What's New

Feature Deprecation

API Deprecation and Behavior Changes

Compatibility and System Requirements

Upgrade Notes for This Release

API and CLI Resources

Available Languages

Document Revision History

Resolved Issues

• Fixed Issue 2852146: When both the access token and the refresh token are expired at the same time when using vIDM, the first request will fail with a 403 error even with correct credentials.

  After the refresh token expires, attempting to create a new session will first be met with a 403 error. Subsequent attempts will succeed.

• Fixed Issue 2914689: When there is an exception during host unprep, host remains in an uninstalling state.

  The host remains in uninstalling state on the UI. DB record updating also does not happen.

• Fixed Issue 2920857: TCP MSS of SYN packets leaving T0 uplinks is not being correctly calculated from interface MTU.

  PMTU is forwarded to the Linux properly but mss is not changed due to the asymmetric forwarding path on the Linux side. The ICMP error message (mtu too big) is not forwarded to the Linux kernel.

• Fixed Issue 2932398: If a trunk segment has a large VLAN range and is attached to a VRF access port, the trunk logical router port on T0 fails to get realized die to VLAN conflict.

  If a trunk segment has a large VLAN ranges and is attached to a VRF’s access port, the trunk logical router port on T0 is failed to be realized due to VLAN conflict. T0 is then stuck in failed status. Later the deletion of VRF still fails to delete the realization entity of the trunk logical router port due to a timing issue. This causes that T0 stuck in failed status.

• Fixed Issue 2937981: NSX reinstallation on ESXi stops at 96%.

  The transport node realization progress on the UI shows 96%. The deployment_progress_state through the transport node state API reflects this as well.

• Fixed Issue 2946589: ESXi hosts reported "UNKNOWN" state in NSX and VMs lost networking.

  1. ESXi Host reported "UNKNOWN" status in NSX UI (NSX controller status showed not available)

  2. VMs lost networking after migrating to this host

  3. VMs ports could be in a blocked state

• Fixed Issue: 2957417: MP UI is not showing the correct route-map with AS-PATH prepend format of because of Model to Dto conversion.

  MP UI is not showing the correct route-map with AS-PATH prepend format. It is not showing to AS PLAIN or DOTTED format.

• Fixed Issue 2966210: Message of the day in CLI is not accepting special characters.

  Customer was trying to set the motd (message of the day) with a special character. It was showing the below error.API [ PUT https://<nsx-mgr>/api/v1/node ] ("error_code": 36102, "error_message": "Error setting message of the day.", "module_name": "node-services”).

• Fixed Issue 2880193: DHCP relay failing to provide IPv6 addresses from DHCPv6 server.

• Fixed Issue 2921515: Random traffic interruption due to dvfilter channel lockup.

  The dvfilter communication channel between kernel and userspace gets stuck after running traffic for some time. The result is that packets cannot be sent out afterwards.

• Fixed Issue 2928071: Force delete on the host does not work once the host and manager connection is down.

  The host remains in the manager DB and the user is unable to remove it.

• Fixed Issue: 2932465: Password printed in log.

  auth_password and priv_password printed in log.

• Fixed Issue 2937814: NSX API call fails to return overlay_id (VNI).

  There is an "Unable to find layer 2 id for segment" error. Unable to extend the L2 network.

• Fixed Issue 2946392: The hanging nslookup command blocked FQDN lookup metrics collector in SHA.

  FQDN lookup metrics collector in SHA executed nslookup command to collect info. It was blocked to wait for the hanging command. The former FQDN lookup alarm hadn't been removed till the hanging commands terminated.

• Fixed Issue 2949077: Certificate pre-check is failing during upgrade.

  During pre-check a list of certificates are marked invalid and need to be replaced

• Fixed Issue 2950628: NSX manager loses connectivity with ESXi host after host upgrade.

  After multi-hop upgrade of ESXi host from 6.7 u3 --> 7.0 u3c--> 7.0 u3d,the host is not responding and connectivity with NSX manager is lost. If we try to create vmk port then we get following error: "unable to add vmkernel network interface: Error was: unable to get node: not implemented"

• Fixed Issue 2951440: MP MTU value set by the user was overwritten by PolicyDefault MTU value of 1500 on upgrade and restart of the policy manager.

