The NSX upgrade process can take some time, especially when upgrading ESXi hosts, because hosts must be rebooted. It is important to understand the operational state of NSX components during an upgrade, such as when some but not all hosts have been upgraded, or when NSX Edges have not yet been upgraded.

VMware recommends that you run the upgrade in a single outage window to minimize downtime and reduce confusion among NSX users who cannot access certain NSX management functions during the upgrade. However, if your site requirements prevent you from completing the upgrade in a single outage window, the information below can help your NSX users understand what features are available during the upgrade.

An NSX deployment upgrade proceeds as follows:

NSX Manager —> NSX Controller Cluster —> NSX Host Clusters —> NSX Edges

vCenter Upgrade

If you are using vCenter embedded SSO and you are upgrading vCenter 5.5 to vCenter 6.0, vCenter might lose connectivity with NSX. This happens if vCenter 5.5 was registered with NSX using the root user name. Starting in NSX 6.2, vCenter registration with root is deprecated. As a workaround, reregister vCenter with NSX using the administrator@vsphere.local user name instead of root.

If you are using external SSO, no change is necessary. You can retain the same user name, for example admin@mybusiness.mydomain, and vCenter connectivity will not be lost.

NSX Manager Upgrade


  • NSX Manager configuration is blocked. The NSX API service is unavailable. No changes to the NSX configuration can be made. Existing VM communication continues to function. New VM provisioning continues to work in vSphere, but the new VMs cannot be connected to NSX logical switches during the NSX Manager upgrade.


  • All NSX configuration changes are allowed. At this stage, if any new NSX Controllers are deployed, they will boot with the old version until the existing NSX Controller cluster is upgraded. Changes to the existing NSX configuration are allowed. New logical switches, logical routers, and edge service gateways can be deployed. For distributed firewall, if new features are introduced after the upgrade, those are unavailable for configuration (greyed out) in the user interface until all hosts are upgraded.

NSX Controller Cluster Upgrade


  • Logical network creation and modifications are blocked during the upgrade process. Do not make logical network configuration changes while the NSX Controller cluster upgrade is in progress. Do not provision new VMs during this process. Also, do not move VMs or allow DRS to move VMs during the upgrade.

    During the upgrade, when there is a temporary non-majority state, existing virtual machines do not lose networking.

    New logical network creation is automatically blocked during the upgrade.

    Do not allow dynamic routes to change during the upgrade.


  • Configuration changes are allowed. New logical networks can be created. Existing logical networks continue to function.

NSX Host Upgrade


  • Configuration changes are not blocked on NSX Manager. Upgrade is performed on a per-cluster basis. If DRS is enabled on the cluster, DRS manages the upgrade order of the hosts. Adds and changes to logical network are allowed. The host currently undergoing upgrade is in maintenance mode. Provisioning of new VMs continues to work on hosts that are not currently in maintenance mode.

When some NSX hosts in a cluster are upgraded and others are not:

  • NSX Manager configuration changes are not blocked. Controller-to-host communication is backward compatible, meaning that upgraded controllers can communicate with non-upgraded hosts. Additions and changes to logical networks are allowed. Provisioning new VMs continues to work on hosts that are not currently undergoing upgrade. Hosts currently undergoing upgrade are placed in maintenance mode, so VMs must be powered off or evacuated to other hosts. This can be done with DRS or manually.

NSX Edge Upgrade

NSX Edges can be upgraded without any dependency on the NSX Controller or host upgrades. You can upgrade an NSX Edge even if you have not yet upgraded the NSX Controller or hosts.


  • On the NSX Edge device currently being upgraded, configuration changes are blocked. Additions and changes to logical switches are allowed. Provisioning new VMs continues to work.

  • Packet forwarding is temporarily interrupted.

  • In NSX Edge 6.0 and later, OSPF adjacencies are withdrawn during upgrade if graceful restart is not enabled.


  • Configuration changes are not blocked. Any new features introduced in the NSX upgrade will not be configurable until all NSX Controllers and all host clusters have been upgraded to NSX version 6.2.x.

  • L2 VPN must be reconfigured after upgrade.

  • SSL VPN clients must be reinstalled after upgrade.

Guest Introspection Upgrade

During an NSX upgrade, the NSX UI prompts you to upgrade Guest Introspection service.


  • There is a loss of protection for VMs in the NSX cluster when there is a change to the VMs, such as VM additions, vMotions, or deletions.


  • VMs are protected during VM additions, vMotions, and deletions.