What's New

Feature and API Deprecations, Behavior Changes

Compatibility and System Requirements

Upgrade Notes for This Release

Available Languages

Document Revision History

Resolved Issues

• Fixed Issue 3180650: In medium edge, malloc heap exhaustion alarm is triggered in a new deployment.

  Alarm is observed in the manager UI, but there is no functional impact.

• Fixed Issue 3157441: Traffic bursts may cause TX drops in VM edge datapath.

  Packets are dropped when edge datapath attempts to transmit them.

• Fixed Issue 3308657: When creating firewall sections with very large number of rules, the create/delete rule API response is taking more than 30 minutes.

  This slowness causes 409/500 errors or slowness in API executions for PODS to come up.

• Fixed Issue 3240118: FirewallRule addition in FirewallSection takes longer time than expected to be realized on hosts or edge nodes.

  There will be a delay in rule realization to hosts.

• Fixed Issue 3098356: New tier-0 interface not created on edge node.

  New updates on tier-0 gateway will not get realized on edge node. For example, creation of new external interface.

• Fixed Issue 3279659: Not able to access GMs (Active/Standby) after NSX managers  were  upgraded to 4.0.x from 3.2.x in a Federation environment and one of the LM in that Federation environment is on 3.2.x.

  In a Federation environment, users will not be able to access GMs (Active/Standby) after NSX managers  were  upgraded to 4.0.x from 3.2.x.

• Fixed Issue 3282595: “nsx-cbm” user does not have write permissions for private keystore files  -> /config/cluster-manager/<service_name>/private.

  After upgrade to 4.1.1, permissions on private keystore files should get modified upon CBM restart but CBM init script did not update the permissions. If you replace (apply new cert) any CBM_* certificate, then the replacement operation will not finish due to the file permissions issue. If new CBM_MP cert was applied and cert replacement fails, then proton will not come up after restart as it will not be able to connect to Corfu due to SSL cert errors. Because of this issue, UI might become inaccessible with the manager IP when proton on that manager does not come up.

• Fixed Issue 3106689: VLAN Traceflow cannot automatically detect and replace the gateway MAC to destination MAC when the source and destination are in a different VLAN segment.

  You will see the exception, "Logical port does not support L3 logical routing and requires manually specifying L2 destination MAC of gateway."

• Fixed Issue 3100367: The alarm, "The service nsx-opsagent has been unresponsive for 10 seconds" appears intermittently.

  No functional impact.

• Fixed Issue 3097907: Opsagent core dump when DVS lib runs into invalid pointer problem.

  The core dump can interrupt the ongoing processes in opsagent, such as transport node installation, but the core dump can be recovered automatically.

• Fixed Issue 3053340: Unable to delete NAPP (NSX Application Platform) from NSX.

  Unable to delete NAPP when Helm repo is inaccessible. Helm repo access is required for all NAPP operations.

• Fixed Issue 3053507: Logging long messages causes "Message too long" exception when sent to socket().

  Logging exceptions will cause the migration operation to fail. This can be at any stage of the migration.

• Fixed Issue 3076708: Segment ports not created for VMs connected to one of the security enabled clusters when the connection between vCenter and NSX Manager is down.

  When connection between vCenter and NSX Manager is down and when the customer creates a Distributed Virtual Portgroup and attaches a VM to that Distributed Virtual Portgroup, the logical port creation fails as the logical switch is missing.

• Fixed Issue 3099061: NSX Public Cloud Gateway (PCG) deployment failed in Azure due to missing Mellanox NIC driver.

  Unable to deploy and use NSX PCG in Azure.

• Fixed Issue 3119522: Managing the network latency after Distributed Firewall is enabled.

  Some latency bound applications protected by Distributed Firewall might  experience disconnects or unintended behavior.

• Fixed Issue 3241202: Tier-1 CSP subnets stop getting advertised to the connected Tier-0 if the edge cluster of Tier-1 gateway is changed.

  North-South datapath will break for Tier-1 CSP subnets.

• Fixed Issue 3114135: Policy identity store configuration is not synced to manager.

  Some policy identity firewall configurations might be missed on manager. The Active Directory sync will not work.

• Fixed Issue 3240118: FirewallRule addition in FirewallSection takes longer time than expected to be realized on hosts or edge nodes.

  There will be a delay in rule realization to hosts.

• Fixed Issue 3229358: VLANs of Global Manager Segments (Segments which are attached to Default Overlay Transport Zone and doesn't have transport_zone_path property) don't get displayed in Default Overlay Transport Zone's VLAN field's helptext while editing Transport Zone.

  There will be an error from API on editing Default Overlay Transport Zone if you enter values which do not include VLAN values mentioned in the linked Global Manager Segment.

