Category Archives: NSX

NSX Field Advisory – February 2017 Edition

Important Notes:

  • For up-to-date information on new products, patches, and fix announcements for VMware NSX for vSphere, subscribe to the following:

For up-to-date top trending NSX issues, see KB Article Trending support issues in VMware NSX for vSphere 6.x (2131154).

Your support source for up-to-date news to ensure you’re getting the most out of your VMware NSX for vSphere products.

| # | Environment Affected | Issue Summary | Work-Around |
| 1 | NSX for vSphere 6.3.0 | VMware vSphere 6.5 is currently unsupported with NSX for vSphere 6.3.0. | Use VMware vSphere 6.5a as this is the minimum supported version with NSX for vSphere 6.3.0. For more information, see KB 2148841. |
| 2 | NSX for vSphere 6.3.0 | Upgrading to NSX for vSphere 6.3.0 halts or stops when Hardware Gateway is used in the environment. | Contact VMware Support. VMware can assist on verifying your Hardware Gateway is TLS 1.2 compliant which allows the upgrade to move forward. For more information, see KB 2006985 or How to Submit a Support Request. |
| 3 | NSX for vSphere 6.1.x, 6.2.0, 6.2.1 | An upgrade from NSX for vSphere 6.1.x, 6.2.0, and 6.2.1 to NSX for vSphere 6.2.5 fails if the cipher chain list is comma (“,”) separated. | Starting with NSX for vSphere 6.2.6, the ciphers list must use a colon (“:”) instead of a comma (“,”) for separation. Ensure that this change has been made prior to upgrading to NSX for vSphere 6.2.6. |
| 4 | NSX for vSphere 6.2.4 | Relating to CVE-2016-2107, the NSX Edge OpenSSL package is not updated with 1.0.2j. | No workaround, must upgrade for fix. Starting with NSX for vSphere 6.2.6, NSX Edge OpenSSL package has been updated to 1.0.2j. |
| 5 | NSX for vSphere 6.2.4/6.2.5 | Upgrading NSX Edge fails after upgrading your environment to NSX for vSphere 6.2.5 with vSphere High Availability (HA) enabled on a cluster with insufficient resources. | Always ensure that your installation follows the best practices laid out for vSphere High Availability (HA). For more information, see KB 1002080. |
| 6 | NSX for vSphere 6.2.1 | Virtual machines configured on Logical Switches where a DHCP relay agent is configured do not obtain IP addresses. | Configure a DHCP server closer (fewer than 10 hops) to the virtual machines requesting addresses and point the DHCP relay to this server. For more information, see KB 2147322. |

GA ANNOUNCEMENT

VMware NSX for vSphere 6.2.6 and 6.3.0 were released on Thursday, February 2nd and are now available for download.

For more information, see the NSX for vSphere 6.2.6 and NSX for vSphere 6.3.0 Release Notes.

Fixed issues in NSX for vSphere 6.3.0

Things to be aware of:

  • NSX Data Security and Web Access Terminal have been removed.
  • NSX Activity Monitoring has been deprecated and has been replaced by Endpoint Monitoring.

For more information, see the NSX for vSphere 6.3.0 Release Notes.


TOP TRENDING ISSUES

Issues Affecting VMware NSX for vSphere 6.3.0

Issue #1

Symptom: What is the minimum supported version of vSphere 6.5 with NSX for vSphere 6.3.0?

Resolution: The minimum supported version of vSphere 6.5 with NSX for vSphere 6.3.0 is vSphere 6.5a. For more information, see For sites running VMware vSphere 6.5, vSphere update 6.5a is the minimum supported version with NSX for vSphere 6.3.0 (2148841).

Issue #2

Symptom: During an upgrade to VMware NSX for vSphere 6.3.0 where an HW VTEP is used in the environment, you may experience these symptoms:

  • Upgrade is halted.
  • You see an error similar to: Cannot continue upgrade due to errors: “(1)” Hardware Gateway(s) found in the system. Unable to proceed with the upgrade. Please contact VMWare Support to continue. Please correct before proceeding.

Workaround: Contact VMware Support. To contact VMware support, see Filing a Support Request in My VMware (2006985) or How to Submit a Support Request. VMware can assist in verifying your Hardware Gateway is TLS 1.2 compliant which allows the upgrade to move forward. For more information, see Upgrading to NSX for vSphere 6.3.0 fails when using Hardware Gateway (2148511).

Issues Affecting VMware NSX for vSphere 6.1.x, 6.2.0, 6.2.1

Issue #3

Symptom: If there is a cipher chain listed that is separated by commas (“,”), then upgrade from NSX for vSphere 6.1.x, 6.2.0, and 6.2.1 to NSX for vSphere 6.2.5 fails.

Resolution: Starting with NSX for vSphere 6.2.6, you can separate the ciphers with colons (“:”) instead of commas (“,”) before the upgrade.

Issues Affecting VMware NSX for vSphere 6.2.4

Issue #4

Symptom: Relating to CVE-2016-2107, the NSX Edge OpenSSL package is not updated with 1.0.2j.

Resolution: Starting with NSX for vSphere 6.2.6, NSX Edge OpenSSL package has been updated to 1.0.2j.

Issues Affecting VMware NSX for vSphere 6.2.4/6.2.5

Issue #5

Symptom: After upgrading your environment to NSX for vSphere 6.2.5 with vSphere High Availability (HA) enabled on a cluster having insufficient resources, you experience this symptom:

  • Upgrading the NSX Edge fails.

Workaround: This behavior is by design. Refer to the table below for the resource reservations used by the NSX Manager if you have not explicitly set values at the time of install or upgrade.

NSX Edge

FORM FACTOR CPU RESERVATION MEMORY RESERVATION
COMPACT 1000 MHz 512 MB
LARGE 2000 MHz 1024 MB
QUAD-LARGE 4000 MHz 2048 MB
X-LARGE 6000 MHz 8192 MB

Note: Always ensure that your installation follows the best practices laid out for vSphere High Availability (HA). For more information, see Best practices and advanced features for VMware High Availability (1002080).

Issues Affecting VMware NSX for vSphere 6.2.1

Issue #6

Symptom: When configuring DHCP relay agents on a distributed logical router in NSX for vSphere, you experience these symptoms:

  • Virtual machines configured on Logical Switches where a DHCP relay agent is configured do not obtain IP addresses.
  • The DHCP server does not receive any initial DHCP discovery packets from the relay agent.
  • DHCP discovery packets are dropped in transit due to TTL expiry.

Resolution: This issue is resolved in NSX for vSphere 6.2.5. For more information, see DHCP relay agents do not function in NSX (2147322).


VMware Recommended release

NSX for vSphere 6.2.2 is still the “bare minimum” recommended release. For more information, see Minimum recommended version for NSX for vSphere with GID, ESXi, and vCenter Server (2144295).

Note: The Guest Introspection section has been recently updated. The recommended VMware Tools version is 10.1.0 and later.


We would like to hear from you. Send us your feedback by providing comments on the Feedback Box of KB Article Trending support issues in VMware NSX for vSphere 6.x (2131154).

Thank you for helping us continually improve this communication.


NSX Field Advisory – January 2017 Edition

Important Note

Subscribe to RSS Feed http://feeds.feedburner.com/NSX for up-to-date information on new products, patches, and fix announcements for VMware NSX for vSphere.

Minimum Recommended Release

NSX for vSphere 6.2.2 and vSphere 6.0 Update 2 remain the recommended release combination. For more information, see Minimum recommended version for NSX for vSphere with GID, ESXi and vCenter Server (2144295).

GA Announcement

VMware NSX for vSphere 6.2.5 is now available for download.

Fixed issues in NSX for vSphere 6.2.5

For additional information, see the Resolved Issues section of the NSX for vSphere 6.2.5 Release Notes.

Top issues and What to do

VMware NSX for vSphere 6.1.x

Issue #1:

As of June 9, 2016 with the release of NSX for vSphere 6.1.7, the EOGS date has been extended by 3 months, to January 15th, 2017 in support of all NSX for vSphere 6.1.x versions. This is to allow customers to have time to upgrade from NSX for vSphere 6.1.7, which contains an important security patch improving input validation of the system, to the latest 6.2.x release. For recommended upgrade paths, refer to the latest NSX for vSphere 6.2 Release Notes and the VMware Interoperability Matrix. For more information, see End of General Support: VMware NSX for vSphere 6.1.x (2144769).

Issue #2:

At the moment, NO versions of NSX for vSphere 6.x are compatible with vSphere 6.5. For up-to-date information, see the VMware Interoperability Matrix. Also, see Update sequence for vSphere 6.5 and its compatible VMware products (2147289).

NSX for vSphere 6.2.4

Issue #1:

Symptom: High volume of MAC learning table updates with NSX L2 Bridge and LACP may lead to out of memory condition.

Workaround: Avoid setting a flow-based hashing algorithm on the physical switch when using LACP. Instead, pin MAC addresses to the same uplinks or change the policy to source-MAC. For more information, see Netcpa stops running on an ESXi host that runs a Bridging DLR VM (2147181).

Issue #2:

Symptom: Attempts to edit interfaces of vCNS or vShield 5.5.x Edges fail on NSX 6.1.5 and later releases.

Workaround: If you encounter this issue, file a support request with VMware Support and quote this Knowledge Base article ID (2148444) in the problem description. For more information, see:

Issue #3:

Symptom: NSX SSL-VPN clients fail to connect.

Workaround:

  1. Navigate to EDGE > Client configuration > Disable Auto reconnect.
  2. Disable the SSL VPN service.
  3. Enable the SSL VPN service.

For more information, see NSX SSL-VPN clients fails to connect (2148389).

Note: Alternatively, do not use the Enable Auto reconnect option for SSL-VPN Clients.

Issue #4:

Symptom: When there are firewall rules defined in the Security Policies through Service Composer, the order of the DFW rules changes unexpectedly when published.

Workaround: Synchronize the Firewall Config through the NSX Security Policy User Interface.

  1. Log in to the vCenter Server using the vSphere Web Client.
  2. Navigate to Networking and Security > Service Composer > Security Policies.
  3. Select the Actions
  4. Select Synchronize Firewall Config. The rules should be corrected in their original order.

Note: To avoid this issue, do not use the Filter in the NSX User Interface (UI) when publishing firewall rules. For more information, see DFW rules change order unexpectedly when published (2146471).

NSX Field Advisory – December 2016 Edition

IMPORTANT NOTE

Subscribe to RSS Feed http://feeds.feedburner.com/NSX for up-to-date information on new products, patches, and fix announcements for VMware NSX for vSphere.

Minimum Recommended Release:

Top issues and What to Do:

VMware NSX for vSphere 6.2.4

Issue #1:

TLS v1.0 has been deprecated in NSX for vSphere 6.2.4. This is the default on the NSX Edge, which can break interoperability with back-end servers, including VMware vRealize Automation. The Load Balancer must be configured with a monitor extension value of ssl-version=10. For more information, see TLSv1 and SSLv3 support in NSX-V 6.2.4 (2147293).

Issue #2:

After upgrade to NSX for vSphere 6.2.4, service profile with PAN is deleted. PAN v7.1.0 requires “Service Profile Zone for NSX” checkbox to create service profile on NSX.

Note: For more information, contact Palo Alto Networks Support.

Key Points:

 

 

VMware NSX for vSphere 6.1.X, vSphere 6.2.X

Issue #1:

In an environment with multiple VMware vCenter Servers with multiple NSX managers, you experience this symptom:

  • When selecting one or more NSX Manager from the vSphere Web Client > Networking and Security > Installation > Host Preparation, you see this error:

Could not establish communication with NSX Manager. Please contact administrator.

If you are planning to upgrade only one NSX Manager in a vCenter Linked Mode environment, see Upgrading a single NSX Manager in a vCenter Linked Mode Environment (2127061).

Issue #2:

After upgrade of NSX for vSphere 6.1.x to 6.2.4, you see this symptom:

  • NTLM authentication of an application through the NSX Load Balancer fails

If you use the “No” option http-server-close application rule, contact VMware Support. For more information, see How to file a Support Request in My VMware (2006985) and NTLM authentication through the NSX Load Balancer fails after upgrade (2147496).

VMware NSX for vSphere 6.1.X

Issue #1:

Virtual machines lose network connectivity after vMotion under the following conditions:

  • Distributed Firewall (DFW) is enabled in the environment and;
  • The NSX for vSphere setup was upgraded from an NSX-V 6.1.x release to the NSX-V 6.2.3 and 6.2.4 releases, and virtual machines are later migrated between upgraded ESXi hosts.
  • When a virtual machine is migrated from an upgraded host to a non-upgraded host.

 

If you are upgrading from NSX for vSphere 6.1.x, see KB Article “Failed to restore PF state : Limit exceeded” error after NSX upgrade (2146171).

NSX for vSphere Field Advisory – October 2016 Edition

For more information, see the NSX for vSphere 6.2.4 Release Notes on all issues listed below.

A security vulnerability was found in the OpenSSL version used in VMware NSX for vSphere 6.2.4. For more information, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107.

** Reminder – vShield Endpoint Update **

VMware has announced the End of Availability (EOA) and End of General Support (EOGS) of VMware vCloud Networking and Security 5.5.x. The EOGS date for VMware vCloud Networking and Security 5.5.x is September 19, 2016.  For customers using vCNS Manager specifically to manage vShield Endpoint for agentless anti-virus, Technical Guidance is available until March 31, 2017. For more information, see End of Availability and End of General Support for VMware vCloud Networking and Security 5.5.x (2144733).

Consult the VMware Compatibility Guide for Endpoint partner solution certification status before upgrading. If your preferred solution is not yet certified, please contact that vendor.

Installation and Upgrade Known Issues

Issue 1728633 – Starting in NSX 6.2.3, a third VIB, esx-vdpi, is provided along with the esx-vsip and esx-vxlan NSX VIBs.  A successful installation will include all three VIBs. 

Issue 1730017: Upgrades from 6.2.3 to 6.2.4 do not show a version change for Guest Introspection.

  • As the 6.2.3 Guest Introspection module is the latest version available, the version after a 6.2.4 upgrade remains unchanged. Note that upgrades from earlier NSX releases may show a version change to 6.2.4. This issue does not affect any functionality.

NSX 6.2.4 virtual machines lose network connectivity (2146171)

  • Virtual machines lose network connectivity after vMotion under the following conditions:
    • Distributed Firewall (DFW) is enabled in the environment and;
    • The NSX for vSphere setup was upgraded from an NSX-V 6.1.x release to the NSX-V 6.2.3 and 6.2.4 releases, and virtual machines are later migrated between upgraded ESXi hosts.
  • For more information, see KB 2146171 for the workaround.

NSX Manager Known Issues

Fixed issue 1489648: NSX is unavailable from the vSphere Web Client Plug-in after taking a backup of NSX Manager with quiesced snapshot

  • Note following important points about NSX backup and restore:
    • Backup/restore functionality provided by NSX is the only supported way to backup/restore the NSX Manager.
    • Taking a snapshot of the NSX Manager with vSphere is a supported operation. However, VMware does not currently test or support any third party tool that takes snapshot of the NSX Manager.
    • Restoring the NSX Manager from snapshot (taken in any way) is not supported.

See also Issue 1708769 and Increased latency on SVM (Service VM) after snapshot in NSX (2146769). There is no need to snapshot an SVM as it does not need to move or be replicated.

Security Services Known Issues

Issue 1718726: Cannot force-sync Service Composer after a user has manually deleted the Service Composer’s policy section using DFW REST API

  • In a cross-vCenter NSX environment, a user’s attempt to force sync NSX Service Composer configuration will fail if there was only one policy section and that policy section (the Service Composer-managed policy section) was deleted earlier via a REST API call.
  • Workaround: Do not delete the Service Composer-managed policy section via a REST API call. (Note that the UI already prevents deletion of this section).

Issue 1707931: Order of distributed firewall rules changes when service policies defined in Service Composer are present, and a firewall rule is modified or published with a filter applied in the Firewall UI

  • Changing the order, adding or deleting service policies created in Service Composer after one or more publish operations are made from the Networking & Security > Firewall UI will cause the order of firewall rules to change and may result in unintended consequences.

Issue 1717635: Firewall configuration operation fails if more than one cluster is present in environment and changes are done in parallel 

  • In an environment with multiple clusters, if two or more users modify the firewall configuration continuously in a tight loop (for example, Add/Delete sections or rules), some operations fail.

Issue 1732337/1724222: NSX Manager fails to push firewall rules to ESXi 6.0 P03 host

  • NSX Manager fails to push firewall rules to ESXi 6.0 P03 host, and NSX Edge health check fails as vsfwd connection is closed. This is a known issue affecting VMware NSX for vSphere 6.2.x with ESXi 6.0 P03 (Build 4192238). This issue occurs when /dev/random call is blocked which affects NSX operation on password generation.
  • Workaround: Contact VMware technical support. For more information, see vsfwd connection to the NSX Manager fails (2146873).

Issue 1620460: NSX fails to prevent users from creating rules in Service Composer rules section

  • In the vSphere Web Client, the Networking and Security: Firewall interface fails to prevent users from adding rules to the Service Composer rules section. Users should be permitted to add rules above/below the Service Composer section, but not inside it.
  • Workaround: Do not use the “+” button at the global rule level to add rules to the Service Composer rules section.

Issue 1682552: Threshold events for CPU/Memory/CPS for Distributed Firewall (DFW) are not reported

  • Even when the DFW thresholds for CPU/Memory/CPS are set for reporting, the threshold events are not reported when the thresholds are crossed.
  • Workaround:
    • Log in to each ESXi host and restart the DFW control plane process by running the following command:

      /etc/init.d/vShield_Stateful_Firewall restart

    • Verify the status using the following command:

      /etc/init.d/vShield_Stateful_Firewall status

    • A result similar to the following is displayed:

      “vShield-Stateful-Firewall is running”

Note: Be cautious when performing this operation, because it pushes all DFW rules to all the filters again. If there are a lot of rules, it might take some time to enforce them on all the filters.

Logical Networking Known Issues and NSX Edge Known Issues

Issue 1704540 – High volume of MAC learning table updates with NSX L2 bridge and LACP may lead to out of memory condition

  • When an NSX L2 bridge sees a MAC address on a different uplink, it reports a MAC learning table change to controllers through the netcpa process. Networking environments with LACP will learn the same MAC address on multiple interfaces, resulting in a very high volume of table updates and potentially exhausting the memory needed by the netcpa process to do the reporting.
  • Workaround – Avoid setting a flow-based hashing algorithm on the physical switch when using LACP. Instead, pin MAC addresses to the same uplinks or change the policy to source-MAC.

Issue 1717369 – When configured in HA mode, both active and standby Edge VMs may be deployed on the same host.

  • This issue results from anti-affinity rules not being created and applied on the vSphere hosts automatically during redeploy and upgrade operations.  This issue will not be seen when HA is being enabled on existing Edge.
  • In NSX releases with a fix for this issue, the following is the expected behavior:
    • When vSphere HA is enabled, anti-affinity rules for Edge VMs of an HA pair will be created during redeploy, upgrade.
    • When vSphere HA is disabled, anti-affinity rules for Edge VMs of an HA pair will not be created.

Issue 1716545 – Changing appliance size of Edge does not affect standby Edge’s CPU and Memory reservation

  • Only the first Edge VM created as part of an HA pair is assigned the reservation settings.
  • Workaround: To configure the same CPU/Memory reservation on both Edge VMs:
    1) Use the PUT API https://<NSXManager>/api/4.0/edgePublish/tuningConfiguration to set explicit values for both Edge VMs.
    or
    2) Disable and re-enable Edge HA, which will delete the second Edge VM and redeploy a new one with the default reservations.

Issue 1510724: Default routes do not populate on hosts after creating a new Universal Distributed Logical Router (UDLR)

  • After changing NSX Manager from Standalone to Primary mode for the purpose of configuring Cross-vCenter in NSX for vSphere 6.2.x, you may experience these symptoms:
  • When you create a new UDLR, the default routes are not populated on the host instance.
  • Routes are populated on the UDLR Control VM but not on the host instance.
  • Running the show logical-router host host-ID dlr Edge-ID route command fails to show default routes.
  • Workaround: For information on how to recover from this issue, see Default routes do not populate on the hosts after creating a new UDLR (2145959).

Issue 1733146 – Under certain conditions, creating or modifying LIFs for a Universal DLR fails when no control VM exists

  • This issue is known to manifest under the following conditions:
    1. ECMP with two static default routes.
    2. Static routes with local egress flag.
  • This issue results from a full synchronization being requested instead of a delta update, resulting in the rejection of duplicate entities and a failed operation.
  • See the release notes for a workaround.

NSX Edge Load Balancer accepts only approved ciphers as of 6.2.3. 

  • In earlier releases, customer-defined ciphers are supported for ClientSSL and ServerSSL.
  • NSX 6.2.3 introduced an approved ciphers list:
    • DEFAULT(‘!aNULL:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH’)
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES256-SHA
    • ECDHE-ECDSA-AES256-SHA
    • ECDH-ECDSA-AES256-SHA
    • ECDH-RSA-AES256-SHA
    • AES256-SHA
    • AES128-SHA
    • DES-CBC3-SHA
  • Note the following expected behaviors:
  1. The cipher value will be reset to “DEFAULT” if the cipher is null, empty, or not in approved ciphers suite.
  2. Ciphers included in the approved ciphers suite are passed to the Edge.
  3. When upgrading from a pre-6.2.3 release, a cipher value which is null/empty or not in approved ciphers suite will be reset to “DEFAULT”.
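
A pre-upgrade audit for the two cipher behaviors described in these advisories (the comma versus colon separator from Issue #3 of the February 2017 edition, and the approved-cipher reset listed above), as an added example that is not VMware code. The profile names, the `clientSsl`/`serverSsl` keys and the cipher values are constructed sample data; treating a multi-cipher value as approved only when every entry is approved, and flagging 3DES, are assumptions of this example rather than statements from the advisory.

```python
"""Pre-upgrade audit of NSX Edge load balancer cipher values (added example)."""
import re
from dataclasses import dataclass, field

# Approved values exactly as listed in the advisory for NSX 6.2.3 and later.
APPROVED = frozenset({
    "DEFAULT",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-ECDSA-AES256-SHA",
    "ECDH-ECDSA-AES256-SHA",
    "ECDH-RSA-AES256-SHA",
    "AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
})

# Approved, but 3DES (64-bit block cipher). This flag is the example's own
# addition, not part of the advisory.
LEGACY_64BIT_BLOCK = frozenset({"DES-CBC3-SHA"})

# Hypothetical keys for the ClientSSL and ServerSSL cipher settings.
SIDES = ("clientSsl", "serverSsl")


@dataclass
class CipherAudit:
    configured: str   # value as found in the profile
    normalized: str   # colon-separated form to set before upgrading
    effective: str    # value expected to reach the Edge once normalized
    findings: list = field(default_factory=list)


def audit_cipher_value(value):
    """Audit one cipher value against the separator and approved-list rules.

    Assumption: a multi-cipher value is passed through only if every entry
    is approved; otherwise it is treated like a single unapproved cipher
    and reset to DEFAULT.
    """
    raw = (value or "").strip()
    findings = []
    if "," in raw:
        findings.append("comma-separated list: change the separator to ':' before upgrading")
    tokens = [t.strip() for t in re.split(r"[,:]", raw) if t.strip()]
    normalized = ":".join(tokens)
    if not tokens:
        findings.append("null or empty value: will be reset to DEFAULT")
        return CipherAudit(raw, normalized, "DEFAULT", findings)
    rejected = [t for t in tokens if t not in APPROVED]
    if rejected:
        findings.append("not in approved list (%s): will be reset to DEFAULT"
                        % ", ".join(rejected))
        return CipherAudit(raw, normalized, "DEFAULT", findings)
    for token in tokens:
        if token in LEGACY_64BIT_BLOCK:
            findings.append("%s is approved but uses 3DES: consider removing it" % token)
    return CipherAudit(raw, normalized, normalized, findings)


def audit_profiles(profiles):
    """Return (profile, side, CipherAudit) for every setting that needs attention."""
    rows = []
    for name, settings in profiles.items():
        for side in SIDES:
            result = audit_cipher_value(settings.get(side))
            if result.findings:
                rows.append((name, side, result))
    return rows


# Constructed sample input: application profile name -> cipher settings.
SAMPLE_PROFILES = {
    "web-https": {
        "clientSsl": "ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384",
        "serverSsl": "AES256-SHA",
    },
    "legacy-app": {"clientSsl": "RC4-SHA:AES128-SHA", "serverSsl": ""},
    "vra": {"clientSsl": "DEFAULT", "serverSsl": "DES-CBC3-SHA"},
}

if __name__ == "__main__":
    for name, side, result in audit_profiles(SAMPLE_PROFILES):
        print("%s/%s: configured=%r effective=%r" % (name, side, result.configured, result.effective))
        for finding in result.findings:
            print("    - " + finding)
```
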

NSX Controller Issues

Data path issues for VNIs with disconnected NSX Controller (2146973)

  • Symptoms – NSX controller shows as disconnected in the vSphere Web Client, leading to data path issues for VNIs handled by the disconnected controller.
  • This issue occurs because IPSec re-keying is disabled in NSX-V 6.1.5, 6.1.6, 6.2, 6.2.1 and 6.2.2 releases to avoid hitting another known IPSec issue.

General Issues

NSX API now returns XML output by default when Accept header is not provided

Beginning in NSX 6.2.3, if the “Accept:” header is not provided in a REST API call, then the default formatting of NSX API return values is XML. Previously the NSX API returned JSON-formatted output by default. To receive JSON-formatted output, the API user must explicitly set “application/json” in the “Accept:” header when calling the function.

** How to track the top field issues **

VMware NSX for vSphere 6.2.4 now available

VMware has made NSX for vSphere 6.2.4 available for download. NSX 6.2.4 provides critical bug fixes identified in previous releases, and 6.2.4 delivers a security patch for CVE-2016-2079, which is a critical input validation vulnerability for sites that use NSX SSL VPN.

  • For customers who use SSL VPN, VMware strongly recommends a review of CVE-2016-2079 and an upgrade to NSX 6.2.4.
  • For customers who have installed NSX 6.2.3 or 6.2.3a, VMware recommends installing NSX 6.2.4 to address critical bug fixes.

Caution: Before upgrading, consult the NSX 6.2.4 Release Notes available from the NSX Documentation Center and Recommended minimum version for NSX for vSphere with GID, ESXi, and vCenter Server (2144295).

Critical Alert on 6.2.3 and 6.2.3a for DLR users: For more information, see “Fixed issue 1703913: NSX DLR HA nodes remain in a split-brain state” in the NSX for vSphere 6.2.4 Release Notes and VMware Knowledge Base article NSX 6.2.3 DLR HA nodes remain in a split brain state (2146506). This issue will occur after approximately 24 days of BFD uptime and will continue to reoccur every 24 days.

Customers who are using 6.2.3 or 6.2.3a are strongly advised to review KB 2146506, review how to prevent or remediate the issue, and plan to upgrade to NSX 6.2.4.

vShield Endpoint Update

VMware has announced the End of Availability (EOA) and End of General Support (EOGS) of VMware vCloud Networking and Security 5.5.x. The EOGS date for VMware vCloud Networking and Security 5.5.x is September 19, 2016.  For customers using vCNS Manager specifically to manage vShield Endpoint for agentless anti-virus, Technical Guidance is available until March 31, 2017. For more information, see End of Availability and End of General Support for VMware vCloud Networking and Security 5.5.x (2144733).

For more information on additional partner solution availability, see Implementation of VMware vShield Endpoint beyond vCloud Networking and Security End of Availability (EOA) (2110078).

Note: Consult the VMware Compatibility Guide for Endpoint partner solution certification status before upgrading.  If your preferred solution is not yet certified, contact that vendor.

How to track the top field issues

NSX for vSphere Field Advisory – July 2016 Edition

This blog has been updated to reflect new information as it was provided. Changes are marked with an *.

VMware NSX for vSphere 6.2.3 Update

  • NSX for vSphere 6.2.3 has an issue that can affect both new NSX customers as well as customers upgrading from previous versions of NSX. The NSX for vSphere 6.2.3 release has been pulled from distribution. The current version available is NSX for vSphere 6.2.2, which is the VMware minimum recommended release. Refer to KB 2144295. VMware is actively working towards releasing the next version to replace NSX for vSphere 6.2.3. *
  • VMware NSX for vSphere version 6.2.3 delivered a security patch to address a known SSL VPN security vulnerability (CVE-2016-2079). This issue may allow a remote attacker to gain access to sensitive information. Customers who use SSL VPN are strongly advised to review CVE-2016-2079 and contact VMware support to request immediate assistance. For questions or concerns, contact VMware Support. *
  • The next version of NSX for vSphere contains fixes for bugs that have been found in NSX 6.2.3.
  • Customers who have already upgraded to 6.2.3 are advised to review the following  KB articles:
    • VMware knowledge base article 2146227, VMs using Distributed Firewall (DFW) and Security Groups (SG) may experience connectivity issues. A workaround is available*
    • VMware knowledgebase article 2146293, Virtual machines lose network connectivity in NSX 6.2.x. *
    • VMware Knowledgebase article 2146413, VMs lose network connectivity in NSX with DLR HA. *

Critical Alert for Edge DLR users on NSX 6.2.3 and 6.2.3a *

  • NSX 6.2.3 DLR HA nodes remain in a split brain state (2146506) *
    • A new issue has been identified that can cause both primary and secondary HA nodes to enter an Active state, causing network disruption.
    • This issue will occur after approximately 24 days of BFD uptime and will continue to reoccur every 24 days.
    • Customers who are using NSX-V 6.2.3 or 6.2.3a are strongly advised to review KB 2146506, review how to prevent or remediate the issue and plan to upgrade to the next version of NSX.

For questions or concerns, contact VMware Support. To contact VMware support, see Filing a Support Request in My VMware (2006985) or How to Submit a Support Request.

Top NSX for vSphere issues for July 2016

NSX for vSphere 6.2.3 other new and changed issues

Notes:

  • vCloud Director 8.0.1 is now interop-tested and supported with NSX 6.2.3.  For more information, see the VMware Interoperability Matrix
  • VMware is working actively with anti-virus solution partners to influence completion of their certification testing efforts with both NSX 6.2.2 and 6.2.3.  For more information, see the VMware Compatibility Guide (VCG)

Other trending issues

Known interoperability issues during upgrade to NSX for vSphere 6.2.3

Note: VMware vSphere 6.0 supports VIB downloads over port 443 (instead of port 80). This port is opened and closed dynamically. The intermediate devices between the ESXi hosts and vCenter Server must allow traffic using this port.

How to track Top Field Issues

NSXv License Versions

In NSX 6.2.2 VMware introduced 3 different license editions: Standard, Advanced, and Enterprise. These license editions allow you to align NSX with your company’s use case.

Standard Edition: Automates IT workflows, bringing agility to the data center network and reducing network operating costs and complexity.

Advanced Edition: Standard Edition plus a fundamentally more secure data center with micro-segmentation. Helps secure the data center to the highest levels, while automating IT provisioning of security.

Enterprise Edition: Advanced Edition plus networking and security across multiple domains. Enables the data center network to extend across multiple sites and connect to high-throughput physical workloads.

If you are an existing NSX customer the upgrade to 6.2.4 will not impact your license type and components you are entitled to.

For vCNS customers you can upgrade to NSX, however when doing so you will get an Endpoint for NSX only license. You can enable the additional features by purchasing the NSX license that fits your business requirements.

License Capacity Usage

NSX capacity usage calculation method only reports for clusters prepared and enabled with DFW and VXLAN. CPU count is number of CPUs (sockets) of all prepared hosts. VM count and Concurrent Users is the count of all powered on VMs in the cluster. This VM count does not include system VMs (service VMs, partner VMs, edge appliances etc).

NSX usage is reported correctly under the NSX Manager in NSX vSphere Webclient Plugin. Please note under license management in VC the NSX license will report Usage as ZERO.

vShield Endpoint License in NSX 6.2.4

vShield Endpoint is a component of vCloud Network and Security (vCNS). This component allows you to offload antivirus and anti-malware agent processing to a dedicated secure virtual appliance. With the release of NSX 6.2.4 the default license is NSX for vShield Endpoint, allowing you to manage your vShield Endpoint environment with NSX. Customers who purchased vSphere with vShield Endpoint (Essential Plus and above) will be able to download NSX. This means that NSX will appear on the vSphere download site, just like vCNS does today. To ensure customers do not use any other unlicensed NSX features (e.g. VXLAN, DFW, Edge services), the license key will have hard enforcement to prevent NSX host preparation and block Edge creation. If you require an evaluation license key, please request this through VMware sales.

 

Log Insight License in NSX 6.2.2 and above

VMware vRealize Log Insight 3.3.2 for NSX provides intelligent log analytics for NSX. Log Insight provides monitoring and troubleshooting capabilities and customizable dashboards for network virtualization, flow analysis, and alerts. The 3.3.2 version of Log Insight accepts NSX Standard/Advanced/Enterprise edition license keys issued for NSX 6.2.2 and above. This means you will have an enterprise level Log Insight license for every license of NSX.


Top 20 NSX articles for June 2016

Here is our Top 20 NSX articles list for June 2016. This list is ranked by the number of times a VMware Support Request was resolved by following the steps in a published Knowledge Base article.

  1. NSX is unavailable from the vSphere Web Client Plug-in after taking a backup of NSX Manager with quiesced snapshot
  2. vCenter Server 6.0 restart/reboot results in duplicate VTEPs on VXLAN prepared ESXi hosts
  3. NSX Edge is unmanageable after upgrading to NSX 6.2.3
  4. vCenter Server or Platform Services Controller certificate validation error for external VMware Solutions in vSphere 6.0
  5. vSphere Web Client performance is slow when using NSX Manager
  6. Installing VXLAN Agent fails with ESX Agent Manager displaying the error: Agent VIB module not installed
  7. Troubleshooting vSphere ESX Agent Manager (EAM) with NSX
  8. Oracle connections time out when forwarded through the VMware NSX for vSphere 6.1.x Edge
  9. NSX Controller becomes isolated or disconnects intermittently
  10. Licensing VMware vSphere 5.5.x/6.0.x and VMware NSX for vSphere 6.x
  11. vCenter Server access gets blocked after creating a Deny All rule in NSX Distributed Firewall (DFW)
  12. No Flow Records displayed in NSX Manager flow monitoring
  13. VMware NSX Manager virtual appliance installation fails with the error: Operation timed out
  14. Registering NSX Manager to Lookup Service with External Platform Service Controller (PSC) fails with the error: server certificate chain not verified
  15. In VMware NSX for vSphere 6.x, modifying an NSX Transport zone through the vSphere Web Client (add/edit/delete/connect/disconnect) fails with the error: Internal server error has occurred
  16. When adding a previously provisioned ESXi host to a cluster in VMware NSX for vSphere 6.1.x, the cluster status for VXLAN displays an error: Error Unconfigure
  17. Migration of Service VM (SVM) may cause ESXi host issues in VMware NSX for vSphere 6.x
  18. NSX User Interface (UI) is grayed out for several seconds and exhibits slow performance on NSX for vSphere 6.2.0
  19. Slow VMs after upgrading VMware tools in NSX / vCloud Networking and Security
  20. NSX Edge logs show Memory Overloaded warnings

NSX for vSphere Field Advisory – June 2016 Edition

End of General Support for VMware NSX for vSphere 6.1.x has been extended by 3 months to January 15th, 2017. This is to allow customers to have time to upgrade from NSX for vSphere 6.1.7, which contains an important security patch improving input validation of the system, to the latest 6.2.x release. For recommended upgrade paths, refer to the latest NSX for vSphere 6.2 Release Notes and the VMware Interoperability Matrix.

Migration of Service VM (SVM) may cause ESXi host issues in VMware NSX for vSphere 6.x (2141410). See also the CAUTION statement in the 6.2.3 Administration Guide.

Do not migrate the Service VM (SVM) manually (vMotion/SvMotion) to another ESXi host in the cluster.
The latest versions of vSphere 5.5 and 6.0 inhibit vMotion migration. However, storage vMotion is not blocked, and such movement may lead to unpredictable results on the destination host.

vCenter Server 6.0 restart/reboot results in duplicate VTEPs on VXLAN prepared ESXi hosts (2144605). The NSX-side update to protect against this issue is available in 6.2.3. This issue will be resolved fully in a future version of vCenter.

Top Issues:

Important new and changed KBs with NSX for vSphere 6.2.3. For more information, see Troubleshooting VMware NSX for vSphere 6.x (2122691).

Important new and changed documentation with NSX for vSphere 6.2.3 – see the NSX Documentation Center

How to track the top field issues

New and updated KB articles for NSX for vSphere 6.2.3

We’ve just released the bits for NSX for vSphere 6.2.3 and thought all of you making the upgrade would want to be on top of all the ins and outs of this release.

Here is a list of new and/or updated articles in our Knowledgebase:
NSX for vSphere 6.2.3   |   Released 09 June 2016   |   Build 3979471

Of course, do not miss the release notes, which can be found here: NSX for vSphere 6.2.3 Release Notes