip-addr-arg> cert-thumbprint <nsx-mgr-thumbprint-arg>
- While still in the same ssh session as admin, run the following command:
set intelligence manager-node <nsx-mgr-ip-address> cert-id <uuid> cert-b64-encoded-pem <pem>
- Connect to the NSX Intelligence appliance using the root user account: ssh root@intelligence-ip and run the following command:
- Connect to the NSX Intelligence appliance using the admin user account: ssh admin@intelligence-ip and run the following command:
- Issue 2599301: Some active sessions are not visible on the NSX Intelligence user interface for the Last 1 Hour view and are not picked up by the Recommendations module for recommending policies.
There are active traffic flows running on compute hosts, but these traffic flows are not visible in the Last 1 Hour view on the NSX Intelligence user interface. Starting a recommendation analysis for the involved compute hosts does not generate any recommendations for those traffic flows even though those traffic flows are unsegmented.
Workaround: Synchronize the timestamps between the NSX Intelligence appliance and all the compute hosts that are exporting data to NSX Intelligence.
- Issue 2629403: New policy configuration changes such as Group and DFW will not get reflected correctly on NSX Intelligence UI.
After upgrading from NSX Intelligence 1.0.x to NSX Intelligence 1.2, if the NSX Intelligence node and localhost-subscriber certificates have changed, then the configuration synchronization from NSX Manager to the NSX Intelligence appliance might not work.
Workaround: See VMware Knowledge Base article 81318 for more details and workaround.
- Issue 2621892: IPv6 traffic flows are not being reported for physical servers using OVS in Windows.
With the Stateful Firewall service enabled on NSX-T Data Center, physical servers that are using Open vSwitch (OVS) in Windows are unable to report IPv6 traffic flows to NSX-T Data Center. As a result, those IPv6 traffic flows are not reflected in the NSX Intelligence user interface.
- Issue 2631724: Some NSX Intelligence deployments might be assigned fewer CPUs even when the Large form factor is selected during installation.
On installations using earlier NSX Intelligence versions, even when the large form factor (LFF) appliance size is selected during installation, a small form factor (SFF) size gets assigned because of the reduced number of CPUs available in the host that is specified during configuration. This SFF assignment results in degraded performance at scale. In NSX Intelligence 1.2.0, if not enough CPUs are available to accommodate the requested LFF appliance size, the issue is detected during the deployment process and the user interface displays the Registration failed error. In the NSX Intelligence appliance's /var/log/node-manager/node-manager-service.INFO.log file, the following exception is recorded:
Exception: Insufficient CPU resources to support requested form factor
Workaround: When deploying a large form factor NSX Intelligence appliance, use the Resource Pool option in the installation wizard, instead of the Host option.
- Issue 2609372 - NSX Intelligence fails to detect invalid IP address for the NSX Manager appliance.
If you added the NSX Manager certificate information to NSX Intelligence, but provided an incorrect IP address for the NSX Manager, the /var/log/pace-server.log file contains error messages that indicate a connection attempt to the NSX Manager appliance has timed out.
Workaround: See VMware Knowledge Base article 80158 for more details and workaround.
- Issue 2649781 and 2720408 - The 'spark' service remains in a degraded state after the NSX Intelligence appliance is rebooted or upgraded, and an extended period has passed.
In a resource-limited NSX Intelligence setup, the spark service might remain in an unhealthy state even after more than 30 minutes have passed. New traffic flows are not displayed in the visualization canvas because of the degraded state of the spark service.
- Log in to the NSX Intelligence CLI as admin user.
- Verify the state of the spark service using the following command:
- If the spark service is in a stopped or degraded state, use the following command to restart the spark service.
restart service spark
- Issue 2685222: The web browser with an unsupported non-English locale setting crashes after an attempt to access the Plan and Troubleshoot > Recommendations page is made.
If your web browser is set to use an unsupported non-English locale, for example nl-NL, and you try to access the Plan and Troubleshoot > Recommendations page, the web browser crashes. An error message is displayed, similar to the following.
InvalidPipeArgument: Missing locale data for the locale "nl-NL".' for pipe 't'
Workaround: Change your web browser's locale setting to English or any of the currently supported locales. The supported locales are German (de-DE), English (en-US), Spanish (es-ES), French (fr-FR), Japanese (ja-JP), Korean (ko-KR), Simplified Chinese (zh-CN), and Traditional Chinese (zh-TW). For example, go to the following URL for information on how to change the locale used by a Chrome web browser.
- Issue 2682610 - After upgrading to NSX-T Data Center 3.1.x from either NSX-T Data Center 2.5.x or 3.0.x, the context service is not started on the NSX Intelligence appliance.
After you upgrade from NSX-T Data Center 2.5.x or 3.0.x to NSX-T Data Center 3.1.x, the context data does not get generated. The context feature is available, but is not enabled after the NSX Intelligence appliance upgrade process because the context feature is tied to the NSX-T Data Center version, which in this case has to be 3.1.x.
Workaround: See VMware Knowledge Base article 81201 for more details and workaround information.