VMware NSX 4.1.1 | 15 August 2023 | Build 22224312

Check for additions and updates to these release notes.
NSX 4.1.1 provides a variety of new features to offer new functionalities for virtualized networking and security for private, public, and multi-clouds. Highlights include new features and enhancements in the following focus areas:
Cloud Consumption Model with NSX VPCs: The new NSX VPC allows self-service consumption of networking, security and services through an on-demand isolated environment aligned with standard cloud consumption models. It offers a second level of tenancy below Project, with a streamlined UI and API that let teams deploy networking and security in the cloud environment easily.
Multi-tenant Distributed IDS/IPS: Distributed IDS/IPS now offers multi-tenant consumption with the ability to configure it under Projects. Multiple users can apply IDS/IPS rules to their own VMs without risk of overlap.
IPv6 TEP (tunnel end point) support for Transport Nodes: This release introduces support for IPv6 TEP (tunnel end point) with Geneve encapsulation for Transport Nodes (Edge Nodes and ESXi hosts). With this feature, users can create overlay Transport Zones using IPv6 as the underlay transport protocol.
In addition to those, many other capabilities are added in every area of the product. More details are available below in the detailed description of added features.
Layer 2 Networking
Filter VLAN on VLAN Transport Zone: It is now possible to define a list of VLANs authorized for a given VLAN-based transport zone, which prevents NSX tenants from using some VLANs already used for general connectivity in the datacenter.
ESX Observability Enhancements: The NSX API now offers statistics for the ESX overlay, ESX distributed routing and switch security (IP discovery and spoof guard) modules, which were only available through the CLI in previous releases. This gives more options for monitoring the NSX modules running on ESX.
Enhanced Data Path (EDP) now supports the following improvements:
Support of double overlay encapsulation for traffic coming from VMs and containers to a host switch, offering better performance for Antrea deployments.
Support of MAC and VLAN filtering, which allows a physical NIC driver to program a (MAC, VLAN) pair to a physical NIC Rx queue.
Optimization of flow cache for Geneve overlay traffic reducing the impact of large numbers of flows on forwarding performance.
Layer 3 Networking
IPv6 TEP (tunnel end point) support for Transport Nodes: This release introduces support for IPv6 TEP (tunnel end point) with Geneve encapsulation for Transport Nodes (Edge Nodes and ESXi hosts). With this feature, you can create overlay Transport Zones using IPv6 as the underlay transport protocol.
DPU-based Acceleration
NVIDIA BlueField-2 (100Gbps) is supported.
Edge Platform
Bare Metal Edge supports Intel 810: expands the list of supported NICs with 25Gbps/100Gbps Intel NIC.
Disabled Flow Cache Alarm on Edge Node: With VMware NSX 4.1.1, if the flow cache is disabled on an Edge Transport Node, NSX triggers an alarm. This ensures Edge Transport Nodes can deliver the best performance.
Packet drop alarm: The alarm shows more specific information about packet drops, providing more granular information.
Maximum supported cores for Bare Metal Edge: With VMware NSX 4.1.1, the Bare Metal Edge node can have up to 80 cores, maximizing the performance of the Edge node.
Physical Server
Added support of Windows 2012R2 OS for the Physical server transport node.
Network Detection and Response (NDR)
Support for Australia region: A new cloud region (Australia) is now available for the NDR and Malware Prevention features. Choosing this region during feature activation ensures that data from customers in this region is processed locally, and addresses data residency concerns. This feature is applicable to all releases post NSX-T 3.2.
Container Networking and Security
Scale Improvements for TKGi: NSX 4.1.1 brings scale parity for TKGi customers shifting from Manager Mode APIs to the declarative Policy APIs.
Support for more than 1000 OpenShift routes with NCP 4.1.1.
Installation and Upgrade
Run NSX pre-upgrade checks at any time and independent of the upgrade process. Check upgrade readiness and fix any underlying issues ahead of time, and use your maintenance window for actual upgrades. Benefit from latest pre-checks added dynamically by NSX.
NOTE: While this capability allows you to run pre-checks in advance, they must still be run again before starting an NSX upgrade. This ensures an accurate and up-to-date assessment of your deployment right before the upgrade.
NSX Federation now supports the same upgrade interoperability of N+2 (N = minor version number in product series) as NSX on-premises.
Reduced downtime in rolling upgrade of NSX Manager cluster.
Revamped NSX Upgrade UI for better performance. Additional user experience enhancements in the NSX upgrade process.
A search <uuid> command is added; it looks up resource details by UUID and reports the IP Address, Host Name, Display Name and Resource Type.
The NSX Manager UI now displays a banner when the NSX Manager is deployed by VMware Cloud Foundation. The NSX Upgrade splash page also reminds you to upgrade NSX from SDDC Manager when NSX is deployed by VMware Cloud Foundation.
Operations and Monitoring
LTA support on ESXi ENS Fastpath
A counter action is introduced in this release and is available through the API; it enables users to trace ENS fastpath and slow path traffic on the port.
Status metrics in string format can now be persisted in NAPP as time-series metrics. For example, the cluster status metric shows the health of the NSX Manager cluster with string values (stable/unstable/degraded), and these can now be persisted in NAPP. This allows you to monitor string-valued status metrics over a period of time with historical context.
Online Diagnostic System
Thirteen new runbooks are added in this release to help with troubleshooting across Edge, Host and NSX Manager. See the Administration Guide for more information.
NSX CLI Enhancements
More than one filter can be applied to CLI commands to filter the data, which helps narrow down large outputs.
New modifiers sed, awk, uniq are supported to filter and format the CLI output.
From the central CLI, users can now execute the commands on remote CLI using IP Address, Host Name and Display name. This provides flexibility to execute CLI commands on remote nodes using any of these identifiers.
The search <input-str> CLI command is added. This command can be used to get information such as the IP address, display name, resource type for any <input-str>. Along with the search string, resource-type parameter can be added to filter the resource type.
Transport Node APIs are updated to provide various details to aid in monitoring.
Transport Node Status API
MP connection status can be retrieved in real time using the source=realtime field in the API call.
For the CCP connection, a status description field is added. It describes the reason for a disconnection, and the last status changed time field shows when the status was updated.
For pnic status, details of pnics that are down and the last status change are added.
For cfgagent and opsagent, component and last status change fields are added.
Aggregated status now has a status description showing why the aggregated status is not up, a last aggsvc heartbeat field showing when the MP connection was last active, and a last status changed time field showing when the status was updated.
PNIC bond Status API
Pnic bond details and type field reflecting whether it's used for NSX or non-NSX are added.
VPN
Deterministic core allocation for IPsec VPN: With NSX 4.1.1 you can enable the allocation of more cores for VPN Services.
Platform Security
Local User Account Management: Adds an NSX API for listing local user accounts on NSX appliances (NSX Manager, NSX Edge, NSX Application Platform, NSX Cloud Service Manager).
Scale
With the release of NSX 4.1.1 there will be several updates to the maximum scale supported by NSX. Please see the VMware Configuration Maximums tool for each update.
NSX for vSphere to NSX-T Migration
Configuration and Edge Migration Mode available for cross-vCenter to Federation Migration - This mode, which migrates configuration and Edges and establishes a performance-optimized distributed bridge between the NSX-V source environment and the NSX destination environment, is now available on the Global Manager.
Ability to generate Migration report - Migration Coordinator now offers the ability to generate a migration report describing security configuration migrated from NSX for vSphere to NSX, and in particular security tags applied to VMs.
Multi Tenancy
Introduction of NSX VPCs - Ability to create within a Project new NSX VPC constructs, which provide self service through Cloud Consumption. NSX VPCs offer a rich feature set:
Specific IP Blocks used to advertise IP (External IP Blocks) or internally in the VPC (Private IP Blocks)
Apply Quota to restrict consumption of a given NSX VPC
Ability to share objects
Delegate Access to specific users for consumption
Define default outside connectivity for internal VMs
Consumption of the NSX VPC - A user assigned to a VPC, also called VPC admin, will be able to configure networking with:
Define Subnets and through their nature (Public, Private and Isolated) their behavior:
Public Subnets: Routed subnet advertised outside of the VPCs.
Private Subnets: Routed subnets internal to the VPCs.
Isolated Subnets: Subnet not routed, used for internal communication.
Benefit from VPC IPAM and DHCP to manage network creation and IP assignments. With NSX VPC it is possible to define only how many IPs are needed and let the system handle the configuration.
Define Services such as NAT to provide external access to private-subnet virtual machines or expose a specific VM through a floating IP.
(Note: In this release specific port translation is not supported.)
Apply Security with the ability to:
Define dynamic and static Grouping to VPC VMs
Apply East-West rules to VMs connected to NSX VPC subnets through distributed firewall
Apply North-South rules defining access to and from the NSX VPC
Project Enhancement - Multiple enhancements to Projects are introduced in 4.1.1, including these major ones:
Distributed IDS/IPS Support - A Project Administrator is now able to configure Distributed IDS/IPS rules in the Project, monitor their own threat events, and apply rules specifically to workloads connected to Project networks.
Project route filtering (API only) - It is now possible to restrict the routes advertised outside of a given Project (from all Tier-1s and all NSX VPCs of the Project) at the Tier-0 (or Tier-0 VRF) level. This allows setups where multiple Projects share the same Tier-0 and need to segment the available IP space.
Deprecation announcement for NSX Load Balancer
VMware intends to deprecate the built-in NSX load balancer and recommends customers migrate to NSX Advanced Load Balancer (Avi) as soon as practical. VMware NSX Advanced Load Balancer (Avi) provides a superset of the NSX load balancing functionality and VMware recommends that you purchase VMware NSX Advanced Load Balancer (Avi) Enterprise to unlock enterprise grade load balancing, GSLB, advanced analytics, container ingress, application security and WAF.
We are giving advance notice now to allow existing customers who use the built-in NSX load balancer time to migrate to NSX Advanced Load Balancer (Avi). Support for the built-in NSX load balancer for customers using NSX-T Data Center 3.x will remain for the duration of the NSX-T Data Center 3.x release series. Support for the built-in NSX load balancer for customers using NSX 4.x will remain for the duration of the NSX 4.x release series. Details for both are described in the VMware Product Lifecycle Matrix. We do not intend to provide support for the built-in NSX load balancer beyond the last NSX 4.x release.
More information:
Deprecation announcement for NSX Manager APIs and NSX Advanced UIs
NSX has two methods of configuring logical networking and security: Manager mode and Policy mode. The Manager API contains URIs that begin with /api, and the Policy API contains URIs that begin with /policy/api.
Please be aware that VMware intends to remove support of the NSX Manager APIs and NSX Advanced UIs in an upcoming NSX major or minor release, which will be generally available no sooner than one year from the date of the original announcement made on 12/16/2021. NSX Manager APIs that are planned to be removed are marked with "deprecated" in the NSX Data Center API Guide, with guidance on replacement APIs.
It is recommended that new deployments of NSX take advantage of the NSX Policy APIs and NSX Policy UIs. For deployments currently leveraging NSX Manager APIs and NSX Advanced UIs, please refer to the NSX Manager for the Manager to Policy Objects Promotion page and the NSX Data Center API Guide to aid in the transition.
Deprecated API | Replacement API
---|---
DELETE /policy/api/v1/aaa/registration-token/{token} (Deprecated) | POST /api/v1/aaa/registration-token/delete
GET /api/v1/cluster/{cluster-node-id}/node/intelligence/form-factors (Deprecated) | GET /api/v1/node/services/manager
GET /api/v1/cluster/{cluster-node-id}/node/services/policy (Deprecated) | GET /api/v1/node/services/manager
GET /api/v1/cluster/{cluster-node-id}/node/services/policy/status (Deprecated) | GET /api/v1/node/services/manager/status
GET /api/v1/cluster/{cluster-node-id}/node/upgrade (Deprecated) | None
GET /policy/api/v1/aaa/registration-token/{token} (Deprecated) | POST /api/v1/aaa/registration-token/retrieve
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/global-config (Deprecated) | Use /infra/connectivity-global-config for Connectivity global config and /infra/ops-global-config for Operations global config.
POST /api/v1/cluster/{cluster-node-id}/node/services/http?action=apply_certificate (Deprecated) | POST /api/v1/trust-management/certificates/?action=apply_certificate&service_type=API&node_id=
POST /api/v1/cluster/{cluster-node-id}/node/services/policy?action=reset-manager-logging-levels (Deprecated) | POST /api/v1/node/services/manager?action=reset-manager-logging-levels
POST /api/v1/cluster/{cluster-node-id}/node/services/policy?action=restart (Deprecated) | POST /api/v1/node/services/manager?action=restart
POST /api/v1/cluster/{cluster-node-id}/node/services/policy?action=start (Deprecated) | POST /api/v1/node/services/manager?action=restart
POST /api/v1/cluster/{cluster-node-id}/node/services/policy?action=stop (Deprecated) | POST /api/v1/node/services/manager?action=restart
POST /policy/api/v1/batch (Deprecated) | Support for batched operations will be removed from a future NSX release. For policy APIs, use the hierarchical API to submit a set of updates as a single operation. For other APIs, submit the operations as individual REST API calls.
PUT /api/v1/cluster/{cluster-node-id}/node/services/policy (Deprecated) | PUT /api/v1/node/services/manager
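To find automation that still calls the deprecated endpoints in the table above before they are removed, here is an added example (not VMware's code) that matches request lines from a constructed access-log sample against the table, classifies each call as Manager mode (/api) or Policy mode (/policy/api) using the prefixes the notes give, and reports the documented replacement. The log format and the helper names are assumptions.

```python
"""Audit NSX API calls against the NSX 4.1.1 deprecated-endpoint table.

Added example, not VMware code. Table entries are copied from the release
notes; the log format, helper names and sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# (method, URI template, replacement) as listed in the release notes table.
DEPRECATED_APIS = [
    ("DELETE", "/policy/api/v1/aaa/registration-token/{token}", "POST /api/v1/aaa/registration-token/delete"),
    ("GET", "/api/v1/cluster/{cluster-node-id}/node/intelligence/form-factors", "GET /api/v1/node/services/manager"),
    ("GET", "/api/v1/cluster/{cluster-node-id}/node/services/policy", "GET /api/v1/node/services/manager"),
    ("GET", "/api/v1/cluster/{cluster-node-id}/node/services/policy/status", "GET /api/v1/node/services/manager/status"),
    ("GET", "/api/v1/cluster/{cluster-node-id}/node/upgrade", "None"),
    ("GET", "/policy/api/v1/aaa/registration-token/{token}", "POST /api/v1/aaa/registration-token/retrieve"),
    ("PATCH", "/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/global-config",
     "/infra/connectivity-global-config or /infra/ops-global-config"),
    ("POST", "/api/v1/cluster/{cluster-node-id}/node/services/http?action=apply_certificate",
     "POST /api/v1/trust-management/certificates/?action=apply_certificate&service_type=API&node_id="),
    ("POST", "/api/v1/cluster/{cluster-node-id}/node/services/policy?action=reset-manager-logging-levels",
     "POST /api/v1/node/services/manager?action=reset-manager-logging-levels"),
    ("POST", "/api/v1/cluster/{cluster-node-id}/node/services/policy?action=restart", "POST /api/v1/node/services/manager?action=restart"),
    ("POST", "/api/v1/cluster/{cluster-node-id}/node/services/policy?action=start", "POST /api/v1/node/services/manager?action=restart"),
    ("POST", "/api/v1/cluster/{cluster-node-id}/node/services/policy?action=stop", "POST /api/v1/node/services/manager?action=restart"),
    ("POST", "/policy/api/v1/batch", "hierarchical API for policy objects, individual REST calls otherwise"),
    ("PUT", "/api/v1/cluster/{cluster-node-id}/node/services/policy", "PUT /api/v1/node/services/manager"),
]


def _compile(template):
    """Turn a URI template into (path regex, required ?action value or None)."""
    path, _, query = template.partition("?")
    action = parse_qs(query).get("action", [None])[0]
    # {param} placeholders match exactly one path segment; literal pieces are escaped.
    literals = re.split(r"\{[^}]+\}", path)
    regex = re.compile("^" + "[^/]+".join(re.escape(p) for p in literals) + "/?$")
    return regex, action


_RULES = [(method, *_compile(template), replacement)
          for method, template, replacement in DEPRECATED_APIS]


def api_mode(uri):
    """Classify a URI by the prefixes the release notes give for each mode."""
    path = urlsplit(uri).path
    if path.startswith("/policy/api/"):
        return "policy"
    if path.startswith("/api/"):
        return "manager"
    return "other"


def check_request(method, uri):
    """Return the documented replacement if (method, uri) is deprecated, else None."""
    parts = urlsplit(uri)
    action = parse_qs(parts.query).get("action", [None])[0]
    for rule_method, regex, rule_action, replacement in _RULES:
        if rule_method == method.upper() and regex.match(parts.path) and action == rule_action:
            return replacement
    return None


# Assumed access-log shape: ... "METHOD URI HTTP/x.y" status bytes
_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def audit_log(lines):
    """Return (method, uri, mode, replacement) for each deprecated call found."""
    findings = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        replacement = check_request(m["method"], m["uri"])
        if replacement is not None:
            findings.append((m["method"], m["uri"], api_mode(m["uri"]), replacement))
    return findings


# Constructed sample log lines (not real NSX output); two Manager-mode and one
# Policy-mode deprecated call sit among ordinary requests.
SAMPLE_LOG = [
    '10.0.0.5 - admin [15/Aug/2023:10:00:01 +0000] "POST /api/v1/cluster/0a1b2c3d/node/services/policy?action=restart HTTP/1.1" 200 512',
    '10.0.0.5 - admin [15/Aug/2023:10:00:02 +0000] "GET /policy/api/v1/infra/domains HTTP/1.1" 200 2048',
    '10.0.0.7 - svc [15/Aug/2023:10:00:03 +0000] "POST /policy/api/v1/batch HTTP/1.1" 200 128',
    '10.0.0.7 - svc [15/Aug/2023:10:00:04 +0000] "GET /api/v1/cluster/0a1b2c3d/node/services/policy/status HTTP/1.1" 200 300',
    '10.0.0.9 - ci [15/Aug/2023:10:00:05 +0000] "GET /api/v1/transport-nodes HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for method, uri, mode, replacement in audit_log(SAMPLE_LOG):
        print(f"[{mode}] {method} {uri} -> use: {replacement}")
```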
For compatibility and system requirements information, see the VMware Product Interoperability Matrices and the NSX Installation Guide.
For instructions about upgrading NSX components, see the NSX Upgrade Guide.
This release provides a variety of new features. It is recommended that customers who require these features or want to deploy a version of NSX that is compatible with vSphere 8 upgrade to this release. Customers can also continue to use the NSX 3.2.x release, which will be supported with maintenance releases until the EOGS date for the NSX 3.x major release series. See the VMware Product Lifecycle Matrix for more information on our support policy.
This release is not supported for NSX Cloud customers deployed with AWS/Azure workloads. Please do not upgrade your environment in this scenario.
Note: Customers upgrading to NSX 3.2.1 or below are recommended to run the NSX Upgrade Evaluation Tool before starting the upgrade process. The tool is designed to ensure success by checking the health and readiness of your NSX Manager repository prior to upgrading. For customers upgrading to NSX 3.2.2 or higher, the tool is already integrated into the Upgrade workflow as part of the upgrade pre-checks; no separate action is needed.
NSX has been localized into multiple languages: English, German, French, Japanese, Simplified Chinese, Korean, Traditional Chinese, Italian, and Spanish. Because NSX localization utilizes the browser language settings, ensure that your settings match the desired language.
Revision Date | Edition | Changes
---|---|---
August 15, 2023 | 1 | Initial Edition
August 22, 2023 | 2 | Added known issue 3167100.
October 9, 2023 | 3 | Updated the "Upgrade Notes for This Release" section.
October 27, 2023 | 4 | Added issues 3279659, 3282595, 3098356, and 3240118.
November 1, 2023 | 5 | Moved issue 3163020 to Resolved Issues.
December 13, 2023 | 6 | Added known issue 3296976.
January 12, 2024 | 7 | Added known issue 3222376.
January 22, 2024 | 8 | Moved issue 3248603 to Known Issues.
March 7, 2024 | 9 | Added resolved issue 3308657.
March 21, 2024 | 10 | Added resolved issue 3157441.
March 26, 2024 | 11 | Added known issue 3340718.
July 15, 2024 | 12 | Added resolved issue 3180650.
Fixed Issue 3180650: In medium edge, malloc heap exhaustion alarm is triggered in a new deployment.
Alarm is observed in the manager UI, but there is no functional impact.
Fixed Issue 3157441: Traffic bursts may cause TX drops in VM edge datapath.
Packets are dropped when edge datapath attempts to transmit them.
Fixed Issue 3308657: When creating firewall sections with a very large number of rules, the create/delete rule API response takes more than 30 minutes.
This slowness causes 409/500 errors or slowness in API executions for PODS to come up.
Fixed Issue 3240118: FirewallRule addition in a FirewallSection takes longer than expected to be realized on hosts or edge nodes.
There will be a delay in rule realization to hosts.
Fixed Issue 3098356: New tier-0 interface not created on edge node.
New updates on tier-0 gateway will not get realized on edge node. For example, creation of new external interface.
Fixed Issue 3279659: Not able to access GMs (Active/Standby) after NSX managers were upgraded to 4.0.x from 3.2.x in a Federation environment where one of the LMs in that Federation environment is on 3.2.x.
In a Federation environment, users will not be able to access GMs (Active/Standby) after NSX managers were upgraded to 4.0.x from 3.2.x.
Fixed Issue 3282595: “nsx-cbm” user does not have write permissions for private keystore files -> /config/cluster-manager/<service_name>/private.
After upgrade to 4.1.1, permissions on private keystore files should get modified upon CBM restart but CBM init script did not update the permissions. If you replace (apply new cert) any CBM_* certificate, then the replacement operation will not finish due to the file permissions issue. If new CBM_MP cert was applied and cert replacement fails, then proton will not come up after restart as it will not be able to connect to Corfu due to SSL cert errors. Because of this issue, UI might become inaccessible with the manager IP when proton on that manager does not come up.
Fixed Issue 3106689: VLAN Traceflow cannot automatically detect and replace the gateway MAC to destination MAC when the source and destination are in a different VLAN segment.
You will see the exception, "Logical port does not support L3 logical routing and requires manually specifying L2 destination MAC of gateway."
Fixed Issue 3100367: The alarm, "The service nsx-opsagent has been unresponsive for 10 seconds" appears intermittently.
No functional impact.
Fixed Issue 3097907: Opsagent core dump when DVS lib runs into invalid pointer problem.
The core dump can interrupt the ongoing processes in opsagent, such as transport node installation, but the core dump can be recovered automatically.
Fixed Issue 3053340: Unable to delete NAPP (NSX Application Platform) from NSX.
Unable to delete NAPP when Helm repo is inaccessible. Helm repo access is required for all NAPP operations.
Fixed Issue 3053507: Logging long messages causes "Message too long" exception when sent to socket().
Logging exceptions will cause the migration operation to fail. This can be at any stage of the migration.
Fixed Issue 3076708: Segment ports not created for VMs connected to one of the security enabled clusters when the connection between vCenter and NSX Manager is down.
When connection between vCenter and NSX Manager is down and when the customer creates a Distributed Virtual Portgroup and attaches a VM to that Distributed Virtual Portgroup, the logical port creation fails as the logical switch is missing.
Fixed Issue 3099061: NSX Public Cloud Gateway (PCG) deployment failed in Azure due to missing Mellanox NIC driver.
Unable to deploy and use NSX PCG in Azure.
Fixed Issue 3119522: Managing the network latency after Distributed Firewall is enabled.
Some latency bound applications protected by Distributed Firewall might experience disconnects or unintended behavior.
Fixed Issue 3241202: Tier-1 CSP subnets stop getting advertised to the connected Tier-0 if the edge cluster of Tier-1 gateway is changed.
North-South datapath will break for Tier-1 CSP subnets.
Fixed Issue 3114135: Policy identity store configuration is not synced to manager.
Some policy identity firewall configurations might be missed on manager. The Active Directory sync will not work.
Fixed Issue 3229358: VLANs of Global Manager Segments (Segments that are attached to the Default Overlay Transport Zone and do not have the transport_zone_path property) are not displayed in the Default Overlay Transport Zone's VLAN field help text while editing the Transport Zone.
There will be an error from API on editing Default Overlay Transport Zone if you enter values which do not include VLAN values mentioned in the linked Global Manager Segment.
Fixed Issue 3220511: Spoof guard profile and Switch security profile come from different MP profile messages. Updating them in different transaction causes CCP to lose the previous Spoof guard updates.
The VM traffic is not blocked.
Fixed Issue 3219930: VM loses connectivity to the network after vMotion.
Network traffic will be down for the VMs that are affected by this issue.
Fixed Issue 3219829: Baremetal edge software kernel panic.
System does not come up.
Fixed Issue 3215632: NSX 4.1.0 UI configures same quota limits for all projects having same prefix.
Pre-configured quotas for Project in NSX 4.1.0 will apply to all the projects starting with same prefix.
Fixed Issue 3213059: VDPI application coredump found.
Brief disruption in L7 traffic processing.
Fixed Issue 3092553: Connectivity issues to vCenter Public IP/FQDN from an allowlist source inside the SDDC.
Unable to access the Public IP/FQDN of the SDDC vCenter from an allowlist source inside the SDDC as the route.
Fixed Issue 3210494: After deployment of an XL Edge with 4K RX ring size, a datapath memory usage alarm might get raised.
In the unlikely case that traffic is backed up on TX, there may be an insufficient number of buffers available for internal queuing.
Fixed Issue 3185804: Host preparation gets stuck at 96%.
Though all configurations are correctly pushed to the host, the transport node status never goes to success.
Fixed Issue 3184792: IDPS engine process crashes with a mix of http and smb traffic.
Detection/prevention functionality goes down for a short time.
Fixed Issue 3182288: East/West multicast doesn’t work without enabling PIM on a tier-0 uplink in Active-Active.
There is an inconsistency between Active-Active and Active-Standby requirements.
When there is upgrade from Active-Standby to Active-Active, PIM needs to be enabled on the tier-0 uplink explicitly for East-West traffic to work.
Fixed Issue 3167374: Orphan firewall rules due to discrepancies in handling overlapping database transactions under churn scenario.
Unavailability of appliance (CCP) resulting in publishing failures of firewall rule.
Fixed Issue 3165390: When a large number of FQDN Domain-IP mapping list is scrubbed, Purple Screen Of Death (PSOD) can happen on the ESXi host during vMotion.
PSOD of ESXi host can disrupt the Distributed Firewall (DFW) rule enforcement on the traffic.
Fixed Issue 3164468: NSX distributed firewall rules are lost after VMotion of a VM connected to DVPortgroup.
Loss of distributed firewall configuration for some VMs in the NSX enabled cluster.
Fixed Issue: PortDiscoveryProfileBindingMap entries are not cleaned up after deletion.
There could be a memory exhaustion leading to java.lang.OutOfMemoryError. Proton service could be sluggish and UI may become inaccessible.
Fixed Issue 3160287: When MON is configured, the src MAC of the packets routed/forwarded from Virtual Distributed Router (VDR) is not consistent.
When the workload learns the gateway MAC through the SMAC, packets will not be successfully routed.
Fixed Issue 3157430: Using node-profile in NSX Manager UI to update syslog settings triggers critical alerts (Edge Node settings mismatch) on edges.
A false alarm is raised due to this issue.
Fixed Issue 3152221: CCP fullsync with Corfu goes into error state after temporary disconnect and reconnect.
Realization will fail due to this issue.
Fixed Issue 3151615: BGP neighbor shows tier-0 interface's old IP as the source address even after changing the tier-0 external interface IP.
Edge will unnecessarily try to connect to the BGP neighbor after changing the interface IP that is not reachable.
Fixed Issue 3151441: After upgrading to NSX 4.1.0, the UI is not accessible if the browser locale is set to non-English or to a locale not supported by NSX.
The UI is not accessible if the browser locale is non-English or to a locale not supported by NSX.
Fixed Issue 3117000: Compactor stops getting triggered leading to increased disk space.
The NSX UI might become unresponsive.
Fixed Issue 3114329: Intel QuickAssist Technology (QAT) is not coming up post bare metal NSX edge installation.
Intel QuickAssist Technology (QAT) is a hardware accelerator technology designed to offload computationally intensive cryptographic and compression/decompression algorithms from the CPU to dedicated hardware. Because of this issue, Intel QAT cannot be used to improve the throughput performance of the VPN service with bare metal NSX edge.
Fixed Issue 3110284: Unable to stretch tier-0 gateway.
In Federation, if the span of a gateway is extended by adding a new location (whose ID starts with the ID of an already-added location), the UI shows the operation as successful. However, the gateway is not stretched and the updated location under the gateway is not visible.
Fixed Issue 3110235: If interfaces are created on tier-0 on which multiple locations are selected, filtering does not work properly.
Filtering in interfaces does not work.
Fixed Issue 3110133: Bare Metal(BM) edge deployment_type is incorrectly reported as VIRTUAL_MACHINE in the response of API https://{{mp}}/api/v1/transport-node.
Users consuming this API get incorrect information about deployment_type of Bare Metal(BM) edge.
Fixed Issue 3109125: The IDPS service crashes on one or more hosts in the cluster.
The IDPS service automatically restarts after a crash. However, it would be unavailable briefly (a few seconds till it restarts) and the concerned traffic will not be subject to the IDPS inspection during this time.
Fixed Issue 3108466: Upgrade pre-checks get stuck in the NSX 4.1.0 release for upgrades from NSX 3.2.x to NSX 4.1.0 and NSX 4.0.1 to NSX 4.1.0.
Upgrade from 3.2.x to 4.1.0 and 4.0.1 to 4.1.0 might get stuck.
Fixed Issue 3108202: User is able to delete default domain.
User cannot add global groups and security policies.
Fixed Issue 3106313: Emergency Edge Firewall policy/section is imported to Global Manager (GM) during Local Manager (LM) brownfield onboarding, which results in importing these rules from LM to GM. LM administrators cannot manage these rules on LM after importing them to GM.
Local Manager administrators cannot modify or delete emergency rules from the LM after the emergency section is synced from GM to LM.
Fixed Issue 3104775: Bare Metal(BM) edge deployment_type is incorrectly reported as VIRTUAL_MACHINE in the response of API https://{{mp}}/api/v1/transport-node.
Users consuming this API get incorrect information about deployment_type of Bare Metal(BM) edge.
Fixed Issue 3103168: Core dumps are observed on ESX transport node for opsAgent component.
The "nsx-opsagent" application is getting crashed.
Fixed Issue 3100990: Upgrade data migration from 3.2.0 or 3.2.0.1 to 4.1.0 will fail during pre-upgrade check if some tables are corrupted.
The pre-upgrade check will fail at data migration step and block the subsequent actual upgrade.
Fixed Issue 3100531: Regression in realization workflow for Firewall enable/disable settings due to introduction of custom project level firewall settings.
Firewall Settings (also known as firewall enable/disable status) and Firewall Exclude List features are not correctly realized to hosts.
Fixed Issue 3099343: Error message is not clear while updating the transport node with a non-existing transportzoneprofile.
As error message is not clear, proper action cannot be taken while updating the transport node with a non-existing transportzoneprofile.
Fixed Issue 3099338: In a Distributed Virtual Port Groups (DVPG) deployment, snooping-based IP discovery (ARP/ND/DHCP) remove all IPs once the storage vMotion is started. The discovered IPs will not recover until ARP/ND/DHCP packets are seen again.
This issue occurs due to com.vmware.port.extraConfig.logicalPort.id getting cleared right after the storage vMotion is started. Discovered IPs can be consumed by Distributed Firewall and Spoofguard. Not having them might result in traffic outage and security issues. However, the issue should self recover in several minutes for ARP/ND snooping. For DHCP snooping, the issue should recover within the DHCP lease time.
Fixed Issue 3098264: Application nsx-cfgagent crashed on ESX hosts.
The application crashed alarm for nsx-cfgagent will be seen. The process restarts immediately and there is no disruption to datapath.
Fixed Issue 3097029: Mixed case Domain Names are allowed to be configured in L7 profiles of FQDN rules but the DNS server will provide the domain name in lowercase and therefore the DFW FQDN rule actions are not applied correctly.
DFW FQDN filtering does not work properly.
Fixed Issue 3096363: Certificate list was not showing “Certificate Category”. Existing “Service Certificate”: “Yes/No” information does not identify if a certificate is a Platform Certificate or a Principal Identity Certificate.
Existing information on the Certificate list was not helping to identify if a certificate is a Platform Certificate or a Principal Identity Certificate.
Fixed Issue 3094718: Different pools were not initialized, including DefaultContainerMacPoolCreator, DefaultVtepLabelPoolCreator, DefaultVniPoolCreator, DefaultMacPoolCreator.
Internal checkins were blocked.
Fixed Issue 3094267: On the standby GM, the UI shows that an object can be edited when the backend does not allow it to be edited.
You can edit the object in the UI but the changes are not saved.
Fixed Issue 3093946: NSX proxy core file "nsx-proxy-zdump.xxx" is generated on Transport Node due to memory spike.
Alarm will be generated due to the core. Workflow/Connections won't be affected post restart.
Fixed Issue: In a security only cluster, when the cluster is deleted from vCenter, the corresponding Transport Node Collection in NSX is not deleted as it is attached to a security TransportNode Profile that is created by the system. As a result, the stale TransportNode Collection remains in the system.
You will not be able to view the TransportNode Profiles present in the system using the NSX user interface.
Fixed Issue 3093699: ServiceInsertion policies cannot be removed cleanly.
You may not be able to remove Service Insertion policies after creating them.
Fixed Issue 3097982: Host installation fails with the error "Cannot complete login due to an incorrect user name or password" or multiple transport node UUIDs are created for a discovered node.
In rare scenarios, it is observed that duplicate transport node UUIDs are created resulting in transport node preparation failure.
Fixed Issue 3097815: Tier0 SR stayed in Standby on two Edge nodes because the health of the two nodes could not be compared when one of the services was configured as disabled or became disabled.
Tier0 SR would stay in Standby mode on both edges, causing traffic to be unavailable.
Fixed Issue 3091234: Blank display name and path fields in effective membership API response for CNS (Cloud native service) member.
No functional impact.
Fixed Issue 3089678: "get cluster vip" CLI is returning incorrect details of IPv6 post upgrade when VIP is switched.
Mostly a display issue. The CLI returns the wrong information; the UI shows the correct IP for the cluster VIP.
Fixed Issue 3089410: The alarm communication.manager_fqdn_lookup_failure is not triggered when the IPv6 DNS is missing, whereas the alarm is triggered when the IPv4 DNS entry is missing.
Reduced usability because an alarm could be triggered to warn the user of an incorrectly configured DNS server, but isn't triggered.
Fixed Issue 3088726: When BGP is configured over VTI interface in an active-standby edge deployment, BGP is expected to be down on standby edge node, but still an active "BGP Down" alarm is generated on standby edge node.
No functional impact. But a false "BGP Down" alarm is observed on standby edge node.
Fixed Issue 3088183: LDAP authentication may time out intermittently. This can happen when ID Firewall is configured before LDAP authentication.
Unable to log into NSX using LDAP credentials. Must use local account.
Fixed Issue 3087551: After live upgrade, discovered bindings may go missing.
Missing discovered bindings can result in DFW/Spoofguard reconfiguration, which leads to traffic outage/security issue.
Fixed Issue 3086175: MP to Policy promotion failed when NSGroup with deleted Logical Port is attempted for promotion.
This fails MP to Policy promotion.
Fixed Issue 3085547: Incorrect Assigned To count in default project UI when tag is applied to Project VMs.
The tag count is incorrectly shown on the tagging screen. This does not affect the evaluation of tag-based-groups. This should not affect the datapath.
Fixed Issue 3085259: Post upgrade NSGroup shows "is_valid": false for static VIF members.
No functional impact.
Fixed Issue 3084933: Kubernetes tools upload fails on NSX during NSX Application Platform (NAPP) deployment.
You will be unable to deploy NAPP if Kubernetes tools version is not in sync on NSX managers.
Fixed Issue 3083334: "Static routing removed" alarm is seen in syslog file on every configuration push if static route is configured.
Repeated alarms are seen in syslog.
Fixed Issue 3081451: Old and new Segments (with different Transport Zones) all show up as part of "Project Default Transport Zone."
Misleading, but no functional impact.
Fixed Issue 3080991: When trying to resolve Mismatch alarm on Edge Transport Node config Uniform PassThrough (UPT) with Appliance value, the Edge configuration at Manager is not reconciled with UPT mode.
Upgrade impact, since alarms must be resolved before upgrade.
Fixed Issue 3076743: Migration is blocked if DLR/UDLR edge appliance is not deployed.
Migration is blocked if DLR/UDLR edge appliance is not deployed.
Fixed Issue 3075122: For Linux distros, new files downloaded via browsers are not analyzed by Malware Prevention.
Files are not scanned or analyzed. No malware detection or prevention occurs.
Fixed Issue 3074887: Edge cluster create fails since Transport Node internal flow causes config state flap between SUCCESS and IN_PROGRESS.
Edge cluster create fails with error_code: 15020.
Fixed Issue 3073723: SNAT port exhaustion alarm keeps coming up on the NSX Manager when there is no problem with SNAT ports exhaustion.
No functional impact.
Fixed Issue 3072849: PSOD During vMotion of VMs when FQDN is configured.
ESXi host will reboot.
Fixed Issue 3065709: Stub creation failed for around 27 seconds, failing the script copy.
Post Check error.
Fixed Issue 3051316: After modifying the port mirror destination from the UI, it may take 5 minutes to see that it's updated.
You must wait several minutes to observe the new value.
Fixed Issue 3046093: NSX Malware Prevention reinstall progress is not shown on the dashboard UI.
Status will be up again after install/uninstall is completed. Temporarily UI cards will show status as not deployed.
Fixed Issue 3045488: Disk IO error causes the batchProcessor thread to stop.
Unable to use NSX.
Fixed Issue 3045225: Redundant transport zone shown in UI, not API.
No functional impact.
Fixed Issue 3037150: For Groups with AD, Association API was not working.
Association API not working.
Fixed Issue 3027359: File type name is truncated to 12 characters resulting in inconsistency in display of file details on UI.
No functional impact.
Fixed Issue 2996248: When BGP and BFD are enabled over VTI, the BFD status is not updated in the BGP neighbor summary.
The CLI will show status as unknown (DC). Functionality is not impacted.
Fixed Issue 2974267: When the TCP Server reuses the port from TCP TIME_WAIT state flows, and when the client starts a new TCP session with Window Scaling Option, the packets from the server are dropped when they are bigger than a certain size.
The packets from the server are dropped when they are bigger than a certain size.
Fixed Issue 2946990: Slow memory leak in auth server (/etc/init.d/proxy) for local user authentication.
APIs start slowing down.
Fixed Issue 3259119: Unable to enable HCX Mobility Optimized Networking (MON).
The logical port update fails with an "An existing transaction is still in progress" error during validation before the LogicalPort is updated.
Fixed Issue 3046183 and 3047028: After activating or deactivating one of the NSX features hosted on the NSX Application Platform, the deployment status of the other hosted NSX features changes to In Progress. The affected NSX features are NSX Network Detection and Response, NSX Malware Prevention, and NSX Intelligence.
After deploying the NSX Application Platform, activating or deactivating the NSX Network Detection and Response feature causes the deployment statuses of the NSX Malware Prevention feature and NSX Intelligence feature to change to In Progress. Similarly, activating or deactivating the NSX Malware Prevention feature causes the deployment status of the NSX Network Detection and Response feature to change to In Progress. If NSX Intelligence is activated and you activate NSX Malware Prevention, the status for the NSX Intelligence feature changes to Down and Partially up.
Fixed Issue 3108693: Project admin will not be able to configure the dns-forwarder feature from the UI.
If you are logged in as a ‘project-admin’ then T1s under project-scope are not listed in the drop-down menu on the dns-forwarder page. As a result, project-admin is not able to configure the dns-forwarder feature from UI.
Fixed Issue 3043600: The NSX Application Platform deployment fails when you use a private (non-default) Harbor repository with a self-signed certificate from a lesser-known Certificate Authority (CA).
If you attempt to deploy the NSX Application Platform using a private (non-default) Harbor repository with a self-signed certificate from a lesser-known CA, the deployment fails because the deployment job is unable to obtain the NSX Application Platform Helm charts and Docker images. Because the NSX Application Platform did not get deployed successfully, you cannot activate any of the NSX features, such as NSX Intelligence, that the platform hosts.
Fixed Issue 2949575: After one Kubernetes worker node is removed from the cluster without draining the pods on it first, the pods will be stuck in terminating status forever.
NSX Application platform and applications on it might function partially or not function as expected.
Fixed Issue 3047727: CCP did not publish updated RouteMapMsg.
Routes not intended to be published are published.
Fixed Issue 3106317: When a VNIC MAC Address is changed in the guest, the changes may not be reflected in the filters programmed to the PNIC.
Potential Performance degradation.
Fixed Issue 3083358: Controller takes a long time to join the cluster after a controller reboot.
After controller reboot, the new configurations created on NSX Manager might face realization delay as the controller may take time to start.
Fixed Issue 3106950: After reaching the DFW quota, the creation of a new VPC under the project scope fails.
You cannot create a VPC under the project where the DFW quota has been reached.
Fixed Issue 3114329: Intel QAT does not come up after Bare Metal NSX Edge installation.
Intel QuickAssist Technology (QAT) is a hardware accelerator technology designed to offload computationally intensive cryptographic and compression/decompression algorithms from the CPU to dedicated hardware. Because of this issue, you cannot use Intel QAT to improve the throughput performance of the VPN service with Bare Metal NSX Edge.
Fixed Issue 3098639: Upgrade of NSX Manager fails due to reverse-proxy/auth service's failure to enter maintenance mode during upgrade.
Upgrade failure of NSX Manager.
Fixed Issue 3121377: Purple Screen Of Death (PSOD) on ESX.
Traffic impacted due to transport node going down.
Fixed Issue 3113067: Unable to connect to NSX-T Manager after vMotion.
When upgrading NSX from a version lower than NSX 3.2.1, NSX manager VMs are not automatically added to the firewall exclusion list. As a result, all DFW rules are applied to manager VMs, which can cause network connectivity problems.
This issue does not occur in fresh deployments from NSX 3.2.2 or later versions. However, if you are upgrading from NSX 3.2.1 or earlier versions to any target version up to and including NSX 4.1.0 this issue may be encountered.
Fixed Issue 3113073: DFW rules are not getting enforced for some time after enabling lockdown mode.
Enabling lockdown mode on a transport node can cause a delay in the enforcement of DFW rules. This is because when lockdown mode is enabled on a transport node, the associated VM may be removed from the NSX inventory and then recreated. During this time gap, DFW rules may not be enforced on the VMs associated with that ESXi host.
Fixed Issue 3113076: Core dumps not generated for FRR daemon crashes.
In the event of FRR daemon crashes, core dumps are not generated by the system in the /var/dump directory. This can cause BGP to flap.
Fixed Issue 3113085: DFW rules are not applied to VM upon vMotion.
When a VM protected by DFW is vMotioned from one host to another in a Security-Only Install deployment, the DFW rules may not be enforced on the ESX host, resulting in incorrect rule classification.
Fixed Issue 3113093: Newly added hosts are not configured for security.
After the installation of security, when a new host is added to a cluster and connected to the Distributed Virtual Switch, it does not automatically trigger the installation of NSX on that host.
Fixed Issue 3113100: IP address is not realized for some VMs in the Dynamic security groups due to stale VIF entry.
If a cluster has been initially set up for Networking and Security using Quick Start, uninstalled, and then reinstalled solely for Security purposes, DFW rules may not function as intended. This is because the auto-TZ that was generated for Networking and Security is still present and needs to be removed in order for the DFW rules to work properly.
Fixed Issue 3118868: Incorrect or stale vNIC filters programmed on pNIC when overlay filters are programmed around the same time as a pNIC is enabled.
vNIC filters programmed on pNIC may be stale, incorrect, or missing when overlay filters are programmed around the same time as a pNIC is enabled, resulting in a possible performance regression.
Fixed Issue 3152195: DFW rules with Context Profiles with FQDN of type .*XYZ.com fail to be enforced.
DFW rule enforcement does not work as expected in this specific scenario.
Fixed Issue 3116294: Rule with nested group does not work as expected on hosts.
Traffic not allowed or skipped correctly.
Fixed Issue 3155845: PSOD during vMotion when FQDN filtering is configured.
ESXi host will reboot.
Fixed Issue 3163020: When the FQDN in DNS packets differs in text case with the Domain Names configured in L7 profiles of FQDN rules, the DFW FQDN rule actions are not applied correctly.
DFW FQDN rule actions are not applied correctly. DFW FQDN filtering does not work properly.
Fixed Issue 3186573: CorfuDB Data loss.
Sudden loss of some configurations. Unable to create/update some configurations.
Fixed Issue 2491800: Async Replicator channel port-certificate attributes are not periodically checked for expiry or revocation.
This could lead to using an expired/revoked certificate for an existing connection.
Fixed Issue 2877776: "get controllers" output may show stale information about controllers that are not the master when compared to the controller-info.xml file.
This CLI output is confusing.
Fixed Issue 2889482: The wrong save confirmation is shown when updating segment profiles for discovered ports.
The Policy UI allows editing of discovered ports but does not send the updated binding map for port update requests when segment profiles are updated. A false positive message is displayed after clicking Save. Segments appear to be updated for discovered ports, but they are not.
Fixed Issue 3017840: An Edge switch over doesn't happen when uplink IP address is changed.
Wrong HA state might result in blackholing of traffic.
Issue 3359454: Edge datapath may stop forwarding traffic because the epconn connection to the NSXA process is closed.
The Edge agent attempts a FW HA sync on an LS/LR that does not have HA enabled.
Workaround: Refer to KB Article 324170.
Issue 3356675: In an environment with DFW IPFIX configured, the session-established state for TCP flows may be set incorrectly.
For certain TCP flows, the session established flag was set to TRUE when it was not.
Workaround: None.
Issue 3326723: Upgrade precheck fails with Out of Memory error causing the upgrade to fail.
NSX manager upgrade is blocked.
Workaround: Contact customer support for assistance. The following steps need to be executed with the help of customer support.
1. SSH to one of the NSX Manager nodes as the 'root' user: ssh root@<ip>
2. Stop the NSX Manager proton process: /etc/init.d/proton stop
3. Run the following command: /opt/vmware/bin/corfu_tool_runner.py -t EntityBarrier -n nsx -o clearTable
4. Start the NSX Manager proton process: /etc/init.d/proton start
5. Run the NSX Manager upgrade pre-check. It should pass now.
Issue 3313729: V2T migration fails if only "NSX for vSphere - Standard" license is applied in NSX-T. This license doesn't support DFW.
Config migration fails due to license.
Workaround: None.
Issue 3305927: In NSX Federation environments, IDFW view user sessions don't return any data.
A NullPointerException error is seen while accessing some of the cluster enable/disable information. IDFW user sessions are not visible in the API/UI, but there is no impact to firewall functionality.
Workaround: None.
Issue 3290636: DFW intermittently drops TCP packets for long lived connections.
Occasional communication failure between VMs.
Workaround: None.
Issue 3266660: PSOD might occur during NSX for vSphere to NSX migration under heavy traffic load.
Migration from NSX for vSphere to NSX-T fails with PSOD error.
Workaround: To prevent a PSOD from occurring:
1) Disable DFW, migrate all VMS, then re-enable DFW.
2) Migrate from NSX-v to NSX-T version 3.2.3.1 or 4.1.0.2 and once VM migration is complete, upgrade to 4.1.1.
Issue 3109810: Intermittent FQDN rule enforcement failures.
Default rule hit.
Workaround: Increase the DNS TTL from the UI.
Issue 3340718: PSOD (purple screen of death) may occur during NSX for vSphere to NSX-T migration under heavy traffic load.
Migration from NSX for vSphere is failing with PSOD error and cannot proceed further.
Workaround: To prevent a PSOD from occurring, perform one of the following:
1) Disable DFW, migrate all VMs, then re-enable DFW.
2) Migrate from NSX for vSphere to NSX-T version 3.2.3.1 or 4.1.0.2 and, once the VM migration is complete, upgrade to 4.1.1 or later releases.
Issue 3222376: The NSX "Check Status" functionality in the LDAP configuration UI reports a failure when connecting to Windows Server 2012/Active Directory. This is because Windows 2012 only supports weaker TLS cipher suites that are no longer supported by NSX for security reasons.
Even though an error message displays, LDAP authentication over SSL works because the set of cipher suites used by the LDAP authentication code is different than the set used by the "Check Status" link.
Workaround: See knowledge base article 92869 for details.
Issue 3296976: Gateway Firewall may allow usage of unsupported Layer 7 App IDs as part of Context/L7 Access Profiles.
Refer to the following page, which lists the App IDs supported per NSX release: https://docs.vmware.com/en/NSX-Application-IDs/index.html.
Workaround: None.
Issue 3167100: New tunnel configuration takes several minutes to appear in the UI.
It takes several minutes to observe the new tunnel information after configuring the host node.
Workaround: None.
Issue 3089238: Unable to register vCenter on NSX manager after the NSX-T extension is removed from vCenter on an NSXe setup.
Unable to register vCenter on NSX Manager after removing the extension from vCenter. This disrupts communication between vCenter and the NSX Manager.
Workaround: See knowledge base article 90847.
Issue 3082587: Communication between SHA and metrics MUX fails during host name verification.
The metrics transmission fails from SHA to metrics MUX.
Workaround: See KB article 93896 for details.
Issue 3211228: At present, even if a proxy is configured, it is not used when connecting to the VMware download site to fetch upgrade bundles. This results in failure in airgap scenarios.
Setups with airgap scenarios cannot run the upload upgrade bundle API, because they need the proxy to reach the download site.
Workaround: None.
Issue 3245183: The "join CSM command" adds CSM to MP cluster, but does not add the Manager account on CSM.
It will not be possible to continue with any other CSM work unless the Manager account is added on CSM.
Workaround:
1. Run the join command without including CSM login credentials. Example:
join <manager-IP> cluster-id <MP-cluster-ID> username <MP-username> password <MP-password> thumbprint <MP-thumbprint>
2. Add NSX Manager details in CSM through the UI.
a. Go to System -> Settings.
b. Click Configure on the Associated NSX Node tile.
c. Provide NSX Manager details (username, password, and thumbprint).
Issue 3234358: The child port realization is not succeeding because it's being invoked prior to the parent port invocation.
The child port is getting realized after five minutes from the parent port realization.
Workaround: None.
Issue 3214034: Internal T0-T1 transit subnet prefix change after tier-0 creation is not supported by ESX datapath from Day 1.
In cases where a tier-1 router is created without an SR, traffic loss can happen if the transit subnet IP prefix is changed.
Workaround: Instead of changing the transit subnet IP prefix, delete and re-add the Logical Router Port with a new transit subnet IP.
Issue 3248603: NSX Manager File system is corrupted or goes into read only mode.
In the /var/log/syslog, you may see log messages similar to the log lines below.
2023-06-30T01:34:55.506234+00:00 nos-wld-nsxtmn02.vcf.netone.local kernel - - - [6869346.074509] sd 2:0:1:0: [sdb] tag#1 CDB: Write(10) 2a 00 04 af de e0 00 02 78 00
2023-06-30T01:34:55.506238+00:00 nos-wld-nsxtmn02.vcf.netone.local kernel - - - [6869346.074512] print_req_error: 1 callbacks suppressed
2023-06-30T01:34:55.506240+00:00 nos-wld-nsxtmn02.vcf.netone.local kernel - - - [6869346.074516] print_req_error: I/O error, dev sdb, sector 78634720
2023-06-30T01:34:55.513497+00:00 nos-wld-nsxtmn02.vcf.netone.local kernel - - - [6869346.075123] EXT4-fs warning: 3 callbacks suppressed
2023-06-30T01:34:55.513521+00:00 nos-wld-nsxtmn02.vcf.netone.local kernel - - - [6869346.075127] EXT4-fs warning (device dm-8): ext4_end_bio:323: I/O error 10 writing to inode 4194321 (offset 85286912 size 872448 starting block 9828828)
Appliance may not work as normal.
Workaround: See knowledge base article 330478 for details.
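The syslog lines above are the signature to watch for. The following is an added example (not part of these release notes or of any VMware tool) of detection logic that scans NSX Manager appliance syslog text for that signature: kernel block-layer I/O errors plus EXT4 write errors on the same host. The sample log text is constructed for the example, with a placeholder host name, and only mirrors the format shown above.

```python
import re
from collections import Counter

# Syslog prefix used on the appliance: "<timestamp> <host> kernel - - - [...]".
HOST_RE = re.compile(r"^\S+\s+(?P<host>\S+)\s+kernel\b")
# "print_req_error: I/O error, dev sdb, sector 78634720"
BLOCK_IO_RE = re.compile(r"I/O error, dev (?P<dev>\w+), sector (?P<sector>\d+)")
# "EXT4-fs warning (device dm-8): ext4_end_bio:323: I/O error 10 writing to inode ..."
EXT4_RE = re.compile(
    r"EXT4-fs warning \(device (?P<dev>[\w-]+)\): \S+: I/O error (?P<code>\d+)"
)


def scan_syslog(text):
    """Return {host: {"block": {dev: count}, "ext4": {dev: count}}} for every
    host that logged a block-device I/O error or an EXT4 write error.
    Non-kernel lines and kernel lines without an error are ignored."""
    per_host = {}
    for line in text.splitlines():
        h = HOST_RE.match(line)
        if not h:
            continue
        host = h.group("host")
        m = BLOCK_IO_RE.search(line)
        if m:
            entry = per_host.setdefault(host, {"block": Counter(), "ext4": Counter()})
            entry["block"][m.group("dev")] += 1
        m = EXT4_RE.search(line)
        if m:
            entry = per_host.setdefault(host, {"block": Counter(), "ext4": Counter()})
            entry["ext4"][m.group("dev")] += 1
    # Plain dicts so the result is easy to serialize or assert on.
    return {
        host: {"block": dict(v["block"]), "ext4": dict(v["ext4"])}
        for host, v in per_host.items()
    }


def hosts_to_alert(text):
    """Hosts whose disk should be checked: both a block I/O error and an EXT4
    write error were logged, the combination shown in the release note.
    (Alert threshold is an assumption of this example, not a VMware value.)"""
    summary = scan_syslog(text)
    return sorted(host for host, v in summary.items() if v["block"] and v["ext4"])


# Constructed sample syslog text (placeholder host, not real appliance output).
SAMPLE_SYSLOG = """\
2024-01-01T00:00:00.000001+00:00 nsx-mgr-01.example.test kernel - - - [100.000001] sd 2:0:1:0: [sdb] tag#1 CDB: Write(10) 2a 00 04 af de e0 00 02 78 00
2024-01-01T00:00:00.000002+00:00 nsx-mgr-01.example.test kernel - - - [100.000002] print_req_error: 1 callbacks suppressed
2024-01-01T00:00:00.000003+00:00 nsx-mgr-01.example.test kernel - - - [100.000003] print_req_error: I/O error, dev sdb, sector 78634720
2024-01-01T00:00:00.000004+00:00 nsx-mgr-01.example.test kernel - - - [100.000004] EXT4-fs warning (device dm-8): ext4_end_bio:323: I/O error 10 writing to inode 4194321 (offset 85286912 size 872448 starting block 9828828)
2024-01-01T00:00:01.000000+00:00 nsx-mgr-01.example.test kernel - - - [101.000000] print_req_error: I/O error, dev sdb, sector 78634728
2024-01-01T00:00:02.000000+00:00 nsx-mgr-01.example.test nsx-proxy - - - unrelated application log line
2024-01-01T00:00:03.000000+00:00 nsx-mgr-02.example.test kernel - - - [102.000000] print_req_error: I/O error, dev sdc, sector 1024
"""

if __name__ == "__main__":
    for host, v in scan_syslog(SAMPLE_SYSLOG).items():
        print(host, "block:", v["block"], "ext4:", v["ext4"])
    print("alert:", hosts_to_alert(SAMPLE_SYSLOG))
```

Feed the function the contents of /var/log/syslog (or the relevant section of a support bundle). A host appearing in hosts_to_alert() is one where the filesystem may already be read-only and the KB article referenced above applies; a host with block errors only (nsx-mgr-02 in the sample) is still worth a look but does not yet match the full signature.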
Issue 3250489: Certificate does not get restored properly.
Some GM functionality that requires API calls to the LM will not work.
Workaround:
1. Get the thumbprint of the fresh certificate.
2. On the GM, edit the connection settings of the LM and replace the thumbprint with the one for the fresh certificate.
Issue 3245216: In a federated setup, cross-site UI stops working intermittently.
The browser needs to be occasionally refreshed.
Workaround: Refresh the browser.
Issue 3233914: NSX reverse-proxy (due to a bug in boringssl) fails to load a certificate if its length is a multiple of 253. The certificate is of service_type CLIENT_AUTH.
NSX reverse-proxy (envoy) fails to start after a restart (including upgrade). This will cause API and UI to be inaccessible.
Workaround: Log in to NSX unified appliance and delete the certificate using command:
curl -H "x-nsx-username: admin" -X DELETE http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<cert-id>
Where cert-id is the ID of the certificate of service_type CLIENT_AUTH whose length is a multiple of 253. (The length of the certificate is counted on the pem_encoded string returned by the API /api/v1/trust-management/certificates, excluding "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".) Make sure the certificate to be deleted is of service_type CLIENT_AUTH.
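Finding the affected certificate by hand is error-prone, so the following added example (not from these release notes or from VMware) applies the rule above to the JSON returned by GET /api/v1/trust-management/certificates. It uses only the id, service_type and pem_encoded fields of each result. Because the note does not say whether line breaks inside the PEM body count toward the length, the example computes the length both with and without them and flags a certificate if either is a multiple of 253 (an assumption of this example). The sample response is constructed with dummy PEM bodies, not real certificates.

```python
import json
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_body_lengths(pem_encoded):
    """Return (length_with_newlines, length_without_newlines) of the text
    between the BEGIN and END markers of the first certificate in
    pem_encoded. Both are returned because the release note does not state
    which one the 253 rule refers to (assumption)."""
    body = pem_encoded
    if BEGIN in body:
        body = body.split(BEGIN, 1)[1]
    if END in body:
        body = body.split(END, 1)[0]
    body = body.strip()
    return len(body), len(body.replace("\r", "").replace("\n", ""))


def find_affected(certs, modulus=253):
    """certs: the 'results' list of the certificates API response.
    Returns the ids of CLIENT_AUTH certificates whose PEM body length
    (with or without line breaks) is a multiple of `modulus`."""
    hits = []
    for cert in certs:
        if str(cert.get("service_type", "")).upper() != "CLIENT_AUTH":
            continue  # the bug only concerns CLIENT_AUTH certificates
        with_nl, without_nl = pem_body_lengths(cert.get("pem_encoded", ""))
        if with_nl % modulus == 0 or without_nl % modulus == 0:
            hits.append(cert["id"])
    return hits


def affected_from_response(response_text, modulus=253):
    """Convenience wrapper for the raw JSON body of the API call."""
    return find_affected(json.loads(response_text).get("results", []), modulus)


def _fake_pem(n_body_chars):
    # Constructed placeholder: a base64-looking body of exactly n_body_chars
    # characters wrapped at 64 columns. Not a real certificate.
    lines = textwrap.wrap("A" * n_body_chars, 64)
    return BEGIN + "\n" + "\n".join(lines) + "\n" + END + "\n"


# Constructed sample: ids and bodies are dummies.
SAMPLE_CERTS = [
    {"id": "cert-affected-0001", "service_type": "CLIENT_AUTH",
     "pem_encoded": _fake_pem(253 * 3)},     # 759 chars -> multiple of 253
    {"id": "cert-ok-0002", "service_type": "CLIENT_AUTH",
     "pem_encoded": _fake_pem(1000)},        # not a multiple of 253
    {"id": "cert-api-0003", "service_type": "API",
     "pem_encoded": _fake_pem(253 * 4)},     # wrong service_type, ignored
]
SAMPLE_RESPONSE_JSON = json.dumps({"results": SAMPLE_CERTS})

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(cert["id"], cert["service_type"], pem_body_lengths(cert["pem_encoded"]))
    print("affected:", affected_from_response(SAMPLE_RESPONSE_JSON))
```

Run it against the saved output of the API call before a restart or upgrade; any id it reports is a candidate for the curl deletion command above, after confirming the service_type by eye. If pem_encoded holds a chain, only the first certificate in it is measured.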
Issue 3145013: NCP pod deletion fails because of stale LogicalPorts on NSX.
NCP pod deletion could become stuck.
Workaround: Manually clean up the stale LogicalPorts on the underlying LogicalSwitch.
Issue 3245645: The Datapath CPU usage graph on the UI does not reflect the correct values.
The Time series database values on the graph are not correct. This may impact diagnosis of high CPU usage over a period of time.
Workaround: You can use the instantaneous Datapath CPU stats shown on the left side of the graph.
Issue 3221820: User is allowed to edit the TZP ID when updating the transport node via API.
The user will not be able to make subsequent updates to the transport node.
Workaround: Contact VMware support.
Issue 3245222: NSX Manager upgrade dry run tool fails at InternalLogicalPortMigrationTask.
NSX Manager upgrade is blocked.
Workaround: Manually clean up the stale Port Profile Binding Maps and retry the upgrade dry run.
Issue 3249446: Service Insertion North South Active/Standby (HA) deployments trigger alarms even if the deployment is successful.
The alarm suggests removing the deployment even though that is not required, so users may delete working deployments for no reason.
Workaround: Ignore the alarm if the deployment is successful.
Issue 3069003: Excessive LDAP operations on customer LDAP directory service when using nested LDAP groups.
High load on LDAP directory service in cases where nested LDAP groups are used.
Workaround: For vROPS prior to 8.6, use the "admin" local user instead of an LDAP user.
Issue 3014499: Powering off an Edge that handles cross-site traffic disrupts some flows.
Some cross-site traffic stopped working.
Workaround: Power on the powered-off edge.
Issue 3010038: On a two-port LAG that serves Edge Uniform Passthrough (UPT) VMs, if the physical connection to one of the LAG ports is disconnected, the uplink will be down, but Virtual Functions (VFs) used by those UPT VMs will continue to be up and running as they get connectivity through the other LAG interface.
No impact.
Workaround: None.
Issue 2490064: Attempting to disable VMware Identity Manager with "External LB" toggled on does not work.
After enabling VMware Identity Manager integration on NSX with "External LB", if you attempt to then disable integration by switching "External LB" off, after about a minute, the initial configuration will reappear and overwrite local changes.
Workaround: When attempting to disable vIDM, do not toggle the External LB flag off; only toggle off vIDM Integration. This will cause that config to be saved to the database and synced to the other nodes.
Issue 2558576: Global Manager and Local Manager versions of a global profile definition can differ and might have an unknown behavior on Local Manager.
Global DNS, session, or flood profiles created on Global Manager cannot be applied to a local group from UI, but can be applied from API. Hence, an API user can accidentally create profile binding maps and modify global entity on Local Manager.
Workaround: Use the UI to configure system.
Issue 2838613: For ESX versions earlier than 7.0.3, NSX security functionality is not enabled on a VDS upgraded from version 6.5 to a higher version after security installation on the cluster.
NSX security features are not enabled on the VMs connected to VDS upgraded from 6.5 to a higher version (6.6+) where NSX Security on vSphere DVPortgroups feature is supported.
Workaround: After VDS is upgraded, reboot the host and power on the VMs to enable security on the VMs.
Issue 2871440: Workloads secured with NSX Security on vSphere dvPortGroups lose their security settings when they are vMotioned to a host connected to an NSX Manager that is down.
For clusters installed with the NSX Security on vSphere dvPortGroups feature, VMs that are vMotioned to hosts connected to a downed NSX Manager do not have their DFW and security rules enforced. These security settings are re-enforced when connectivity to NSX Manager is re-established.
Workaround: Avoid vMotion to affected hosts when NSX Manager is down. If other NSX Manager nodes are functioning, vMotion the VM to another host that is connected to a healthy NSX Manager.
Issue 2871585: Removal of a host from a DVS, and DVS deletion, are allowed for DVS versions earlier than 7.0.3 after the NSX Security on vSphere DVPortgroups feature is enabled on the clusters using the DVS.
You may have to resolve any issues in transport node or cluster configuration that arise from a host being removed from DVS or DVS deletion.
Workaround: None.