• Fixed Issue 3220511: Spoof guard profile and Switch security profile come from different MP profile messages. Updating them in different transaction causes CCP to lose the previous Spoof guard updates.

  The VM traffic is not blocked.

• Fixed Issue 3219930: VM loses connectivity to the network after vMotion.

  Network traffic will be down for the VMs that are affected by this issue.

• Fixed Issue 3219829: Baremetal edge software kernel panic.

  System does not come up.

• Fixed Issue 3215632: NSX 4.1.0 UI configures same quota limits for all projects having same prefix.

  Pre-configured quotas for Project in NSX 4.1.0 will apply to all the projects starting with same prefix.

• Fixed Issue 3213059: VDPI application coredump found.

  Brief disruption in L7 traffic processing.

• Fixed Issue 3092553: Connectivity issues to vCenter Public IP/FQDN from an allowlist source inside the SDDC.

  Unable to access the Public IP/FQDN of the SDDC vCenter from an allowlist source inside the SDDC as the route.

• Fixed Issue 3210494: After deployment of an XL Edge with 4K RX ring size, a datapath memory usage alarm might get raised.

  In the unlikely case that traffic is backed up on TX, there may be an insufficient number of buffers available for internal queuing.

• Fixed Issue 3185804: Host preparation gets stuck at 96%.

  Though all configurations are correctly pushed to the host, the transport node status never goes to success.

• Fixed Issue 3184792: IDPS engine process crashes with a mix of http and smb traffic.

  Detection/prevention functionality goes down for a short time.

• Fixed Issue 3182288: East/West multicast doesn’t work without enabling PIM on a tier-0 uplink in Active-Active.

  There is an inconsistency between Active-Active and Active-Standby requirements.

  When there is upgrade from Active-Standby to Active-Active, PIM needs to be enabled on the tier-0 uplink explicitly for East-West traffic to work.

• Fixed Issue 3167374: Orphan firewall rules due to discrepancies in handling overlapping database transactions under churn scenario.

  Unavailability of appliance (CCP) resulting in publishing failures of firewall rule.

• Fixed Issue 3165390: When a large number of FQDN Domain-IP mapping list is scrubbed, Purple Screen Of Death (PSOD) can happen on the ESXi host during vMotion.

  PSOD of ESXi host can disrupt the Distributed Firewall (DFW) rule enforcement on the traffic.

• Fixed Issue 3164468: NSX distributed firewall rules are lost after VMotion of a VM connected to DVPortgroup.

  Loss of distributed firewall configuration for some VMs in the NSX enabled cluster.

• Fixed Issue: PortDiscoveryProfileBindingMap entries are not cleaned up after deletion.

  There could be a memory exhaustion leading to java.lang.OutOfMemoryError. Proton service could be sluggish and UI may become inaccessible.

• Fixed Issue 3160287: When MON is configured, the src MAC of the packets routed/forwarded from Virtual Distributed Router (VDR) is not consistent.

  When the workload learns the gateway MAC through the SMAC, packets will not be successfully routed.

• Fixed Issue 3157430: Using node-profile in NSX Manager UI to update syslog settings triggers critical alerts (Edge Node settings mismatch) on edges.

  A false alarm is raised due to this issue.

• Fixed Issue 3152221: CCP fullsync with Corfu goes into error state after temporary disconnect and reconnect.

  Realization will fail due to this issue.

• Fixed Issue 3151615: BGP neighbor shows tier-0 interface's old IP as the source address even after changing the tier-0 external interface IP.

  Edge will unnecessarily try to connect to the BGP neighbor after changing the interface IP that is not reachable.

• Fixed Issue 3151441: After upgrading to NSX 4.1.0,  the UI is not accessible if the browser locale is set to non-English or to a locale not supported by NSX.

  The UI is not accessible if the browser locale is non-English or to a locale not supported by NSX.

• Fixed Issue 3117000: Compactor stops getting triggered leading to increased disk space.

  The NSX UI might become unresponsive.

• Fixed Issue 3114329: Intel QuickAssist Technology (QAT) is not coming up post bare metal NSX edge installation.

  Intel QuickAssist Technology (QAT) is a hardware accelerator technology designed to offload computationally intensive cryptographic and compression/decompression algorithms from the CPU to dedicated hardware. Because of this issue, Intel QAT cannot be used to improve the throughput performance of the VPN service with bare metal NSX edge.

• Fixed Issue 3110284: Unable to stretch tier-0 gateway.

  In Federation, if the span of gateway is extended by adding new location (whose ID starts with ID of already added location) then UI shows operation as successful. However, the gateway is not stretched and updated location under gateway is not visible.