  Post Upgrade Service Uplink MTU settings are not getting applied to the CGW segments.

• Fixed Issue 2954926: PSOD after vMotion of VMs in an environment with sink port (primarily HCX environment) connected to vSphere DVPG and MAC learning enabled ports in the same DVS (either from NSX or vSphere).

• Fixed Issue 2957476: Out of order packets incoming to nsx-idps are silently dropped.

  Out of order packets incoming to nsx-idps are silently dropped, resulting in drop count per profile incrementing.

• Fixed Issue 2958252: VDS IPFIX does not function with NSX installed.

  Collector does not receive correctly sampled flows by VDS IPFIX.

• Fixed Issue 2958765: Handle non-existing cluster gracefully.

  When policy API enables or disables IDFW on a non-existing cluster, a null pointer error will occur. This needs to be handled gracefully.

• Fixed Issue 2958808: PSOD was observed in the process of changing IPFIX configuration.

  The host will not be responsive after PSOD.

• Fixed Issue 2961029: NSX Manager upgrade retry operation shrinks corfu database and keep it in same state even after successful upgrade.

  Corfu database is in shrink state even after successful upgrade.

• Fixed Issue 2966254: The edge dp coredump is seen when both control prior and service core are enabled.

• Fixed issue 2971114: Loss of connection to Edge due to datapath refcount issue.

  Loss of connection to the Edge, and the following logs seen in syslog: "PAX: refcount overflow detected" "PAX: refcount error occurred at: scsi_sanitize_inquiry_string+0xc4/0x106 [smartpqi]".

• Fixed Issue 2982579: Realization of DFW Rule containing Pure AD Policy Groups fails after upgrade to 3.2.1 , if the DFW Rule is updated after upgrade.

  Realization failure of DFW Rule containing Pure AD Groups.

• Fixed Issue 2974706: Controller failed to join cluster due to failure in re-sync with replication service upon service restart.

  Controller failed to join cluster due to failure in re-sync with replication service upon service restart.

• Fixed Issue 2990847: Cross-site route sync for stretched Tier0 gateway didn't resume when interfaces were re-created after deleting all the interfaces on the edge nodes of one site.

  When Tier0 is stretched to more than one, it establishes sessions over internal routing backplane between Tier0 service router. These remote IBGP session remains in connect state.

• Fixed Issue 2930824: vRA edges from old setup were probably not cleaned properly. Those edges were causing connectivity issue because they were not getting populated in vra_input.json.

  vRA makes a connection from VCenter and not from NSX-V. So these stale edges had connections made from VCenter. Those were not getting identified during migration

• Fixed Issue 3006369: MPS feature activation fails because of missing license information in platform-licenses configmap.

  1) Common agent updates the configmap "platform-licenses" on platform install. This contains license information and is a pre-requisite for reputation service to function correctly.

  2) In some instances, common agent fails to update the correct license information and hence, the CrashLoopBackOff errors in reputation-service.

• Fixed Issue 2964713: Rules with more than 15 ports are allowed to publish only to fail in later stages.

  Customer may not know that the rule fails to publish / realize out of this reason.

• Fixed issue 2964752: Page leak in shared memory setup by dvfilter library for vDPI.

  1. When packets needs to be dropped from vDPI, due to internal queue being full or TxRing is full, it drops them via IOCTL provided by dvfilter library 2. At high rate, IOCTL can fail and lead to page(associated with packets) leak.

  3. As number of page leaks increase, temporary or permanent traffic loss will be observed If all pages are leaked, then packets cannot be sent from vmkernel to VDPI and leads to traffic loss.

• Fixed Issue 2994665: Unable to delete T0 Gateway and its interfaces.

  Customer was using troubleshooting API to delete interfaces. This failed because of an incorrect request parameter.

• Fixed Issue 2969847: Incorrect DSCP priority.

  DSCP priority from a custom QoS profile is not propagated to host when the value is 0, resulting in traffic prioritization issues.

• Fixed Issue 2879979: IKE service may not initiate new IPsec route based session after "dead peer detection" has happened due to IPsec peer being unreachable.

  There could be outage for specific IPsec route based session.

