After you upgrade NSX-T Data Center, you can verify whether the versions of the upgraded components have been updated.

If you are upgrading from NSX-T Data Center 2.3 or earlier, your networking configuration is found under the Advanced Networking & Security and System tabs. You should continue to manage your environment using these tabs. See "Overview of the NSX Manager" in the NSX-T Data Center Administration Guide for more information.


Perform a successful upgrade. See Upgrading NSX-T Data Center.


  1. From your browser, log in with admin privileges to an NSX Manager at https://nsx-manager-ip-address.
  2. Select System > Upgrade.
  3. Verify that the overall upgrade version, component version, and initial and target product version are accurate.
    1. (Optional) Verify that the Dashboard, fabric hosts, NSX Edge cluster, transport nodes, and all logical entities status indicators are green, normal, deployed, and do not show any warnings.
    2. (Optional) Verify the status of several components.
      • Fabric nodes installation
      • Transport node Local Control Plane (LCP) and Management plane agent connectivity
      • Routers connectivity
      • NAT rules
      • DFW rules
      • DHCP lease
      • BGP details
      • Flows in the IPFIX collector
      • TOR connectivity to enable the network traffic
    The status of the upgrade appears as Successful.

    If you have a vCenter Server registered as a compute manager, after upgrading to NSX-T Data Center 2.5.x, the NSX extension, that is registered in vCenter Server does not display the latest version. This is only a cosmetic issue and has no functional impact.

  4. Modify the default admin password expiration.
    If the password expires, you will be unable to log in and manage components. Additionally, any task or API call that requires the administrative password to execute will fail. By default, passwords expire after 90 days. If your password expires, see Knowledge Base article 70691 NSX-T admin password expired.
    1. Reset the expiration period.
      You can set the expiration period for between 1 and 9999 days.
      nsxcli set user admin password-expiration <1 - 9999>
    2. (Optional) You can disable password expiry so the password never expires.
      nsxcli clear user audit password-expiration
  5. If you have an existing Ubuntu KVM host as a transport node, back up the /etc/network/interfaces file.
  6. If you have VIDM enabled, access your the local account at https://nsx-manager-ip-address/login.jsp?local=true.
  7. Verify CPU and Memory values for NSX Edge VMs.

    After upgrading, log in to the vSphere Client to verify if your existing NSX Edge VMs are configured with the following CPU and Memory values. If they are not, edit the VM settings to match these values.

    NSX-T Data Center 2.5 Appliance Memory vCPU
    NSX Edge Small VM 4 GB 2
    NSX Edge Medium VM 8 GB 4
    NSX Edge Large VM 32 GB 8
  8. If you did not use NSX Policy Manager 2.3 to create your DFW rules, move your rules to the upgraded NSX Manager.
    1. Navigate to the Security tab and recreate your rules.
      Your pre-upgrade configuration is available under Advanced Networking & Security > Security > Distributed Firewall.
    2. Navigate to Advanced Networking & Security > Security > Distributed Firewall and delete your pre-upgrade rules.
    3. Delete the infra_EC_to_FL_Connectivity_Strategy constraint to reset connectivity strategy.

      The connectivity strategy is set to NONE after the upgrade. To reset connectivity strategy, use an API call to delete the infra_EC_to_FL_Connectivity_Strategy constraint.

      DELETE https://<policy-mgr>/policy/api/v1/infra/constraints/<constraint-id>

      See the NSX-T Data Center API Guide.