• Fixed Issue 3110235: If interfaces are created on tier-0 on which multiple locations are selected, filtering does not work properly.

  Filtering in interfaces does not work.

• Fixed Issue 3110133: Bare Metal(BM) edge deployment_type is incorrectly reported as VIRTUAL_MACHINE in the response of API https://{{mp}}/api/v1/transport-node.

  Users consuming this API get incorrect information about deployment_type of Bare Metal(BM) edge.

• Fixed Issue 3109125: IDPS services crashes on one or more hosts in the cluster.

  The IDPS service automatically restarts after a crash. However, it would be unavailable briefly (a few seconds till it restarts) and the concerned traffic will not be subject to the IDPS inspection during this time.

• Fixed Issue 3108466: Upgrade pre-checks get stuck in the NSX 4.1.0 release for upgrades from NSX 3.2.x to NSX 4.1.0 and NSX 4.0.1 to NSX 4.1.0.

  Upgrade from 3.2.x to 4.1.0 and 4.0.1 to 4.1.0 might get stuck.

• Fixed Issue 3108202: User is able to delete default domain.

  User cannot add global groups and security policies.

• Fixed Issue 3106313: Emergency Edge Firewall policy/section is imported to Global Manager (GM) during Local Manager (LM) brownfield onboarding, which results in importing these rules from LM to GM. LM administrators cannot manage these rules on LM after importing them to GM.

  Local Manager administrators cannot modify or delete emergency rules from the LM after the emergency section is synced from GM to LM.

• Fixed Issue 3104775: Bare Metal(BM) edge deployment_type is incorrectly reported as VIRTUAL_MACHINE in the response of API https://{{mp}}/api/v1/transport-node.

  Users consuming this API get incorrect information about deployment_type of Bare Metal(BM) edge.

• Fixed Issue 3103168: Core dumps are observed on ESX transport node for opsAgent component.

  The "nsx-opsagent" application is getting crashed.

• Fixed Issue 3100990: Upgrade data migration from 3.2.0 or 3.2.0.1 to 4.1.0 will fail during pre-upgrade check if some tables are corrupted.

  The pre-upgrade check will fail at data migration step and block the subsequent actual upgrade.

• Fixed Issue 3100531: Regression in realization workflow for Firewall enable/disable settings due to introduction of custom project level firewall settings.

  Firewall Settings (also known as firewall enable/disable status) and Firewall Exclude List features are not correctly realized to hosts.

• Fixed Issue 3099343: Error message is not clear while updating the transport node with a non-existing transportzoneprofile.

  As error message is not clear, proper action cannot be taken while updating the transport node with a non-existing transportzoneprofile.

• Fixed Issue 3099338: In a Distributed Virtual Port Groups (DVPG) deployment, snooping-based IP discovery (ARP/ND/DHCP) remove all IPs once the storage vMotion is started. The discovered IPs will not recover until ARP/ND/DHCP packets are seen again.

  This issue occurs due to com.vmware.port.extraConfig.logicalPort.id getting cleared right after the storage vMotion is started. Discovered IPs can be consumed by Distributed Firewall and Spoofguard. Not having them might result in traffic outage and security issues. However, the issue should self recover in several minutes for ARP/ND snooping. For DHCP snooping, the issue should recover within the DHCP lease time.

• Fixed Issue 3098264: Application nsx-cfgagent crashed on ESX hosts.

  The application crashed alarm for nsx-cfgagent will be seen. The process restarts immediately and there is no disruption to datapath.

• Fixed Issue 3097029: Mixed case Domain Names are allowed to be configured in L7 profiles of FQDN rules but the DNS server will provide the domain name in lowercase and therefore the DFW FQDN rule actions are not applied correctly.

  DFW FQDN filtering does not work properly.

• Fixed Issue 3096363: Certificate list was not showing “Certificate Category”. Existing “Service Certificate”: “Yes/No” information does not identify if a certificate is a Platform Certificate or a Principal Identity Certificate.

  Existing information on the Certificate list was not helping to identify if a certificate is a Platform Certificate or a Principal Identity Certificate.

• Fixed Issue 3094718: Different pools were not initialized, including DefaultContainerMacPoolCreator, DefaultVtepLabelPoolCreator, DefaultVniPoolCreator, DefaultMacPoolCreator.

  Internal checkins were blocked.

• Fixed Issue 3094267: On the standby GM, the UI shows that an object can be edited when the backend does not allow it to be edited.

  You can edit the object in the UI but the changes are not saved.

• Fixed Issue 3093946: NSX proxy core file "nsx-proxy-zdump.xxx" is generated on Transport Node due to memory spike.

  Alarm will be generated due to the core. Workflow/Connections won't be affected post restart.