• Fixed Issue 2879734: Configuration fails when same self signed certificate is used in two different IPsec local endpoints.

  "Configuration failed" error is seen for the second IPsec session using the same self signed certificate

• Fixed Issue 2816781: Physical servers cannot be configured with a load-balancing based teaming policy as they support a single VTEP.

  TransportNode installation will go in a failure state. You won't be able to configure physical servers with a load-balancing based teaming policy.

• Fixed Issue 2879119: When a virtual router is added, the corresponding kernel network interface does not come up.

  Routing on the vrf fails. No connectivity is established for VMs connected through the vrf.

• Fixed Issue 2874995: LCores priority may remain high even when not used, rendering them unusable by some VMs.

  Performance degradation for "Normal Latency" VMs.

• Fixed Issue 2854139: Continuous addition/removal of BGP routes into RIB for a topology where Tier0 SR on edge has multiple BGP neighbors and these BGP neighbors are sending ECMP prefixes to the Tier0 SR.

  Traffic drop for the prefixes that are getting continuously added/deleted.

• Fixed Issue 2839782: Unable to upgrade from NSX-T 2.4.1 to 2.5.1 because CRL entity is large, and Corfu imposes a size limit in 2.4.1, thereby preventing the CRL entity from being created in the Corfu during upgrade.

  Unable to upgrade.

• Fixed Issue 2561988: All IKE/IPSEC sessions are temporarily disrupted.

  Traffic outage will be seen for some time.

• Fixed Issue 2945515: NSX tools upgrade in Azure can fail on Redhat Linux VMs.

  By default, NSX tools are installed on /opt directory. However, during NSX tools installation default path can be overridden with "--chroot-path" option passed to the install script.

  Insufficient disk space on the partition where NSX tools is installed can cause NSX tools upgrade to fail.

Known Issues

• Issue 2663483: The single-node NSX Manager will disconnect from the rest of the NSX Federation environment if you replace the APH-AR certificate on that NSX Manager.

  This issue is seen only with NSX Federation and with the single node NSX Manager Cluster. The single-node NSX Manager will disconnect from the rest of the NSX Federation environment if you replace the APH-AR certificate on that NSX Manager.

  Workaround: Single-node NSX Manager cluster deployment is not a supported deployment option, so have three-node NSX Manager cluster.

• Issue 3005685: When configuring an Open ID Connect connection as an NSX LM authentication provider, customers may encounter errors.

  OpenID Connect configuration produces errors on configuration.

  Workaround: None.

• Issue 2879133: Malware Prevention feature can take up to 15 minutes to start working.

  When the Malware Prevention feature is configured for the first time, it can take up to 15 minutes for the feature to be initialized. During this initialization, no malware analysis will be done, but there is no indication that the initialization is occurring.

  Workaround: Wait 15 minutes.

• Issue 2868944: UI feedback is not shown when migrating more than 1,000 DFW rules from NSX for vSphere to NSX-T Data Center, but sections are subdivided into sections of 1,000 rules or fewer.

  UI feedback is not shown.

  Workaround: Check the logs.

• Issue 2865273: Advanced Load Balancer (Avi) search engine won't connect to Avi Controller if there is a DFW rule to block ports 22, 443, 8443 and 123 prior to migration from NSX for vSphere to NSX-T Data Center.

  Avi search engine is not able to connect to the Avi Controller.

  Workaround: Add explicit DFW rules to allow ports 22, 443, 8443 and 123 for SE VMs or exclude SE VMs from DFW rules.

• Issue 2864929: Pool member count is higher when migrated from NSX for vSphere to Avi Load Balancer on NSX-T Data Center.

  You will see a higher pool member count. Health monitor will mark those pool members down but traffic won't be sent to unreachable pool members.

  Workaround: None.

• Issue 2719682: Computed fields from Avi controller are not synced to intent on Policy resulting in discrepancies in Data shown on Avi UI and NSX-T UI.

  Computed fields from Avi controller are shown as blank on the NSX-T UI.

  Workaround: App switcher to be used to check the data from Avi UI.

• Issue 2848614: When joining an MP to an MP cluster where publish_fqdns is set on the MP cluster and where the forward or reverse lookup entry missing in external DNS server or dns entry missing for joining node, forward or reverse alarms are not generated for the joining node.

