VMware has made NSX for vSphere 6.2.4 available for download. NSX 6.2.4 provides critical bug fixes for issues identified in previous releases and delivers a security patch for CVE-2016-2079, a critical input validation vulnerability affecting sites that use NSX SSL VPN.
- For customers who use SSL VPN, VMware strongly recommends a review of CVE-2016-2079 and an upgrade to NSX 6.2.4.
- For customers who have installed NSX 6.2.3 or 6.2.3a, VMware recommends installing NSX 6.2.4 to address critical bug fixes.
Caution: Before upgrading, consult the NSX 6.2.4 Release Notes available from the NSX Documentation Center and Recommended minimum version for NSX for vSphere with GID, ESXi, and vCenter Server (2144295).
Critical Alert on 6.2.3 and 6.2.3a for DLR users: For more information, see “Fixed issue 1703913: NSX DLR HA nodes remain in a split-brain state” in the NSX for vSphere 6.2.4 Release Notes and VMware Knowledge Base article NSX 6.2.3 DLR HA nodes remain in a split brain state (2146506). This issue will occur after approximately 24 days of BFD uptime and will continue to recur every 24 days.
Customers who are using 6.2.3 or 6.2.3a are strongly advised to review KB 2146506, review how to prevent or remediate the issue, and plan to upgrade to NSX 6.2.4.
vShield Endpoint Update
VMware has announced the End of Availability (EOA) and End of General Support (EOGS) of VMware vCloud Networking and Security 5.5.x. The EOGS date for VMware vCloud Networking and Security 5.5.x is September 19, 2016. For customers using vCNS Manager specifically to manage vShield Endpoint for agentless anti-virus, Technical Guidance is available until March 31, 2017. For more information, see End of Availability and End of General Support for VMware vCloud Networking and Security 5.5.x (2144733).
For more information on additional partner solution availability, see Implementation of VMware vShield Endpoint beyond vCloud Networking and Security End of Availability (EOA) (2110078).
Note: Consult the VMware Compatibility Guide for Endpoint partner solution certification status before upgrading. If your preferred solution is not yet certified, contact that vendor.
How to track the top field issues
This blog has been updated to reflect new information as it was provided. Changes are marked with an *.
VMware NSX for vSphere 6.2.3 Update
- NSX for vSphere 6.2.3 has an issue that can affect both new NSX customers as well as customers upgrading from previous versions of NSX. The NSX for vSphere 6.2.3 release has been pulled from distribution. The current version available is NSX for vSphere 6.2.2, which is the VMware minimum recommended release. Refer to KB 2144295. VMware is actively working towards releasing the next version to replace NSX for vSphere 6.2.3 *
- VMware NSX for vSphere version 6.2.3 delivered a security patch to address a known SSL VPN security vulnerability (CVE-2016-2079). This issue may allow a remote attacker to gain access to sensitive information. Customers who use SSL VPN are strongly advised to review CVE-2016-2079 and contact VMware support to request immediate assistance. For questions or concerns, contact VMware Support. *
- The next version of NSX for vSphere contains fixes for bugs that have been found in NSX 6.2.3.
- Customers who have already upgraded to 6.2.3 are advised to review the following KB articles:
  - VMware Knowledge Base article 2146227, VMs using Distributed Firewall (DFW) and Security Groups (SG) may experience connectivity issues. A workaround is available. *
  - VMware Knowledge Base article 2146293, Virtual machines lose network connectivity in NSX 6.2.x. *
  - VMware Knowledge Base article 2146413, VMs lose network connectivity in NSX with DLR HA. *
Critical Alert for Edge DLR users on NSX 6.2.3 and 6.2.3a *
- NSX 6.2.3 DLR HA nodes remain in a split brain state (2146506) *
  - A new issue has been identified that can cause both the primary and secondary HA nodes to enter an Active state, causing network disruption.
  - This issue will occur after approximately 24 days of BFD uptime and will continue to recur every 24 days.
  - Customers who are using NSX-V 6.2.3 or 6.2.3a are strongly advised to review KB 2146506, review how to prevent or remediate the issue, and plan to upgrade to the next version of NSX.
For questions or concerns, contact VMware Support. To contact VMware support, see Filing a Support Request in My VMware (2006985) or How to Submit a Support Request.
Top NSX for vSphere issues for July 2016
NSX for vSphere 6.2.3 other new and changed issues
- vCloud Director 8.0.1 is now interop-tested and supported with NSX 6.2.3. For more information, see the VMware Interoperability Matrix.