• Fixed Issue: In a security only cluster, when the cluster is deleted from vCenter, the corresponding Transport Node Collection in NSX is not deleted as it is attached to a security TransportNode Profile that is created by the system. As a result, the stale TransportNode Collection remains in the system.

  You will not be able to view the TransportNode Profiles present in the system using the NSX user interface.

• Fixed Issue 3093699: ServiceInsertion policies cannot be removed cleanly.

  You may not be able to remove Service Insertion policies after creating them.

• Fixed Issue 3097982: Host installation fails with the error  "Cannot complete login due to an incorrect user name or password" or multiple transport node UUIDs are created for a discovered node.

  In rare scenarios, it is observed that duplicate transport node UUIDs are created resulting in transport node preparation failure.

• Fixed Issue 3097815: Tier0 SR has been Standby on two Edge nodes due to incomparable healthiness if one of the services is configured as disabled or it becomes disabled.

  Tier0 SR would stay in Standby mode on two edges causing traffic not available.

• Fixed Issue 3091234: Blank display name and path fields in effective membership API response for CNS (Cloud native service) member.

  No functional impact.

• Fixed Issue 3089678: "get cluster vip" CLI is returning incorrect details of IPv6 post upgrade when VIP is switched.

  Mostly display issue. The CLI is returning the wrong information. The UI shows the correct IP for cluster VIP.

• Fixed Issue 3089410: The alarm communication.manager_fqdn_lookup_failure is not triggered when the IPv6 DNS is missing, whereas the alarm is triggered when the IPv4 DNS entry is missing.

  Reduced usability because an alarm could be triggered to warn the user of an incorrectly configured DNS server, but isn't triggered.

• Fixed Issue 3088726: When BGP is configured over VTI interface in an active-standby edge deployment, BGP is expected to be down on standby edge node, but still an active "BGP Down" alarm is generated on standby edge node.

  No functional impact. But a false "BGP Down" alarm is observed on standby edge node.

• Fixed Issue 3088183: LDAP authentication may time out intermittently. This can happen when ID Firewall is configured before LDAP authentication.

  Unable to log into NSX using LDAP credentials. Must use local account.

• Fixed Issue 3087551: After live upgrade, discovered bindings may go missing.

  Missing discovered bindings can result in DFW/Spoofguard reconfiguration, which leads to traffic outage/security issue.

• Fixed Issue 3086175: MP to Policy promotion failed when NSGroup with deleted Logical Port is attempted for promotion.

  This fails MP to Policy promotion.

• Fixed Issue 3085547: Incorrect Assigned To count in default project UI when tag is applied to Project VMs.

  The tag count is incorrectly shown on the tagging screen. This does not affect the evaluation of tag-based-groups. This should not affect the datapath.

• Fixed Issue 3085259: Post upgrade NSGroup shows "is_valid": false for static VIF members.

  No functional impact.

• Fixed Issue 3084933: Kubernetes tools upload fails on NSX during NSX Application Platform (NAPP) deployment.

  You will be unable to deploy NAPP if Kubernetes tools version is not in sync on NSX managers.

• Fixed Issue 3083334: "Static routing removed" alarm is seen in syslog file on every configuration push if static route is configured.

  Repeated alarms are seen in syslog.

• Fixed Issue 3081451: Old and new Segments (with different Transport Zones) all show up as part of "Project Default Transport Zone."

  Misleading, but no functional impact.

• Fixed Issue 3080991: When trying to resolve Mismatch alarm on Edge Transport Node config Uniform PassThrough (UPT) with Appliance value, the Edge configuration at Manager is not reconciled with UPT mode.

  Upgrade impact, since alarms must be resolved before upgrade.

• Fixed Issue 3076743: Migration is blocked if DLR/UDLR edge appliance is not deployed.

  Migration is blocked if DLR/UDLR edge appliance is not deployed.

• Fixed Issue 3075122: For Linux distros, new files downloaded via browsers are not analyzed by Malware Prevention.

  Files are not scanned or analyzed. No malware detection or prevention occurs.

• Fixed Issue 3074887: Edge cluster create fails since Transport Node internal flow causes config state flap between SUCCESS and IN_PROGRESS.

  Edge cluster create fails with error_code: 15020.

• Fixed Issue 3073723: SNAT port exhaustion alarm keeps coming up on the NSX Manager when there is no problem with SNAT ports exhaustion.

  No functional impact.

• Fixed Issue 3072849: PSOD During vMotion of VMs when FQDN is configured.

  ESXi host will reboot.

• Fixed Issue 3065709: Stub creation failed for around 27 seconds, failing the script copy.

  Post Check error.

• Fixed Issue 3051316: After modifying the port mirror destination from the UI, it may take 5 minutes to see that it's updated.

