What's in the Release Notes

Important Information about NSX-T Data Center 3.2.0

What's New

• Layer 2 Networking
• Layer 3 Networking
• Multicast
• Edge Platform
• Distributed Firewall
• Distributed Intrusion Detection/Prevention System (D-IDPS)
• Gateway Firewall
• New NSX Application Platform
• Network Detection and Response
• VPN
• Guest Introspection
• Federation
• Container Networking and Security
• Load Balancing
• NSX Cloud
• Operations and Monitoring
• Monitoring
• Usability and User Interface
• Policy
• AAA and Platform Security
• Scale
• Licensing
• NSX Data Center for vSphere to NSX-T Data Center Migration

Tech Preview Features

Inclusive Terminology

Compatibility and System Requirements

Feature / API Deprecations and Behavior Changes

• Deprecation announcement for NSX Manager APIs and NSX Advanced UIs
• N-VDS NSX-T Host Switch Deprecation Announcement
• OpenStack and KVM
• Deprecation Announcement for NSX-T Load Balancing APIs
• Alarms
• Live Traffic Analysis API Deprecation and Changes
• API Deprecations and Behavior Changes

Upgrade Notes for This Release

API and CLI Resources

Available Languages

Document Revision History

Resolved Issues

• Fixed Issue 2643610: Load balancer statistics APIs are not returning stats.

  Stats of API are not set. You can't see load balancer stats.

  Workaround: Reduce the number of load balancers configured.

• Fixed Issue 2468774: Backups Occurs Unexpectedly with the Detect NSX configuration change option enabled.

  When Detect NSX configuration change is enabled, backups would occur even though there were no changes to the NSX configuration.

• Fixed Issue 2692344: If you delete the Avi Enforcement point, it deletes all the realized objects from the policy, which deletes all default object’s realized entities from the policy. Adding new enforcement point fails to re-sync the default object from the Avi Controller.

  You will not be able to use the system-default objects after deletion and recreation of the Enforcement point of AVIConnectionInfo.

• Fixed Issue 2858893: Service Deployment cleanup fails for Clustered-based deployment.

  No functional impact. Failure to clean up Service if trying to unregister ServiceDefinion with dangling ServiceDeployment or Instances. Have to manually/forcefully clean up from db.

• Fixed Issue 2557287: TNP updates done after backup are not restored.

  You won't see any TNP updates done after backup on a restored appliance.

• Fixed Issue 2679614: When the API certificate is replaced on the Local Manager, the Global Manager's UI will display the message, "General Error has occurred."

  When the API certificate is replaced on the Local Manager, the Global Manager's UI will display the message, "General Error has occurred."

• Fixed Issue 2658687: Global Manager switchover API reports failure when transaction fails, but the failover happens.

  API fails, but Global Manager switchover completes.

• Fixed Issue 2652418: Slow deletion when large number of entities are deleted.

  Deletion will be slower.

• Fixed Issue 2649499: Firewall rule creation takes a long time when individual rules are created one after the other.

  Slow API takes more time to create rules.

• Fixed Issue 2649240: Deletion is slow when a large number of entities are deleted using individual delete APIs.

  It takes significant time to complete the deletion process.

• Fixed Issue 2606452: Onboarding is blocked when trying to onboard via API.

  Onboarding API fails with the error message, "Default transport zone not found at site".

• Fixed Issue 2587513: Policy shows error when multiple VLAN ranges are configured in bridge profile binding.

  You will see an "INVALID VLAN IDs" error message.

• Fixed Issue 2662225: When active edge node becomes non-active edge node during flowing S-N traffic stream, traffic loss is experienced.

  Current S->N stream is running on multicast active node. The preferred route on TOR to source should be through the multicast active edge node only. Bringing up another edge can take over multicast active node (lower rank edge is active multicast node). Current S->N traffic will experience loss up to four minutes. This is will not impact new stream or if current stream is stopped and started again.

• Fixed Issue 2625009: Inter-SR iBGP sessions keep flapping, when intermediate routers or physical NICs have lower or equal MTU as the inter-SR port.

  This can impact inter-site connectivity in Federation topologies and inter-SR connectivity in non-federation topologies.

• Fixed Issue 2521230: BFD status displayed under ‘get bgp neighbor summary’ may not reflect the latest BFD session status correctly.

  BGP and BFD can set up their sessions independently. As part of ‘get bgp neighbor summary’ BGP also displays the BFD state. If the BGP is down, it will not process any BFD notifications and will continue to show the last known state. This could lead to displaying stale state for the BFD.

• Fixed Issue 2550492: During an upgrade, the message, "The credentials were incorrect or the account specified has been locked" is displayed temporarily and the system recovers automatically.

  Transient error message during upgrade.

• Fixed Issue 2682480: Possible false alarm for NCP health status.

  The NCP health status alarm may be unreliable in the sense that it is raised when NCP system is healthy.

• Fixed Issue 2655539: Host names are not updated on the Location Manager page of the Global Manager UI when updating the host names using the CLI.

  The old host name is shown.

• Fixed Issue 2631703: When doing backup/restore of an appliance with vIDM integration, vIDM configuration will break.

  Typically when an environment has been both upgraded and/or restored, attempting to restore an appliance where vIDM integration is up and running will cause that integration to break and you will to have to reconfigure.

• Fixed Issue 2730109: When Edge is powering ON, Edge tries to make OSPF neighborship with the peer using its routerlink IP address as a OSPF RouterID though loop back is present.