  Forward/Reverse alarms are not generated for the joining node even though forward/reverse lookup entry is missing in DNS server or dns entry is missing for the joining node.

  Workaround: Configure the external DNS server for all Manager nodes with forward and reverse DNS entries.

• Issue 2871585: Removal of host from DVS and DVS deletion is allowed for DVS versions less than 7.0.3 after NSX Security on vSphere DVPortgroups feature is enabled on the clusters using the DVS.

  You may have to resolve any issues in transport node or cluster configuration that arise from a host being removed from DVS or DVS deletion.

  Workaround: None.

• Issue 2870085: Security policy level logging to enable/disable logging for all rules is not working.

  You will not be able to change the logging of all rules by changing "logging_enabled" of security policy.

  Workaround: Modify each rule to enable/disable logging.

• Issue 2866682: In Microsoft Azure, when accelerated networking is enabled on SUSE Linux Enterprise Server (SLES) 12 SP4 Workload VMs and with NSX Agent installed, the ethernet interface does not obtain an IP address.

  VM agent doesn't start and VM becomes unmanaged.

  Workaround: Disable Accelerated networking.

• Issue 2884939: NSX-T Policy API results in error: Client 'admin' exceeded request rate of 100 per second (Error code: 102).

  The NSX rate limiting of 100 requests per second is reached when we migrate a large number of VS from NSX for vSphere to NSX-T ALB and all APIs are temporarily blocked.

  Workaround: Update Client API rate limit to 200 or more requests per second.

  Note: There is fix on AVI version 21.1.4 release.

• Issue 2792485: NSX manager IP is shown instead of FQDN for manager installed in vCenter.

  NSX-T UI Integrated in vCenter shows NSX manager IP instead of FQDN for installed manager.

  Workaround: None.

• Issue 2888207: Unable to reset local user credentials when vIDM is enabled.

  You are unable to change local user passwords while vIDM is enabled.

  Workaround: vIDM configuration must be (temporarily) disabled, the local credentials reset during this time, and then integration re-enabled.

• Issue 2885330: Effective member not shown for AD group.

  Effective members of AD group not displayed. No datapath impact.

  Workaround: None.

• Issue 2877776: "get controllers" output may show stale information about controllers that are not the master when compared to the controller-info.xml file.

  This CLI output is confusing.

  Workaround: Restart nsx-proxy on that TN.

• Issue 2853889: When creating EVPN Tenant Config (with vlan-vni mapping), Child Segments are created, but the child segment's realization status gets into failed state for about 5 minutes and recovers automatically.

  It will take 5 minutes to realize the EVPN tenant configuration.

  Workaround: None. Wait 5 minutes.

• Issue 2690457: When joining an MP to an MP cluster where publish_fqdns is set on the MP cluster and where the external DNS server is not configured properly, the proton service may not restart properly on the joining node.

  The joining manager will not work and the UI will not be available.

  Workaround: Configure the external DNS server with forward and reverse DNS entries for all Manager nodes.

• Issue 2490064: Attempting to disable VMware Identity Manager with "External LB" toggled on does not work.

  After enabling VMware Identity Manager integration on NSX with "External LB", if you attempt to then disable integration by switching "External LB" off, after about a minute, the initial configuration will reappear and overwrite local changes.

  Workaround: When attempting to disable vIDM, do not toggle the External LB flag off; only toggle off vIDM Integration. This will cause that config to be saved to the database and synced to the other nodes.

• Issue 2355113: Workload VMs running RedHat and CentOS on Azure accelerated networking instances is not supported.

  In Azure when accelerated networking is enabled on RedHat or CentOS based OS's and with NSX Agent installed the ethernet interface does not obtain an IP address.

  Workaround: Disable accelerated networking for RedHat and CentOS based OS.

• Issue 2684574: If the edge has 6K+ routes for Database and Routes, the Policy API times out.