  You must wait several minutes to observe the new value.

• Fixed Issue 3046093: NSX Malware Prevention reinstall progress is not shown on the dashboard UI.

  Status will be up again after install/uninstall is completed. Temporarily UI cards will show status as not deployed.

• Fixed Issue 3045488: Disk IO error causes the batchProcessor thread to stop.

  Unable to use NSX.

• Fixed Issue 3045225: Redundant transport zone shown in UI, not API.

  No functional impact.

• Fixed Issue 3037150: For Groups with AD, Association API was not working.

  Association API not working.

• Fixed Issue 3027359: File type name is truncated to 12 characters resulting in inconsistency in display of file details on UI.

  No functional impact.

• Fixed Issue 2996248: When BGP and BFD are enabled over VTI, the BFD status is not updated in the BGP neighbor summary.

  The CLI will show status as unknown (DC). Functionality is not impacted.

• Fixed Issue 2974267: When the TCP Server reuses the port from TCP TIME_WAIT state flows, and when the client starts a new TCP session with Window Scaling Option, the packets from the server are dropped when they are bigger than a certain size.

  The packets from the server are dropped when they are bigger than a certain size.

• Fixed Issue 2946990: Slow memory leak in auth server (/etc/init.d/proxy) for local user authentication.

  APIs start slowing down.

• Fixed Issue 3259119: Unable to enable HCX Mobility Optimized Networking (MON).

  The logical port update is failing with a "An existing transaction is still in progress" error during a validation pre-updating the LogicalPort.

• Fixed Issue 3046183 and 3047028: After activating or deactivating one of the NSX features hosted on the NSX Application Platform, the deployment status of the other hosted NSX features changes to In Progress. The affected NSX features are NSX Network Detection and Response, NSX Malware Prevention, and NSX Intelligence.

  After deploying the NSX Application Platform, activating or deactivating the NSX Network Detection and Response feature causes the deployment statuses of the NSX Malware Prevention feature and NSX Intelligence feature to change to In Progress. Similarly, activating and deactivating the NSX Malware Prevention feature causes the deployment status of the NSX Network Detection and Response feature to In Progress. If NSX Intelligence is activated and you activate NSX Malware Prevention, the status for the NSX Intelligence feature changes to Down and Partially up.

• Fixed Issue 3108693: Project admin will not be able to configure the dns-forwarder feature from the UI.

  If you are logged in as a ‘project-admin’ then T1s under project-scope are not listed in the drop-down menu on the dns-forwarder page. As a result, project-admin is not able to configure the dns-forwarder feature from UI.

• Fixed Issue 3043600: The NSX Application Platform deployment fails when you use a private (non-default) Harbor repository with a self-signed certificate from a lesser-known Certificate Authority (CA).

  If you attempt to deploy the NSX Application Platform using a private (non-default) Harbor repository with a self-signed certificate from a lesser-known CA, the deployment fails because the deployment job is unable to obtain the NSX Application Platform Helm charts and Docker images. Because the NSX Application Platform did not get deployed successfully, you cannot activate any of the NSX features, such as NSX Intelligence, that the platform hosts.

• Fixed Issue 2949575: After one Kubernetes worker node is removed from the cluster without draining the pods on it first, the pods will be stuck in terminating status forever.

  NSX Application platform and applications on it might function partially or not function as expected.

• Fixed Issue 3047727: CCP did not publish updated RouteMapMsg.

  Routes not intended to be published are published.

• Fixed Issue 3106317: When a VNIC MAC Address is changed in the guest, the changes may not be reflected in the filters programmed to the PNIC.

  Potential Performance degradation.

• Fixed Issue 3083358: Controller taking long time to join the cluster on controller reboot.

  After controller reboot, the new configurations created on NSX Manager might face realization delay as the controller may take time to start.

• Fixed Issue 3106950: After reaching the DFW quota, the creation of a new VPC under the project scope fails.

  You cannot create a VPC under the project where the DFW quota has been reached.

• Fixed Issue 3114329: Intel QAT is not coming up post Bare Metal NSX Edge installation.

  Intel QuickAssist Technology (QAT) is a hardware accelerator technology designed to offload computationally intensive cryptographic and compression/decompression algorithms from the CPU to dedicated hardware. Because of this issue, you cannot use Intel QAT to improve the throughput performance of the VPN service with Bare Metal NSX Edge.

• Fixed Issue 3098639: Upgrade of NSX Manager fails due to reverse-proxy/auth service's failure to enter maintenance mode during upgrade.

  Upgrade failure of NSX Manager.

• Fixed Issue 3121377: Purple Screen Of Death (PSOD) on ESX.

