You can only upgrade the NSX Controller cluster.

The NSX Controller nodes are upgraded in parallel order.


Due to changes in the communication from the transport node to NSX Controller, you must open the TCP ports 1235 and 1234 before you upgrade from NSX-T Data Center 2.1 to higher. After the upgrade is successful, the TCP port 1235 is in use.

For troubleshooting and verification of communication, use the TCP port 1235.



  1. Click Start to upgrade the NSX Controller cluster.
  2. Monitor the upgrade process.

    You can view the overall upgrade status and progress details of each Controller node in real time.

    During the upgrade, the NSX Controller cluster connectivity to the hosts is temporarily interrupted. When the upgrade finishes, the status of each Controller node appears as successful or failed.

  3. (Optional) In the NSX Manager appliance, select System > Overview and verify that the product version is updated on each NSX Controller node.

What to do next

If the process was successful, you can proceed with the upgrade. See Upgrade Management Plane.

If the upgrade fails and the following upgrade error message is in the syslog of the NSX Controller,

<179>1 2018-06-04T06:03:09.819560+00:00 ctrl2 NSX - -
[nsx@6876 comp="nsx-controller" subcomp="upgrade-bundle"]
upgrade_bundle_helper: Failed to verify bundle:
/image/VMware-NSX-controller- has bad permissions:

This is because the NSX Controller was rebooted during the upgrade process. Identify the failed NSX Controller node and log in to the CLI of that node. Run the command, verify upgrade-bundle <bundle-name>. Start the NSX Controller upgrade.