VMware NSX 4.1.2.3 | 12 MAR 2024 | Build 23382408
Check for additions and updates to these release notes.
NSX 4.1.2.3 is an update release that comprises bug fixes and security updates. See "Resolved Issues" below for the list of issues resolved in this release. See the VMware NSX 4.1.2 Release Notes for the list of new features introduced in NSX 4.1.2 and for the current known issues.
Support for Solution License for VMware Cloud Foundation (VCF)
Starting with NSX 4.1.2.3, NSX Networking is part of a single solution license for VCF.
For more information on the VCF Solution License, see the VMware Cloud Foundation 5.1.1 Release Notes.
VMware NSX now accepts entitlements through vCenter Server for VMware Cloud Foundation (VCF). Rather than requiring separate license keys, VMware NSX uses the vSphere keys associated with VCF for entitlement after the key is applied to vCenter Server. Upon vCenter Server registration, VMware NSX automatically recognizes the entitlement.
Support for older licenses will continue. However, if the vSphere 8 Enterprise Plus for VMware Cloud Foundation License Key is applied to the vCenter Server, NSX will receive entitlement from this vCenter Server.
Support for New Add-on License Keys
NSX 4.1.2.3 adds support for new “VMware Firewall”, “VMware Firewall with Advanced Threat Prevention”, and “VMware Advanced Threat Prevention” license keys introduced in May 2024. These keys are accepted via the VMware NSX Manager licensing UI/API, and require a prerequisite of the Solution License for VCF (i.e. license key named “vSphere 8 Enterprise Plus for VCF”). See Current NSX Feature Entitlement for specific functions by edition.
For details, see the NSX Administration Guide.
Change in NSX Product Download Location
The download location for the NSX product has changed.
Log in to the Downloads page on the Broadcom Support portal at https://support.broadcom.com/group/ecx/downloads.
On the My Downloads page, go to the required division, either VMware Cloud Foundation or Application Networking and Security. Depending on your license type, you can find your purchased NSX SKU listed under VMware Cloud Foundation or Application Networking and Security.
Click the product name and release number to download the required file.
For more information, see the Knowledge Base article.
For compatibility and system requirements information, see the VMware Product Interoperability Matrices and the NSX Installation Guide.
For instructions about upgrading NSX components, see the NSX Upgrade Guide.
Customers upgrading to this release are recommended to run the NSX Upgrade Evaluation Tool before starting the upgrade process. The tool is designed to ensure success by checking the health and readiness of your NSX Managers prior to upgrading. The tool is integrated into the Upgrade workflow, before you begin upgrading the NSX Managers.
NSX has been localized into multiple languages: English, German, French, Japanese, Simplified Chinese, Korean, Traditional Chinese, Italian, and Spanish. Because NSX localization utilizes the browser language settings, ensure that your settings match the desired language.
Revision Date | Edition | Changes
---|---|---
Mar 12, 2024 | 1 | Initial edition
May 06, 2024 | 2 | Updated "What's New" section
Fixed Issue 3353346: L7 Datapath daemon (nsx-vdpi) fails and restarts, resulting in L7 rule enforcement failures.
Traffic drop/rule enforcement failures during L7 datapath restart interval.
Fixed Issue 3347628: Host logs overrun by login attempts in hosts with SmartNICs.
Host logs flooded with logging for login/logout. This issue is applicable for all SmartNIC supported ESXi versions (ESXi 8.0 and later).
Fixed Issue 3347307: In security-only deployments, the logical segments and segment ports may be subject to deletion under certain conditions.
This issue can occur when two clusters sharing a distributed virtual switch (DVS) have NSX installed on one cluster, but not the other. When the cleanup task is triggered on the cluster without NSX, it mistakenly identifies the transport node profile and transport zone of the NSX-prepared cluster as stale and attempts to delete them, along with their associated segments and segment ports.
Fixed Issue 3347231: Cannot paste a copied rule if a rule is copied from DFW rules filtered by Policy Name.
The user cannot paste a copied rule when the filter is applied. There is no major impact on customers as this is more about usability.
Fixed Issue 3346877: If the segment IPv6 gateway has a subnet prefix which is not a multiple of 8, the prefix advertised in the route advertisement (RA) is wrong.
A VM connected to an NSX segment whose IPv6 prefix is not a multiple of 8 can see wrong routes in its routing table if it is configured to accept RA.
Fixed Issue 3346178: High CPU utilization in CBM component on Unified Appliance.
This issue can cause sluggish responsiveness for APIs and the user interface.
Fixed Issue 3342709: Connectivity issue when HCX NE VM that extends vSphere DVPG and a regular MAC learning workload VM exist together on the same ESX host switch.
A connectivity issue occurs upon vMotion of an HCX NE VM extending a vSphere DVPG, or when a broadcast packet comes through that NE VM (for example, due to vMotion of workload VMs or GARPs sent from those VMs on different sites). Because the HCX NE VM extending the vSphere DVPG uses a forged TX + SINK port configuration internally, the source MAC of those broadcast packets from the NE VM can end up being learned from the uplink, after which connectivity can be lost due to a bug.
Fixed Issue 3340736: Drop in ESX packet performance between NSX 3.x and 4.x when running ESX 7.0 versions prior to ESX 7.0U3P6.