  Traffic impacted due to transport node going down.

• Fixed Issue 3113067: Unable to connect to NSX-T Manager after vMotion.

  When upgrading NSX from a version lower than NSX 3.2.1, NSX manager VMs are not automatically added to the firewall exclusion list. As a result, all DFW rules are applied to manager VMs, which can cause network connectivity problems.

  This issue does not occur in fresh deployments from NSX 3.2.2 or later versions. However, if you are upgrading from NSX 3.2.1 or earlier versions to any target version up to and including NSX 4.1.0 this issue may be encountered.

• Fixed Issue 3113073: DFW rules are not getting enforced for some time after enabling lockdown mode.

  Enabling lockdown mode on a transport node can cause a delay in the enforcement of DFW rules. This is because when lockdown mode is enabled on a transport node, the associated VM may be removed from the NSX inventory and then recreated. During this time gap, DFW rules may not be enforced on the VMs associated with that ESXi host.

• Fixed Issue 3113076: Core dumps not generated for FRR daemon crashes.

  In the event of FRR daemon crashes, core dumps are not generated by the system in the /var/dump directory. This can cause BGP to flap.

• Fixed Issue 3113085: DFW rules are not applied to VM upon vMotion.

  When a VM protected by DFW is vMotioned from one host to another in a Security-Only Install deployment, the DFW rules may not be enforced on the ESX host, resulting in incorrect rule classification.

• Fixed Issue 3113093: Newly added hosts are not configured for security.

  After the installation of security, when a new host is added to a cluster and connected to the Distributed Virtual Switch, it does not automatically trigger the installation of NSX on that host.

• Fixed Issue 3113100: IP address is not realized for some VMs in the Dynamic security groups due to stale VIF entry.

  If a cluster has been initially set up for Networking and Security using Quick Start, uninstalled, and then reinstalled solely for Security purposes, DFW rules may not function as intended. This is because the auto-TZ that was generated for Networking and Security is still present and needs to be removed in order for the DFW rules to work properly.

• Fixed Issue 3118868: Incorrect or stale vNIC filters programmed on pNIC when overlay filters are programmed around the same time as a pNIC is enabled.

  vNIC filters programmed on pNIC may be stale, incorrect, or missing when overlay filters are programmed around the same time as a pNIC is enabled, resulting in a possible performance regression.

• Fixed Issue 3152195: DFW rules with Context Profiles with FQDN of type .*XYZ.com fail to be enforced.

  DFW rule enforcement does not work as expected in this specific scenario.

• Fixed Issue 3116294: Rule with nested group does not work as expected on hosts.

  Traffic not allowed or skipped correctly.

• Fixed Issue 3155845: PSOD during vMotion when FQDN filtering is configured.

  ESXi host will reboot.

• Fixed Issue 3163020: When the FQDN in DNS packets differs in text case with the Domain Names configured in L7 profiles of FQDN rules, the DFW FQDN rule actions are not applied correctly.

  DFW FQDN rule actions are not applied correctly. DFW FQDN filtering does not work properly.

• Fixed Issue 3186573: CorfuDB Data loss.

  Sudden loss of some configurations. Unable to create/update some configurations.

• Fixed Issue 2491800: Async Replicator channel port-certificate attributes are not periodically checked for expiry or revocation.

  This could lead to using an expired/revoked certificate for an existing connection.

• Fixed Issue 2877776: "get controllers" output may show stale information about controllers that are not the master when compared to the controller-info.xml file.

  This CLI output is confusing.

• Fixed Issue 2889482: The wrong save confirmation is shown when updating segment profiles for discovered ports.

  The Policy UI allows editing of discovered ports but does not send the updated binding map for port update requests when segment profiles are updated. A false positive message is displayed after clicking Save. Segments appear to be updated for discovered ports, but they are not.

• Fixed Issue 3017840: An Edge switch over doesn't happen when uplink IP address is changed.

  Wrong HA state might result in blackholing of traffic.

Known Issues

• Issue 3340718: PSOD (purple screen of death) may occur during NSX for vSphere to NSX-T migration under heavy traffic load.

  Migration from NSX for vSphere is failing with PSOD error and cannot proceed further.

  Workaround: To prevent a PSOD from occurring perform one of the following: 1) Disable DFW, migrate all VMs, then re-enable DFW. or 2) Migrate from NSX for vSphere to NSX-T version 3.2.3.1 or 4.1.0.2 and once the VM migration is complete, upgrade to 4.1.1 or later releases.

• Issue 3222376: The NSX "Check Status" functionality in the LDAP configuration UI reports a failure when connecting to Windows Server 2012/Active Directory. This is because Windows 2012 only supports weaker TLS cipher suites that are no longer supported by NSX for security reasons.