  After reloading Edge, OSPF selects the downlink IP-address (the higher IP-address) as router-id until it receives the OSPF router-id configuration due to the configuration sequencing order. The neighbour entry with older router-id will eventually become stale entry upon receiving OSPF HELLO with new router-id and get expired after dead timer expiry on the peer.

• Fixed Issue 2610851: Namespaces, Compute Collection, L2VPN Service grid filtering might return no data for few combinations of resource type filters.

  Applying multiple filters for a few types at the same time returned no results even though data is available with matching criteria. It is not a common scenario and filter will fail only these grids for the following combinations of filter attribute: For Namespaces grid ==> On Cluster Name and Pods Name filter For Network Topology page ==> On L2VPN service applying a remote ip filter For Compute Collection ==> On ComputeManager filter

• Fixed Issue 2482580: IDFW/IDS configuration is not updated when an IDFW/IDS cluster is deleted from vCenter.

  When a cluster with IDFW/IDS enabled is deleted from vCenter, the NSX management plane is not notified of the necessary updates. This results in accurate count of IDFW/IDS enabled clusters. There is no functional impact. Only the count of the enabled clusters is wrong.

• Fixed Issue 2587257: In some cases, PMTU packet sent by NSX-T edge is ignored upon receipt at the destination.

  PMTU discovery fails resulting in fragmentation and reassembly, and packet drop. This results in performance drop or outage in traffic.

• Fixed Issue 2622576: Failures due to duplicate configuration are not propagated correctly to user.

  While onboarding is in progress, you see an "Onboarding Failure" message.

• Fixed Issue 2638673: SRIOV vNICs for VMs are not discovered by inventory.

  SRIOV vNICs are not listed in Add new SPAN session dialog. You will not see SRIOV vNICs when adding new SPAN session.

• Fixed Issue 2643749: Unable to nest group from custom region created on specific site into group that belongs to system created site specific region.

  You will not see the group created in site specific custom region while selecting child group as a member for the group in the system created region with the same location.

• Fixed Issue 2805986: Unable to deploy NSX-T managed edge VM.

  NSX-T Edge deployment fails when done using ESX UI.

• Fixed Issue 2685550: FW Rule realization status is always shown as "In Progress" when applied to bridged segments.

  When applying FW Rules to an NSGroup that contains bridged segments as one of its members, realization status will always be shown as in progress. You won't be able to check the realization status of FW Rules applied to bridged segments.

Known Issues

• Issue 3116294: Rule with nested group does not work as expected on hosts.

  Traffic not allowed or skipped correctly.

  Workaround: See knowledge base article 91421.

• Issue 3025104: Host showing "Failed " state when restore performed on different IP and same FQDN.

  When restore is performed using different IP of MP nodes using the same FQDN, hosts are not able to connect to the MP nodes.

  Workaround: Refresh DNS cache for the host. Use command /etc/init.d/nscd restart.

• Issue 3012313: Upgrading NSX Malware Prevention or NSX Network Detection and Response from version 3.2.0 to NSX ATP 3.2.1 or 3.2.1.1 fails.

  After the NSX Application Platform is upgraded successfully from NSX 3.2.0 to NSX ATP 3.2.1 or 3.2.1.1, upgrading either the NSX Malware Prevention (MP) or NSX Network Detection and Response (NDR) feature fails with one or more of the following symptoms.

  1. The Upgrade UI window displays a FAILED status for NSX NDR and the cloud-connector pods.

  2. For an NSX NDR upgrade, a few pods with the prefix of nsx-ndr are in the ImagePullBackOff state.   

  3. For an NSX MP upgrade, a few pods with the prefix of cloud-connector are in the ImagePullBackOff state.   

  4. The upgrade fails after you click UPGRADE, but the previous NSX MP and NSX NDR functionalities still function the same as before the upgrade was started. However, the NSX Application Platform might become unstable.

  Workaround: See VMware knowledge base article 89418.

• Issue 2989696: Scheduled backups fail to start after NSX Manager restore operation.

  Scheduled backup does not generate backups. Manual backups continue to work.

  Workaround: See Knowledge base article 89059.

• Issue 3015843: The DFW packet log identifier was changed in NSX-T 3.2.0 and was not mentioned in the release notes.

  Unable to see DFW packet logs with log identifier used from prior releases.

  The following NSX-T syslog fields were changed to align with RFC compliance:

  • FIREWALL_PKTLOG changed to FIREWALL-PKTLOG

  • DLB_PKTLOG changed to DLB-PKTLOG

  • IDPS_EVT changed to IDPS-EVT

  • nsx_logger changed to nsx-logger

  Since these changes were made to align with RFC compliance, there is no foreseeable scenario of future NSX releases reverting back to the log structure from prior releases.

• Issue 2355113: Workload VMs running RedHat and CentOS on Azure accelerated networking instances is not supported.

  In Azure when accelerated networking is enabled on RedHat or CentOS based OS's and with NSX Agent installed the ethernet interface does not obtain an IP address.

  Workaround: Disable accelerated networking for RedHat and CentOS based OS.

• Issue 2283559: /routing-table and /forwarding-table MP APIs return an error if the edge has 65k+ routes for RIB and 100k+ routes for FIB.

  If the edge has 65k+ routes for RIB and 100k+ routes for FIB, the request from MP to Edge takes more than 10 seconds and results in a timeout. This is a read-only API and has an impact only if they need to download the 65k+ routes for RIB and 100k+ routes for FIB using API/UI.

  Workaround: There are two options to fetch the RIB/FIB. These APIs support filtering options based on network prefixes or type of route. Use these options to download the routes of interest. CLI support in case the entire RIB/FIB table is needed and there is no timeout for the same.