- VMware is working actively with anti-virus solution partners to influence completion of their certification testing efforts with both NSX 6.2.2 and 6.2.3. For more information, see the VMware Compatibility Guide (VCG).
Other trending issues
Known interoperability issues during upgrade to NSX for vSphere 6.2.3
Note: VMware vSphere 6.0 supports VIB downloads over port 443 (instead of port 80). This port is opened and closed dynamically. The intermediate devices between the ESXi hosts and vCenter Server must allow traffic using this port.
End of General Support for VMware NSX for vSphere 6.1.x has been extended by 3 months to January 15th, 2017. This is to allow customers to have time to upgrade from NSX for vSphere 6.1.7, which contains an important security patch improving input validation of the system, to the latest 6.2.x release. For recommended upgrade paths, refer to the latest NSX for vSphere 6.2 Release Notes and the VMware Interoperability Matrix.
Migration of Service VM (SVM) may cause ESXi host issues in VMware NSX for vSphere 6.x (2141410). See also the CAUTION statement in the 6.2.3 Administration Guide.
Do not migrate the Service VM (SVM) manually (vMotion/SvMotion) to another ESXi host in the cluster.
The latest versions of vSphere 5.5 and 6.0 inhibit vMotion migration. However, storage vMotion is not blocked, and such movement may lead to unpredictable results on the destination host.
vCenter Server 6.0 restart/reboot results in duplicate VTEPs on VXLAN prepared ESXi hosts (2144605). The NSX-side update to protect against this issue is available in 6.2.3. This issue will be resolved fully in a future version of vCenter.
Important new and changed documentation with NSX for vSphere 6.2.3 – see the NSX Documentation Center
VMware is actively working to address a recently discovered issue wherein an incremental backup becomes a full backup when backing up Windows 2008 (or higher) virtual machines with a VSS-based application-quiesced snapshot.
This recent CBT (Changed Block Tracking) issue does not cause any data loss or data corruption.
This issue is well understood and VMware engineering is actively working on a fix.
For more details on this issue and the latest status on resolution, please refer to the KB article: After upgrading to ESXi 6.0 Build 3825889, incremental virtual machine backups effectively run as full backups when application consistent quiescing is enabled (2145895).
Subscribe to the RSS feed for the KB article by using this link to ensure you do not miss any updates.
Our NSX support team would like all of our customers to know about important KB updates for NSX for vSphere issues.
Here’s what’s new and trending:
Important: Upgrades from NSX for vSphere 6.1.6 to 6.2.2 are not supported.
See KB 2145543 NSX Controller upgrade fails with the error: 409 (Conflict); invoking error handler.
vCloud Networking and Security will reach End of Availability and End of General Support on September 19, 2016.
NEW! See our first NSX KBTV YouTube video: https://youtu.be/5pSNfnk1_MA
vShield Endpoint and vCNS End Of Availability (EOA) – See:
KB 2105558 Support for partner integrations with VMware vShield Endpoint and VMware vCloud Networking and Security.
KB 2110078 Implementation of VMware vShield Endpoint beyond vCloud Networking and Security End of Availability (EOA).
Future releases of NSX for vSphere 6.2.x will enable customers to manage vShield Endpoint from NSX Manager. Customers who purchased vSphere with vShield Endpoint will be able to download NSX.
NSX for vSphere 6.1.x will reach End of General Support on October 15, 2016.
NEW! VMware has extended the End of General Support date to three years after GA for NSX for vSphere 6.2.x only. The VMware Lifecycle Product Matrix now reflects this change.
New and Important issues:
KB 2144551 Configuring a default gateway on the DLR in NSX fails
KB 2144605 vCenter 6.0 restart/reboot may result in duplicate VTEPs on VXLAN prepared ESX hosts.
KB 2143998 NSX Edge virtual machines do not failover during a vSphere HA event
KB 2145571 NSX Edge fails to power on when logging all ACCEPT firewall rules
KB 2145468 NSX Edge uplink interface does not process any traffic after it is disabled and re-enabled in ECMP environment
KB 2139067 Shutdown/Startup order of the NSX for vSphere 6.x environment after a maintenance window or a power outage. Please refer to the updated sequence for a cross VC environment.
KB 2145447 NetX/Service Instance filter created in vCNS disappears after upgrading to NSX
KB 2145322 NSX Edge logs show Memory Overloaded warnings
KB 2144901 Unexpected TCP interruption on TCP sessions during Edge High Availability (HA) failover in VMware NSX for vSphere 6.2.x
KB 2145273 Troubleshooting DLR using NSX Central CLI
KB 2145359 Pings fail between two VMs on different hosts across a logical switch