  Even though an error message displays, LDAP authentication over SSL works because the set of cipher suites used by the LDAP authentication code is different than the set used by the "Check Status" link.

  Workaround: See knowledge base article 92869 for details.

• Issue 3296976: Gateway Firewall may allow usage of unsupported Layer 7 App IDs as part of Context/L7 Access Profiles.

  Please refer to the following page, which lists which App IDs are supported per NSX release - https://docs.vmware.com/en/NSX-Application-IDs/index.html.

  Workaround: None

• Issue 3167100: Tunnels new configuration take several minutes to be observed from UI.

  It takes several minutes to observe the new tunnels information after configuring the host node.

  Workaround: None.

• Issue 3089238: Unable to register vCenter on NSX manager after the NSX-T extension is removed from vCenter on an NSXe setup.

  Unable to register vCenter on NSX manager after removing the extension from vCenter. This disrupts communication between vCenter and NSX the manager.

  Workaround: See knowledge base article 90847.

• Issue 3082587: Communication between SHA and metrics MUX would fail in checking the host name.

  The metrics transmission fails from SHA to metrics MUX.

  Workaround: See KB article 93896 for details.

• Issue 3211228: At present, even if the proxy is configured it is not used while connecting to the VMware download site to fetch the upgrade bundles. This results in failure in case of airgap scenarios.

  Setups that have airgap scenarios will not be able to run the upload upgrade bundle API since they need the proxy to reach the download site.

  Workaround: None.

• Issue 3245183: The "join CSM command" adds CSM to MP cluster, but does not add the Manager account on CSM.

  It will not be possible to continue with any other CSM work unless the Manager account is added on CSM.

  Workaround:

  1. Run the join command without including CSM login credentials.

     Example:

     join <manager-IP> cluster-id <MP-cluster-ID> username <MP-username> password <MP-password> thumbprint <MP-thumbprint>

  2. Add NSX Manager details in CSM through UI.

     a. Go to System -> Settings.

     b. Click Configure on the Associated NSX Node tile.

     c. Provide NSX Manager details (username, password, and thumbprint).

• Issue 3234358: The child port realization is not succeeding because it's being invoked prior to the parent port invocation.

  The child port is getting realized after five minutes from the parent port realization.

  Workaround: None

• Issue 3214034: Internal T0-T1 transit subnet prefix change after tier-0 creation is not supported by ESX datapath from Day 1.

  In cases where tier-1 router is created without SR, traffic loss can happen if the transient subnet IP prefix is changed.

  Workaround: Instead of changing the transient subnet IP prefix, delete and add Logical Router Port with a new transient subnet IP.

• Issue 3248603: NSX Manager File system is corrupted or goes into read only mode.

  In the /var/log/syslog, you may see log messages similar to the log lines below.

  2023-06-30T01:34:55.506234+00:00 nos-wld-nsxtmn02.vcf.netone.local kernel - - - [6869346.074509] sd 2:0:1:0: [sdb] tag#1 CDB: Write(10) 2a 00 04 af de e0 00 02 78 00

  2023-06-30T01:34:55.506238+00:00 nos-wld-nsxtmn02.vcf.netone.local kernel - - - [6869346.074512] print_req_error: 1 callbacks suppressed

  2023-06-30T01:34:55.506240+00:00 nos-wld-nsxtmn02.vcf.netone.local kernel - - - [6869346.074516] print_req_error: I/O error, dev sdb, sector 78634720

  2023-06-30T01:34:55.513497+00:00 nos-wld-nsxtmn02.vcf.netone.local kernel - - - [6869346.075123] EXT4-fs warning: 3 callbacks suppressed

  2023-06-30T01:34:55.513521+00:00 nos-wld-nsxtmn02.vcf.netone.local kernel - - - [6869346.075127] EXT4-fs warning (device dm-8): ext4_end_bio:323: I/O error 10 writing to inode 4194321 (offset 85286912 size 872448 starting block 9828828)

  Appliance may not work as normal.

  Workaround: See knowledge base article 93856 for details.

• Issue 3250489: Certificate does not get restored properly.

  Some GM functionality that requires API calls to the LM will not work.

  Workaround:

  1. Get the thumbprint of the fresh certificate.

  2. On the GM edit the connections settings of the LM and replace the thumbprint with the one for the fresh certificate.

• Issue 3245216: In a federated setup, cross-site UI stops working intermittently.

  The browser needs to be occasionally refreshed.

  Workaround: Refresh the browser.

• Issue 3233914: NSX reverse-proxy (due to bug in boringssl) fails to load a certificate if its length is multiple of 253. The certificate is of service_type CLIENT_AUTH.