• Issue 2693576: Transport Node shows "NSX Install Failed" after KVM RHEL 7.9 upgrade to RHEL 8.2​.

  After RHEL 7.9 upgrade to 8.2, dependencies nsx-opsagent and nsx-cli are missing, Host is marked as install failed. Resolving the failure from the UI doesn't work: Failed to install software on host. Unresolved dependencies: [PyYAML, python-mako, python-netaddr, python3]

  Workaround: Manually install NSX RHEL 8.2 vibs after host OS upgrade and then resolve it from the UI.

• Issue 2628503: DFW rule remains applied even after forcefully deleting the manager nsgroup.

  Workaround: Do not forcefully delete an nsgroup that is still used by a DFW rule. Instead, make the nsgroup empty or delete the DFW rule.

• Issue 2684574: If the edge has 6K+ routes for Database and Routes, the Policy API times out.

  These Policy APIs for the OSPF database and OSPF routes return an error if the edge has 6K+ routes: /tier-0s/<tier-0s-id>/locale-services/<locale-service-id>/ospf/routes /tier-0s/<tier-0s-id>/locale-services/<locale-service-id>/ospf/routes?format=csv /tier-0s/<tier-0s-id>/locale-services/<locale-service-id>/ospf/database /tier-0s/<tier-0s-id>/locale-services/<locale-service-id>/ospf/database?format=csv If the edge has 6K+ routes for Database and Routes, the Policy API times out. This is a read-only API and has an impact only if the API/UI is used to download 6k+ routes for OSPF routes and database.

  Workaround: Use the CLI commands to retrieve the information from the edge.

• Issue 2663483: The single-node NSX Manager will disconnect from the rest of the NSX Federation environment if you replace the APH-AR certificate on that NSX Manager.

  This issue is seen only with NSX Federation and with the single node NSX Manager Cluster. The single-node NSX Manager will disconnect from the rest of the NSX Federation environment if you replace the APH-AR certificate on that NSX Manager.

  Workaround: Single-node NSX Manager cluster deployment is not a supported deployment option, so have three-node NSX Manager cluster.

• Issue 2636771: Search can return resource when a resource tagged with multiple tag pairs, and tag and scope match with any value of tag and scope.

  This affects search query with condition on tag and scope. Filter may return extra data if tag and scope match with any pair.

  Workaround: None.

• Issue 2668717: Intermittent traffic loss might be observed for E-W routing between the vRA created networks connected to segments sharing Tier-1.

  In cases where vRA creates multiple segments and connects to a shared ESG, V2T will convert such a topology to a shared Tier-1 connected to all segments on the NSX-T side. During the host migration window, intermittent traffic loss might be observed for E-W traffic between workloads connected to the segments sharing the Tier-1.

  Workaround: None.

• Issue 2490064: Attempting to disable VMware Identity Manager with "External LB" toggled on does not work.

  After enabling VMware Identity Manager integration on NSX with "External LB", if you attempt to then disable integration by switching "External LB" off, after about a minute, the initial configuration will reappear and overwrite local changes.

  Workaround: When attempting to disable vIDM, do not toggle the External LB flag off; only toggle off vIDM Integration. This will cause that config to be saved to the database and synced to the other nodes.

• Issue 2526769: Restore fails on multi-node cluster.

  When starting a restore on a multi-node cluster, restore fails and you will have to redeploy the appliance.

  Workaround: Deploy a new setup (one node cluster) and start the restore.

• Issue 2534933: Certificates that have LDAP based CDPs (CRL Distribution Point) fail to apply as tomcat/cluster certs.

  You can't use CA-signed certificates that have LDAP CDPs as cluster/tomcat certificate.

  Workaround: There are two options.

  1. Use a certificate that has HTTP-based CDP.

  2. Disable CRL checking using PUT https://<manager>/api/v1/global-configs/SecurityGlobalConfig API (In the payload for PUT, make sure to have "crl_checking_enabled" as false.)

• Issue 2566121: Wrong error message, "Some appliance components are not functioning properly" is displayed when server is overloaded.

  When there are too many API calls made to NSX, UI/API shows error, "Some appliance components are not functioning properly" instead of "server is overloaded."

  Workaround: None.

• Issue 2613113: If onboarding is in progress, and restore of Local Manager is done, the status on Global Manager does not change from IN_PROGRESS.

  UI shows IN_PROGRESS in Global Manager for Local Manager onboarding. Configuration of the restored site cannot be imported.

  Workaround: Restart the Global Manager cluster, one node at a time.

• Issue 2690457: When joining an MP to an MP cluster where publish_fqdns is set on the MP cluster and where the external DNS server is not configured properly, the proton service may not restart properly on the joining node.

  The joining manager will not work and the UI will not be available.

  Workaround: Configure the external DNS server with forward and reverse DNS entries for all Manager nodes.

• Issue 2574281: Policy will only allow a maximum of 500 VPN Sessions.

  NSX claims support of 512 VPN Sessions per edge in the large form factor, however, due to Policy doing auto plumbing of security policies, Policy will only allow a maximum of 500 VPN Sessions. Upon configuring the 501st VPN session on Tier0, the following error message is shown: {'httpStatus': 'BAD_REQUEST', 'error_code': 500230, 'module_name': 'Policy', 'error_message': 'GatewayPolicy path=[/infra/domains/default/gateway-policies/VPN_SYSTEM_GATEWAY_POLICY] has more than 1,000 allowed rules per Gateway path=[/infra/tier-0s/inc_1_tier_0_1].'}

  Workaround: Use Management Plane APIs to create additional VPN Sessions.