  These Policy APIs for the OSPF database and OSPF routes return an error if the edge has 6K+ routes: /tier-0s/<tier-0s-id>/locale-services/<locale-service-id>/ospf/routes /tier-0s/<tier-0s-id>/locale-services/<locale-service-id>/ospf/routes?format=csv /tier-0s/<tier-0s-id>/locale-services/<locale-service-id>/ospf/database /tier-0s/<tier-0s-id>/locale-services/<locale-service-id>/ospf/database?format=csv If the edge has 6K+ routes for Database and Routes, the Policy API times out. This is a read-only API and has an impact only if the API/UI is used to download 6k+ routes for OSPF routes and database.

  Workaround: Use the CLI commands to retrieve the information from the edge.

• Issue 2574281: Policy will only allow a maximum of 500 VPN Sessions.

  NSX claims support of 512 VPN Sessions per edge in the large form factor, however, due to Policy doing auto plumbing of security policies, Policy will only allow a maximum of 500 VPN Sessions. Upon configuring the 501st VPN session on Tier0, the following error message is shown: {'httpStatus': 'BAD_REQUEST', 'error_code': 500230, 'module_name': 'Policy', 'error_message': 'GatewayPolicy path=[/infra/domains/default/gateway-policies/VPN_SYSTEM_GATEWAY_POLICY] has more than 1,000 allowed rules per Gateway path=[/infra/tier-0s/inc_1_tier_0_1].'}

  Workaround: Use Management Plane APIs to create additional VPN Sessions.

• Issue 2838613: For ESX version less than 7.0.3, NSX security functionality not enabled on VDS upgraded from version 6.5 to a higher version after security installation on the cluster.

  NSX security features are not enabled on the the VMs connected to VDS upgraded from 6.5 to a higher version (6.6+) where NSX Security on vSphere DVPortgroups feature is supported.

  Workaround: After VDS is upgraded, reboot the host and power on the VMs to enable security on the VMs.

• Issue 2799371: IPSec alarms for L2 VPN are not cleared even though L2 VPN and IPSec sessions are up.

  No functional impact except that unnecessary open alarms are seen.

  Workaround: Resolve alarms manually.

• Issue 2584648: Switching primary for T0/T1 gateway affects northbound connectivity.

  Location failover time causes disruption for a few seconds and may affect location failover or failback test.

  Workaround: None.

• Issue 2491800: AR channel SSL certificates are not periodically checked for their validity, which could lead to using an expired/revoked certificate for an existing connection.

  The connection would be using an expired/revoked SSL.

  Workaround: Restart the APH on the Manager node to trigger a reconnection.

• Issue 2558576: Global Manager and Local Manager versions of a global profile definition can differ and might have an unknown behavior on Local Manager.

  Global DNS, session, or flood profiles created on Global Manager cannot be applied to a local group from UI, but can be applied from API. Hence, an API user can accidentally create profile binding maps and modify global entity on Local Manager.

  Workaround: Use the UI to configure system.

• Issue 2950206: CSM is not accessible after MPs are upgraded and before CSM upgrade.

  When MP is upgraded, the CSM appliance is not accessible from the UI until the CSM appliance is upgraded completely. NSX services on CSM are down at this time. It's a temporary state where CSM is inaccessible during an upgrade. The impact is minimal.

  Workaround: This is an expected behavior. You have to upgrade the CSM appliance to access CSM UI and ensure all services are running.

• Issue 2882154: Some of the pods are not listed in the output of "kubectl top pods -n nsxi-platform".

  The output of "kubectl top pods -n nsxi-platform" will not list all pods for debugging. This does not affect deployment or normal operation. For certain issues, debugging may be affected.  There is no functional impact. Only debugging might be affected.

  Workaround: There are two workarounds:

  • Workaround 1: Make sure the Kubernetes cluster comes up with version 0.4.x of the metrics-server pod before deploying NAPP platform. This issue is not seen when metrics-server 0.4.x is deployed.
  • Workaround 2: Delete the metrics-server instance deployed by the NAPP charts and deploy upstream Kubernetes metrics-server 0.4.x.

• Issue 2871440: Workloads secured with NSX Security on vSphere dvPortGroups lose their security settings when they are vMotioned to a host connected to an NSX Manager that is down.

  For clusters installed with the NSX Security on vSphere dvPortGroups feature, VMs that are vMotioned to hosts connected to a downed NSX Manager do not have their DFW and security rules enforced. These security settings are re-enforced when connectivity to NSX Manager is re-established.