  NSX reverse-proxy (envoy) fails to start after a restart (including upgrade). This will cause API and UI to be inaccessible.

  Workaround: Log in to NSX unified appliance and delete the certificate using command:

  curl -H "x-nsx-username: admin" -X DELETE http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<cert-id>

  Where cert-id is the ID of certificate of service_type client_auth and having length multiple of 253. (The length of certificate is counted for string pem_encoded of API /api/v1/trust-management/certificates and excluding "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".) Make sure the certificate to be deleted is of service_type CLIENT_AUTH.

• Issue 3145013: NCP pod deletion fails because of stale LogicalPorts on NSX.

  NCP pod deletion could become stuck.

  Workaround: Manually clean up the stale LogicalPorts on the underlying LogicalSwitch.

• Issue 3245645: The Datapath CPU usage graph on the UI does not reflect the correct values.

  The Time series database values on the graph are not correct. This may impact diagnosis of high CPU usage over a period of time.

  Workaround: You can use the instantaneous Datapath CPU stats shown on the left side of the graph.

• Issue 3221820: User is allowed to edit the TZP ID when updating the transport node via API.

  The user will not be able to make subsequent updates to the transport node.

  Workaround: Contact VMware support.

• Issue 3245222: NSX Manager upgrade dry run tool fails at InternalLogicalPortMigrationTask.

  NSX Manager upgrade is blocked.

  Workaround: Manually clean up the stale Port Profile Binding Maps and retry the upgrade dry run.

• Issue 3249446: Service Insertion North South Active/Standby (HA) deployments triggers alarms even if deployment is successful.

  Users are encouraged to remove deployments (although not required). Users delete deployments for no reason.

  Workaround: Ignore the alarm if the deployment is successful.

• Issue 3069003: Excessive LDAP operations on customer LDAP directory service when using nested LDAP groups.

  High load on LDAP directory service in cases where nested LDAP groups are used.

  Workaround: For vROPS prior to 8.6, use the "admin" local user instead of an LDAP user.

• Issue 3014499: Powering off Edge handling cross-site traffic causes disruption some flows.

  Some cross-site traffic stopped working.

  Workaround: Power on the powered-off edge.

• Issue 3010038: On a two-port LAG that serves Edge Uniform Passthrough (UPT) VMs, if the physical connection to one of the LAG ports is disconnected, the uplink will be down, but Virtual Functions (VFs) used by those UPT VMs will continue to be up and running as they get connectivity through the other LAG interface.

  No impact.

  Workaround: None.

• Issue 2490064: Attempting to disable VMware Identity Manager with "External LB" toggled on does not work.

  After enabling VMware Identity Manager integration on NSX with "External LB", if you attempt to then disable integration by switching "External LB" off, after about a minute, the initial configuration will reappear and overwrite local changes.

  Workaround: When attempting to disable vIDM, do not toggle the External LB flag off; only toggle off vIDM Integration. This will cause that config to be saved to the database and synced to the other nodes.

• Issue 2558576: Global Manager and Local Manager versions of a global profile definition can differ and might have an unknown behavior on Local Manager.

  Global DNS, session, or flood profiles created on Global Manager cannot be applied to a local group from UI, but can be applied from API. Hence, an API user can accidentally create profile binding maps and modify global entity on Local Manager.

  Workaround: Use the UI to configure system.

• Issue 2838613: For ESX version less than 7.0.3, NSX security functionality not enabled on VDS upgraded from version 6.5 to a higher version after security installation on the cluster.

  NSX security features are not enabled on the VMs connected to VDS upgraded from 6.5 to a higher version (6.6+) where NSX Security on vSphere DVPortgroups feature is supported.

  Workaround: After VDS is upgraded, reboot the host and power on the VMs to enable security on the VMs.

• Issue 2871440: Workloads secured with NSX Security on vSphere dvPortGroups lose their security settings when they are vMotioned to a host connected to an NSX Manager that is down.

  For clusters installed with the NSX Security on vSphere dvPortGroups feature, VMs that are vMotioned to hosts connected to a downed NSX Manager do not have their DFW and security rules enforced. These security settings are re-enforced when connectivity to NSX Manager is re-established.

  Workaround: Avoid vMotion to affected hosts when NSX Manager is down. If other NSX Manager nodes are functioning, vMotion the VM to another host that is connected to a healthy NSX Manager.

• Issue 2871585: Removal of host from DVS and DVS deletion is allowed for DVS versions less than 7.0.3 after NSX Security on vSphere DVPortgroups feature is enabled on the clusters using the DVS.

  You may have to resolve any issues in transport node or cluster configuration that arise from a host being removed from DVS or DVS deletion.

  Workaround: None.