• Issue 2658092: Onboarding fails when NSX Intelligence is configured on Local Manager.

  Onboarding fails with a principal identity error. and you cannot onboard a system with principal identity user.

  Workaround: Create a temporary principal identity user with the same principal identity name that is used by NSX Intelligence.

• Issue 2639424: Remediating a Host in a vLCM cluster with Host-based Deployment will fail after 95% Remediation Progress is completed.

  The remediation progress for a Host will be stuck at 95% and then Fail after 70 minute timeout is completed.

  Workaround: See VMware knowledge base article 81447.

• Issue 2636420: Host will go to "NSX install skipped" state and cluster in "Failed" state post restore if "Remove NSX" is run on cluster post backup.

  "NSX Install Skipped" will be shown for host.

  Workaround: Following restore, you should have to run "Remove NSX" on the cluster again to achieve the state that was present following backup (not configured state).

• Issue 2558576: Global Manager and Local Manager versions of a global profile definition can differ and might have an unknown behavior on Local Manager.

  Global DNS, session, or flood profiles created on Global Manager cannot be applied to a local group from UI, but can be applied from API. Hence, an API user can accidentally create profile binding maps and modify global entity on Local Manager.

  Workaround: Use the UI to configure system.

• Issue 2491800: AR channel SSL certificates are not periodically checked for their validity, which could lead to using an expired/revoked certificate for an existing connection.

  The connection would be using an expired/revoked SSL.

  Workaround: Restart the APH on the Manager node to trigger a reconnection.

• Issue 2561988: All IKE/IPSEC sessions are temporarily disrupted.

  Traffic outage will be seen for some time.

  Workaround: Modify the local endpoints in phases instead of all at the same time.

• Issue 2584648: Switching primary for T0/T1 gateway affects northbound connectivity.

  Location failover time causes disruption for a few seconds and may affect location failover or failback test.

  Workaround: None.

• Issue 2636420: The transport node profile is applied on a cluster on which "remove nsx" is called after backup.

  Hosts are not in prepared state but the transport node profile is still applied at the cluster.

  Workaround: After a restore, run "Remove NSX" on the cluster again to achieve the state that was present after backup (not configured state).

• Issue 2687084: After upgrade or restart, the Search API may return 400 error with Error code 60508, "Re-creating indexes, this may take some time."

  Depending on the scale of the system, the Search API and the UI are unusable until the re-indexing is complete.

  Workaround: None.

• Issue 2782010: Policy API allows change vdr_mac/vdr_mac_nested even when "allow_changing_vdr_mac_in_use" is false.

  VDR MAC will be updated on TN even if allow_changing is set to false. Error is not thrown.

  Workaround: Change the VDR MAC back to the old value if you did not intend for the field to change.

• Issue 2791490: Federation: Unable to sync the objects to standby Global Manager (GM) after changing standby GM password.

  Cannot observe Active GM on the standby GM's location manager, either any updates from the Active GM.

  Workaround: Request a force sync on the standby GM's UI.

• Issue 2799371: IPSec alarms for L2 VPN are not cleared even though L2 VPN and IPSec sessions are up.

  No functional impact except that unnecessary open alarms are seen.

  Workaround: Resolve alarms manually.

• Issue 2838613: For ESX version less than 7.0.3, NSX security functionality not enabled on VDS upgraded from version 6.5 to a higher version after security installation on the cluster.

  NSX security features are not enabled on the the VMs connected to VDS upgraded from 6.5 to a higher version (6.6+) where NSX Security on vSphere DVPortgroups feature is supported.

  Workaround: After VDS is upgraded, reboot the host and power on the VMs to enable security on the VMs.

• Issue 2839782: unable to upgrade from NSX-T 2.4.1 to 2.5.1 because CRL entity is large, and Corfu imposes a size limit in 2.4.1, thereby preventing the CRL entity from being created in the Corfu during upgrade.

  Unable to upgrade.

  Workaround: Replace certificate with a certificate signed by a different CA.

• Issue 2851991: IDFW fails if Policy Group with AD Group also has nested empty source group.

  IDFW fails if the Policy Group with AD Group has nested empty source group.

  Workaround: Remove the empty child group.

• Issue 2852419: Error message seen when Static route configured with non link-local IPv4/v6 next-hop having with multiple scope values.

  Static route API with non link-local next hop IP having multiple scope values configuration will be rejected.

  Workaround: Create multiple next hops instead of multiple scope values and make sure that each next hop has a different IP address.

• Issue 2853889: When creating EVPN Tenant Config (with vlan-vni mapping), Child Segments are created, but the child segment's realization status gets into failed state for about 5 minutes and recovers automatically.

  It will take 5 minutes to realize the EVPN tenant configuration.

  Workaround: None. Wait 5 minutes.

• Issue 2854139: Continuous addition/removal of BGP routes into RIB for a topology where Tier0 SR on edge has multiple BGP neighbors and these BGP neighbors are sending ECMP prefixes to the Tier0 SR.

  Traffic drop for the prefixes that are getting continuously added/deleted.

  Workaround: Add an inbound routemap that filters the BGP prefix which is in the same subnet as the static route nexthop.

• Issue 2864250: A failure is seen in transport node realization if Custom NIOC Profile is used when creating a transport node.

  Transport node is not ready to use.

  Workaround: Create the transport node with Default NIOC profile and then update it applying the custom NIOC profile.

• Issue 2866682: In Microsoft Azure, when accelerated networking is enabled on SUSE Linux Enterprise Server (SLES) 12 SP4 Workload VMs and with NSX Agent installed, the ethernet interface does not obtain an IP address.