Customers may see increased latency or increased CPU utilization with NSX 4.x and ESX 7.0.
Fixed Issue 3340718: PSOD may occur during NSX for vSphere to NSX-T migration under heavy traffic load.
Migration from NSX for vSphere is failing with PSOD error and cannot proceed further.
Fixed Issue 3337897: After NSX Manager rolling upgrade, transport nodes may be unable to connect to CCP because of handshake failure.
Users may find some transport nodes unable to connect to CCP post rolling upgrade.
Fixed Issue 3337811: Usage of "0.0.0.0" and "::" in IP Sets or NS Groups can cause role evaluation failure.
A DFW rule that uses a group containing 0.0.0.0 or :: does not work. This impacts Datapath and group membership/association APIs.
Fixed Issue 3336818: Cfgagent process on ESX host runs out of memory after 90 days and fails due to IP Reputation configuration related auto updates.
Customers will experience the application failure alarm. The watchdog ensures that the process is restarted immediately upon failure. There is no interruption to traffic as this only impacts configuration changes.
Fixed Issue 3332181: Using “::/0” in IPSets or NSGroup leads to group evaluation failure.
The DFW rule containing the NSGroup fails to evaluate correctly, resulting in traffic hitting incorrect firewall rules.
Fixed Issue 3331716: Failure during the upload of K8s tool from local disk.
Customers will be unable to upload tools from local disk.
Fixed Issue 3331580: Spurious alarms generated for IDPS.
IDPS engine is reported as down when it is running properly.
Fixed Issue 3331052: After upgrading, NSX 4.1.1 is unable to start because of duplicate features present in custom role.
NSX 4.1.1 will be down.
Fixed Issue 3323384: Edge Dataplane failure during collection of support bundle.
Edge failover occurs.
Fixed Issue 3323383: NSX for vSphere to NSX-T import of TCP flows results in state being marked as CLOSED:CLOSED and flow timeout reset to 30 seconds.
Traffic will continue to hit this active flow as expected. The flow timeout, however, has been reset to 30 seconds, instead of the standard 43200 seconds. Depending on the application and traffic pattern, a premature timeout may cause problems.
Fixed Issue 3323382: NSX for vSphere to NSX-T vMotion import can produce host PSOD if imported data contains layer7 attributes.
There is an incompatibility in the expected record format of imported attribute data between NSX for vSphere and NSX-T. If an NSX-T host tries to apply the imported data, a PSOD is likely to occur.
Fixed Issue 3316958: Intermittent FQDN rule enforcement failures.
dfwpacket log shows that the expected FQDN rule is not always hit and the packets hit the default rule sometimes. This happens when domains which are not configured get the same IP.
Fixed Issue 3315299: Firewall rules apply to the NSX Edge or a VM despite being added to the DFW exclusion list.
When either the InternalFirewallExcludeList entry or the InternalDfwFirewallConfiguration entries are missing, the ConfigSpanMsg for DISTRIBUTED_FIREWALL is empty, which disrupts the normal functionality of the firewall exclude list or NSX Edges.
Fixed Issue 3314455: PSOD in hosts with ESX 7.0U3 when Enhanced Data Path or Enhanced Network Stack is enabled.
ESX will fail with PSOD due to improper flow cache processing.
Fixed Issue 3314381: Dataplane core dump with Mellanox NIC.
The customer experiences the Edge being unavailable for packet forwarding until the dataplane has been restarted.
Fixed Issue 3314380: When traffic contains a mix of packets with VLAN priority set, TX drops may occur when using Mellanox NICs on a bare metal NSX Edge.
Traffic drop may cause application issues. If BFD packets are dropped, tunnels may flap.
Fixed Issue 3311962: Unable to view firewall rules statistics, such as hit counts and session counts, from the UI.
This happens only when an ALB appliance is deployed in the environment, which creates another enforcement point, alb-endpoint; the rule statistics API call from the UI then uses alb-endpoint in addition to the default enforcement point.
Fixed Issue 3311943: DFW intermittently drops TCP packets for long lived connections.
Occasional communication failure between VMs with DFW filter counters showing packets are dropped with "state mismatch" reason.
Fixed Issue 3310208: 403 error codes seen in the NSX Manager's access log for vRA calls.
vRA not working as expected due to 403 error codes returned from the NSX Manager.
Fixed Issue 3310159: Stateless rule hit count is not incrementing for IPv6 traffic.
The hit counter on the dashboard stays zero for the rule.
Fixed Issue 3307620: Adding a cluster fails with a "failed to realize transport node" error.
If the TNC is being realized just after the compute manager is updated, TNC realization can fail with ComputeManagerNotRegisteredException.
Fixed Issue 3293669: In a teaming setup, more vNICs requesting RSS than there are RSS Engines.
A PSOD can result if there's a mix of Shared and Dedicated RSS requests. In rare cases this could even be hit with more Dedicated RSS requests than RSS Engines.
Fixed Issue 3290376: Out-of-order packet issue in enhanced data path (EDP) with sharedRSS used.
With EDP, out-of-order packets can be observed when an Edge VM transmits packets if pNIC NetQ shared RSS is used. For TCP, there can be retransmissions. For UDP, packets can be dropped depending on applications.