  Workaround: Avoid vMotion to affected hosts when NSX Manager is down. If other NSX Manager nodes are functioning, vMotion the VM to another host that is connected to a healthy NSX Manager.

• Issue 2898020: The error 'FRR config failed:: ROUTING_CONFIG_ERROR (-1)' is displayed on the status of transport nodes.

  The edge node rejects a route-map sequence configured with a deny action that has more than one community list attached to its match criteria. If the edge nodes do not have the admin intended configuration, it results in unexpected behavior.

  Workaround: None

• Issue 2910529: Edge loses IPv4 address after DHCP allocation.

  After the Edge VM is installed and received an IP from DHCP server, within a short time it loses the IP address and becomes inaccessible. This is because the DHCP server does not provide a gateway, hence the Edge node loses IP.

  Workaround: Ensure that the DHCP server provides the proper gateway address. If not, perform the following steps:

  1. Log in to the console of Edge VM as an admin.
  2. Stop service dataplane.
  3. Set interface <mgmt intf> dhcp plane mgmt.
  4. Start service dataplane.

• Issue 2942900: The identity firewall does not work for event log scraping when Active Directory queries time out.

  The identity firewall issues a recursive Active Directory query to obtain the user's group information. Active Directory queries can time out with a NamingException 'LDAP response read timed out, timeout used: 60000 ms'. Therefore, firewall rules are not populated with event log scraper IP addresses.

  Workaround: To improve recursive query times, Active Directory admins may organize and index the AD objects.

• Issue 2958032: If you are using NSX-T 3.2 or upgrading to an NSX-T 3.2 maintenance release, the file type is not shown properly and is truncated at 12 characters on the Malware Prevention dashboard.

  On the Malware Prevention dashboard, when you click to see the details of the inspected file, you will see incorrect data because the file type will be truncated at 12 characters. For example, for a file with File Type as WindowsExecutableLLAppBundleTarArchiveFile, you will only see WindowsExecu as File Type on Malware Prevention UI.

  Workaround: Do a fresh NAPP installation with an NSX-T 3.2 maintenance build instead of upgrading from NSX-T 3.2 to an NSX-T 3.2 maintenance release.

• Issue 2954520: When Segment is created from policy and Bridge is configured from MP, detach bridging option is not available on that Segment from UI.

  You will not be able to detach or update bridging from UI if Segment is created from policy and Bridge is configured from MP.

  If a Segment is created from the policy side, you are advised to configure bridging only from the policy side. Similarly, if a Logical Switch is created from the MP side, you should configure bridging only from the MP side.

  Workaround: You need to use APIs to remove bridging:

  1. Update concerned LogicalPort and remove attachment

  PUT :: https://<mgr-ip>/api/v1/logical-ports/<logical-port-id> Add this to headers in PUT payload headers field -> X-Allow-Overwrite : true

  2. DELETE BridgeEndpoint

  DELETE :: https://<mgr-ip>/api/v1/bridge-endpoints/<bridge-endpoint-id>

  3. Delete LogicalPort

  DELETE :: https://<mgr-ip>/api/v1/logical-ports/<logical-port-id>

• Issue 2889482: The wrong save confirmation is shown when updating segment profiles for discovered ports.

  The Policy UI allows editing of discovered ports but does not send the updated binding map for port update requests when segment profiles are updated. A false positive message is displayed after clicking Save. Segments appear to be updated for discovered ports, but they are not.

  Workaround: Use MP API or UI to update the segment profiles for discovered ports.

• Issue 2919218: Selections made to the host migration are reset to default values after the MC service restarts.

  After the restart of the MC service, all the selections relevant to host migration such as enabling or disabling clusters, migration mode, cluster migration ordering, etc., that were made earlier are reset to default values.

  Workaround: Ensure that all the selections relevant to host migration are performed again after the restart of the MC service.

• Issue 2931403: Network interface validation prevents API users from performing updates.

  An Edge VM network interface can be configured with network resources such as port groups, VLAN logical switches, or segments that are accessible for specified compute and storage resources. Compute-Id regroup moref in intent is stale and no longer present in VC after a power outage (moref of resource pool changed after VC was restored).

  Workaround: Redeploy edge and specify valid moref Ids.