  VM agent doesn't start and VM becomes unmanaged.

  Workaround: Disable Accelerated networking.

• Issue 2867243: Effective membership APIs for a Policy Group or NSGroup with no effective members does not return 'results' and 'result_count' fields in API response.

  There is no functional impact.

  Workaround: None.

• Issue 2868235: On Quick Start - Networking and Security dialog, visualization shows duplicate VDS when there are multiple PNICs attached to the same VDS.

  Visualization shows duplicate VDS. It may be difficult to find or scroll to the customize host switch section in case the focus is on the visualization graph.

  Workaround: For the scrolling issue, press the Tab key or move the mouse pointer outside of the visualization area and scroll to the customize switch configuration section.

• Issue 2870085: Security policy level logging to enable/disable logging for all rules is not working.

  You will not be able to change the logging of all rules by changing "logging_enabled" of security policy.

  Workaround: Modify each rule to enable/disable logging.

• Issue 2870529: Runtime information for Identify Firewall (IDFW) not available if not exact case of netbios name is used when AD domain is added.

  You cannot easily and readily obtain IDFW current runtime information/status. Current active logins cannot be determined.

  Workaround: Edit the domain in question and fix the netbios name. Once changes are applied, all future IDFW events will be reported correctly.

• Issue 2870645: In response of /policy/api/v1/infra/realized-state/realized-entities API, 'publish_status_error_details' shows error details even if 'publish_status' is a "SUCCESS" which means that the realization is successful.

  There is no functional impact.

  Workaround: None.

• Issue 2871585: Removal of host from DVS and DVS deletion is allowed for DVS versions less than 7.0.3 after NSX Security on vSphere DVPortgroups feature is enabled on the clusters using the DVS.

  You may have to resolve any issues in transport node or cluster configuration that arise from a host being removed from DVS or DVS deletion.

  Workaround: None.

• Issue 2874236: After upgrade, if you re-deploy only one Public Cloud Gateway (PCG) in a HA pair, the older HA AMI/VHD build is re-used.

  This happens only post upgrade in the first redeployment of PCGs.

  Workaround: Provide the right AMI or VHD post upgrade via API.

• Issue 2875385: When a new node joins the cluster, if local users (admin, audit, guestuser1, guestuser2) were renamed to some other name, these local user(s) may not be able to log in.

  Local user is not able to log in.

  Workaround: There are two workarounds.

  • Workaround 1: Rename the user back to anything and then back to the desired name.

  • Workaround 2: If you are unable to rename the users, restart the NSX Manager.

• Issue 2848614: When joining an MP to an MP cluster where publish_fqdns is set on the MP cluster and where the forward or reverse lookup entry missing in external DNS server or dns entry missing for joining node, forward or reverse alarms are not generated for the joining node.

  Forward/Reverse alarms are not generated for the joining node even though forward/reverse lookup entry is missing in DNS server or dns entry is missing for the joining node.

  Workaround: Configure the external DNS server for all Manager nodes with forward and reverse DNS entries.

• Issue 2719682: Computed fields from Avi controller are not synced to intent on Policy resulting in discrepancies in Data shown on Avi UI and NSX-T UI.

  Computed fields from Avi controller are shown as blank on the NSX-T UI.

  Workaround: App switcher to be used to check the data from Avi UI.

• Issue 2747735: Post restore, VIP connectivity is broken due to network compatibility issues.

  While restoring backup, customers can update VIP before the “AddNodeToCluster" step.

  [Enter the workaround, if any, else state “None”] Restore typically pauses at the step “AddNodeToCluster” where the user is asked to add additional manager nodes. at that step a. first remove/update VIP to use a new IP from the ‘systems/appliances UI’ page. and b. add additional nodes to a restored 1-node cluster once VIP is corrected.

• Issue 2816781: Physical servers cannot be configured with a load-balancing based teaming policy as they support a single VTEP.

  You won't be able to configure physical servers with a load-balancing based teaming policy.

  Workaround: Change the teaming policy to a failover based teaming policy or any policy having a single VTEP.

• Issue 2856109: Adding 2000th pool member will error out for limit if Avi controller version is 21.1.2.

  Avi Controller 21.1.2 allows 1999 pool members instead of 2k pool members.

  Workaround: Use Avi controller version to 20.1.7 or 21.1.3.

• Issue 2862418: The first packet could be lost in Live Traffic Analysis (LTA) when configuring LTA to trace the exact number of packets.

  You cannot see the first packet trace.

  Workaround: None.

• Issue 2864929: Pool member count is higher when migrated from NSX for vSphere to Avi Load Balancer on NSX-T Data Center.

  You will see a higher pool member count. Health monitor will mark those pool members down but traffic won't be sent to unreachable pool members.

  Workaround: None.

• Issue 2865273: Advanced Load Balancer (Avi) search engine won't connect to Avi Controller if there is a DFW rule to block ports 22, 443, 8443 and 123 prior to migration from NSX for vSphere to NSX-T Data Center.

  Avi search engine is not able to connect to the Avi Controller.

  Workaround: Add explicit DFW rules to allow ports 22, 443, 8443 and 123 for SE VMs or exclude SE VMs from DFW rules.

• Issue 2866885: Event log scrapper (ELS) requires the NetBIOS name configured in AD domain to match that in AD server.

  User login will not be detected by ELS.

  Workaround: Change the NetBIOS name to match that in AD server.

• Issue 2868944: UI feedback is not shown when migrating more than 1,000 DFW rules from NSX for vSphere to NSX-T Data Center, but sections are subdivided into sections of 1,000 rules or fewer.

  UI feedback is not shown.

  Workaround: Check the logs.

• Issue 2878030: Upgrade orchestrator node for Local Manager site change is not showing notification.

  If the orchestrator node is changed after the UC is upgraded and you continue with the UI workflow by clicking any action button (pre-check, start, etc.), you will not see any progress on the upgrade UI. This is only applicable if the Local Manager Upgrade UI is accessed in the Global Manager UI using site switcher.

  Workaround: Go to the Local Manager for that site and continue the upgrade to see the expected notification.

• Issue 2878325: In the Inventory Capacity Dashboard view for Manager, “Groups Based on IP Sets” attribute count doesn’t include Groups containing IP Addresses that are created from Policy UI.

  In the Inventory Capacity Dashboard view for Manager, the count for “Groups Based on IP Sets” is not correctly represented if there are Policy Groups containing IP Addresses.

  Workaround: None.

• Issue 2879133: Malware Prevention feature can take up to 15 minutes to start working.

  When the Malware Prevention feature is configured for the first time, it can take up to 15 minutes for the feature to be initialized. During this initialization, no malware analysis will be done, but there is no indication that the initialization is occurring.

  Workaround: Wait 15 minutes.

• Issue 2879734: Configuration fails when same self-signed certificate is used in two different IPsec local endpoints.

  Failed IPsec session will not be established until the error is resolved.

  Workaround: Use unique self-signed certificate for each local endpoint.

• Issue 2879979: IKE service may not initiate new IPsec route based session after "dead peer detection" has happened due to IPsec peer being unreachable.

  There could be outage for specific IPsec route based session.

  Workaround: Enable/disable on IPsec session can resolve the problem.

• Issue 2881281: Concurrently configuring multiple virtual servers might fail for some.

  Client connections to virtual servers may time out.

  Workaround: Run the following API to re-trigger logical router workflow.

  https://{ip}/api/v1/logical-routers/<id>? action=reprocess

• Issue 2881471: Service Deployment status not getting updated when deployment status switches from failure to success.

  You may see that Service Deployment status remains in Down state forever along with the alarm that was raised.

  Workaround: Use the service deployment status API to check the status.

  API: https://{{nsx-mgr-ip}}/api/v1/serviceinsertion/services/{{service-id}}/service-deployments/{{service-deployment-id}}/status

• Issue 2882070: NSGroup members and criteria is not displayed for global groups in Manager API listing.

  No functional impact.

  Workaround: View the global group definitions via Policy API on Local Manager.

• Issue 2882769: Tags on NSService and NSServiceGroup objects are not carried over after upgrading to NSX-T 3.2.

  There is no functional impact on NSX as Tags on NSService and NSServiceGroup are not being consumed by any workflow. There may be an impact on external scripts that have workflows that rely on Tags on these objects.

  Workaround: After upgrading to NSX-T 3.2, missing tags can be added to NSService and NSServiceGroup by updating the entities.

• Issue 2884939: NSX rate limiting 100 req per second is hit when migrating a large number of Virtual Services from NSX for vSphere to NSX-T ALB and all APIs are blocked for some time.

  NSX-T Policy API results in error: Client 'admin' exceeded request rate of 100 per second (Error code: 102) for some time after migrate config is hit in migration.

  Workaround: Update Client API rate limit to 200 requests per second.

• Issue 2792485: NSX manager IP is shown instead of FQDN for manager installed in vCenter.

  NSX-T UI Integrated in vCenter shows NSX manager IP instead of FQDN for installed manager.

  Workaround: None.

• Issue 2884518: Incorrect count of VMs connected to segment on Network topology UI after upgrading an NSX appliance to NSX-T 3.2.

  You will see incorrect count of VM connected to Segment on Network Topology. However, actual count of VMs associated with the Segment will be shown when you expand the VM's node.

  Workaround:

  1. Log in to NSX appliance in engineering mode.

  2. Run the command: curl -XDELETE http://localhost:9200/topology_manager

• Issue 2874995: LCores priority may remain high even when not used, rendering them unusable by some VMs.

  Performance degradation for "Normal Latency" VMs.

  Workaround: There are two options.

  • Reboot the system.

  • Remove the high priority LCores and then recreate them. They will then default back to normal priority LCores.

• Issue 2772500: Enabling Nested overlay on ENS can result in PSOD.

  Can result in PSOD.

  Workaround: Disable ENS.

• Issue 2832622: IPv6 ND Profile not taking affect after being edited or changed.

  The network will still refer to the old NDRA profile.

  Workaround: Restart ccp to update IPv6 ND profile.

• Issue 2840599: MP Normalization API gives INVALID_ARGUMENT error.

  Poor UI experience.

  Workaround: None.

• Issue 2844756: Segment deletion fails with an error.

  You won't be able to delete the segment.

  Workaround: Force delete the ports attached to the segment.

  1. Fetch all the logical ports connected to that segment using the following API. For example, for PolicySegment01.

     GET : https://<NSX MANAGER IP>/policy/api/v1/infra/segments/PolicySegment01/ports

  2. For each logical port listed in above call, make the following call.

     DELETE : https://<NSX MANAGER IP>/api/v1/logical-ports/<LOGICAL PORT UUID>?detach=true

  Once all ports attached are deleted, the Segment can be deleted.

• Issue 2866751: Consolidated effective membership API does not list static IPs in the response for a shadow group.

  No functional or datapath impact. You will not see the static IPs in the GET consolidated effective membership API for a shadow group. This is applicable only for a shadow group (also called reference groups).

  Workaround: Check the consolidated effective membership of a shadow group on its original site.

• Issue 2869356: Error is displayed on Management Plane when you click the "Overview" tab for an NSGroup with IPSet members.

  Poor user experience.

  Workaround: None.

• Issue 2872658: After Site-registration, UI displays an error for “Unable to import due to these unsupported features: IDS”.

  There is no functional impact. Config import is not supported in NSX-T 3.2.

  Workaround: Remove IDS config from Local Manager and retry registration.

• Issue 2877628: When attempting to install Security feature on an ESX host switch VDS version lower than 6.6, an unclear error message is displayed.

  The error message is shown via the UI and API.

  Workaround: Use VDS version greater than or equal to 6.6 on ESX to install NSX security.

• Issue 2877776: "get controllers" output may show stale information about controllers that are not the master when compared to the controller-info.xml file.

  This CLI output is confusing.

  Workaround: Restart nsx-proxy on that TN.

• Issue 2879119: When a virtual router is added, the corresponding kernel network interface does not come up.

  Routing on the vrf fails. No connectivity is established for VMs connected through the vrf.

  Workaround: Restart the dataplane service.

• Issue 2881168: LogicalPort GET API output is in expanded format "fc00:0:0:0:0:0:0:1" as compared to previous format "fc00::1".

  LogicalPort GET API output in NSX-T 3.2 is in expanded format "fc00:0:0:0:0:0:0:1" as compared to NSX-T 3.0 format "fc00::1".

  Workaround: None.

• Issue 2882822: Temporary IPSets are not added to SecurityGroups used in EDGE Firewall rules / LB pool members during NSX for vSphere to NSX-T config migration.

  During migration, there may be a gap until the VMs/VIFs are discovered on NSX-T and are a part of the SGs to which they are applicable to via static/dynamic memberships. This can lead to traffic being dropped or allowed contrary to the Edge Firewall rules in the period between the North/South Cutover (N/S traffic going through NSX-T gateway) until the end of the migration.

  Workaround: Add a fake DFW rule in which the source / destination contains all the Security Groups consumed in the Edge FW. Another option is to move Edge Firewall rules source and destination to IPsets before the migration.

• Issue 2884070: If there is a mismatch of MTU setting between NSX-T edge uplink and peering router, OSPF neighbor-ship gets stuck in Exstart state. During NSX for vSphere to NSX-T migration, the MTU is not automatically migrated so a mismatch can impact dataplane during North/South Edge cutover.

  OSPF adjacency is stuck in Exstart state.

  Workaround: Manually configure matching MTU on OSPF neighbor interfaces before doing Edge cutover.

• Issue 2884416: Load balancer status cannot be refreshed timely.

  Wrong load balancer status.

  Workaround: Stop load balancer stats collection.

• Issue 2885009: Global Manager has additional default Switching Profiles after upgrade.

  No functional impact.

  Workaround: You are not expected to use the default Switching Profiles starting with the prefix "nsx-default".

• Issue 2885248: For InterVtep scenario, if EdgeVnics are connected to NSX Portgroups (irrespective of vlan on Edge VM and ESX Host), the north-south traffic between workloads VMs on the ESX and the Edge stops working as ESX drops packets that are destined for the Edge VTEP.

  Workaround: Update EdgeTN by disconnecting the Segments from its interfaces and re-connecting them.

• Issue 2885330: Effective member not shown for AD group.

  Effective members of AD group not displayed. No datapath impact.

  Workaround: None.

• Issue 2885552: If you have created an LDAP Identity Source that uses OpenLDAP, and there is more than one LDAP server defined, only the first server is used.

  If the first LDAP server becomes unavailable, authentication fails, instead of trying the rest of the configured OpenLDAP server(s).

  Workaround: If it is possible to place a load balancer in front of the OpenLDAP servers and configure NSX with the virtual IP of the load balancer, you can have high availability.

• Issue 2886210: During restore, if the VC is down, a Backup/Restore dialog will appear telling the user to ensure that VC is up and running, however the IP address of the VC is not shown.

  the IP address of the VC is not shown during Restore for VC connectivity.

  Workaround: Check that all registered VCs are running before proceeding to the next restore step.

• Issue 2886971: Groups created on Global Manager are not cleaned up post delete. This happens only if that Group is a reference group on a Local Manager site.

  No functional impact; however, you cannot create another Group with the same policypath as the deleted group.

  Workaround: None.

• Issue 2887037: Post Manager to Policy object promotion, NAT rules cannot be updated or deleted.

  This happens when NAT rules are created by a PI (Principal Identity) user on Manager before promotion is triggered. PI user created NAT rules cannot be updated or deleted post Manager to Policy object promotion.

  Workaround: NAT rules with the same configuration can be created with a non-protected user like "admin" before Manager to Policy object promotion.

• Issue 2888207: Unable to reset local user credentials when vIDM is enabled.

  You will be unable to change local user passwords while vIDM is enabled.

  Workaround: vIDM configuration must be (temporarily) disabled, the local credentials reset during this time, and then integration re-enabled.

• Issue 2889748: Edge Node delete failure if redeployment has failed. Delete leaves stale intent in system which gets displayed on UI.

  Though Edge VM will be deleted, stale edge intent and internal objects will be retained in the system and delete operation will be retried internally. No functionality impact as Edge VMs are deleted and only intent has stale entries.

  Workaround: None.

• Issue 2875962: Upgrade workflow for Cloud Native setups is different from NSX-T 3.1 to NSX-T 3.2.

  Following the usual workflow will erase all CSM data.

  Workaround: The upgrade requires VMware assistance. Contact VMware Support.

• Issue 2888658: Significant performance impact in terms of connections per second and throughput observed on NSX-T Gateway Firewall when Malware Detection and Sandboxing feature is enabled.

  Any traffic subject to malware detection experiences significant latencies and possibly connection failures. When malware detection is enabled on the gateway, it will also impact L7FW traffic causing latencies and connection failures.

  Workaround: Limit the amount of traffic that is subject to malware detection by writing IDS rules that match only a small subsection of the traffic.

• Issue 2882574: Blocked 'Brownfield Config Onboarding' APIs in NSX-T 3.2.0 release as the feature is not fully supported.

  You will not be able to use the 'Brownfield Config Onboarding' feature.

  Workaround: None.

• Issue 2890348: Renaming the default VNI pool causes inconsistent VNI pool when upgrading to NSX-T 3.2.

  VNI allocation and related operations may fail.

  Workaround: Prior to upgrading to NSX-T 3.2, rename the default VNI pool to DefaultVniPool using the API PUT https://{{url}}/api/v1/pools/vni-pools/<vni-pool-id>.

• Issue 2885820: Missing translations for some IP addresses for IP range starting with 0.0.0.0.

  NSGroup with IP range starting with 0.0.0.0 (for example, "0.0.0.0-255.255.255.0"), has translation issues (missing 0.0.0.0/1 subnet).

  NSGroup with IP range "1.0.0.0-255.255.255.0" are unaffected.

  Workaround: To configure groups with IP range starting with 0.0.0.0, manually add 0.0.0.0/1 in the group configuration.

• Issue 2871440: Workloads secured with NSX Security on vSphere dvPortGroups lose their security settings when they are vMotion to a host connected to a NSX Manager that is down.

  For clusters installed with the NSX Security on vSphere dvPortGroups feature, VMs that are vMotion to hosts connected to a downed NSX Manager do not have their DFW and security rules enforced. These security settings are re-enforced when connectivity to NSX Manager is re-established.

  Workaround: Avoid vMotion to affected hosts when NSX Manager is down. If other NSX Manager nodes are functioning, vMotion the VM to another host that is connected to a healthy NSX Manager.

• Issue 2945515: NSX tools upgrade in Azure can fail on Redhat Linux VMs.

  By default, NSX tools is installed on the /opt directory. However, during NSX tools installation, the default path can be overwritten with the "--chroot-path" option passed to the install script.

  Insufficient disk space on the partition where NSX tools is installed can cause the NSX tools upgrade to fail.

  Workaround: None.

• Issue 2875563: Delete IN_PROGRESS LTA session may cause PCAP file leak.

  The PCAP file will leak if a LTA is deleted with PCAP action when the LTA session state is "IN_PROGRESS". This may cause the /tmp partition of the ESXi to be full.

  Workaround: Clearing the /tmp partition may help.

• Issue 2875667: Downloading the LTA PCAP file results in error when the NSX /tmp partition is full.

  The LTA PCAP file cannot be downloaded due to the /tmp partition being full.

  Workaround: Clearing the /tmp partition may help.

• Issue 2883505: PSOD on ESXi hosts during NSX V2T migration.

  PSOD (Purple Screen of Death) on multiple ESXi hosts during V2T migration. This results in a datapath outage.

  Workaround: None.

• Issue 2914934: DFW rules on dvPortGroups are lost after migrating NSX-V to NSX-T.

  After a NSX-V to NSX-T migration, any workload that is still connected to vSphere dvPortGroup will not have DFW configuration.

  Workaround: After a NSX-V to NSX-T migration, VLAN segments are configured having an identical DFW configuration. Use the VLAN segments instead of the dvPortGroups.

  Another workaround is to uninstall NSX-V and then install NSX-T in security-only mode. You can then use workloads on existing dvPortGroups.

• Issue 2921704: Edge Service CPU may spike due to nginx process deadlock when using L7 load balancer with ip-hash load balancing algorithm.

  The backend servers behind the load balancer cannot be connected to.

  Workaround: Switch to the L4 engine to remediate the issue. If you want to keep using the L7 load balancer, change the load balancing algorithm to round-robin instead of ip-hash.

• Issue 2933905: Replacing an NSX-T Manager results in transport nodes losing connection to the controller.

  Adding or removing a node in the Manager cluster can result in some transport nodes losing controller connectivity.

  Workaround: Restart the nsx proxy service on impacted transport nodes anytime a Manager is added or removed from the management cluster. This will repopulate controller-info.xml and allow the controller connection to come up.

• Issue 2927442: Traffic sometimes hits the default deny DFW rule on VMs across different hosts and clusters since the NSX-T 3.2.0.1 upgrade.

  Some PSOD issues occurred after the NSX for vSphere migration to NSX-T 3.1.3. Therefore, it was recommended to upgrade to 3.2.0.1. However, since then the hosts do not apply the Distributed Firewall rules consistently. Different hosts match different rules, which are not consistent and not expected.

  Workaround:

  - If the above exception is seen on a specific controller it can be rebooted to temporarily resolve the issue.

  - Also, if the issue is impacting DFW, any/any allow rules can be created at the top of the rules list to bypass unwanted block rules getting hit.

• Issue 2937810: The datapath service fails to start and some Edge bridge functions (for example, Edge bridge port) do not work.

  If Edge bridging is enabled on Edge nodes, the Central Control Plane (CCP) sends the DFW rules to the Edge nodes, which should only be sent to host nodes. If the DFW rules contain a function which is not supported by the Edge firewall, the Edge nodes cannot handle the unsupported DFW configuration, which causes the datapath to fail to start.

  Workaround: Remove or disable the DFW rules, which are not supported by the Edge firewall.