
Tag Archives: NSX

NSX Field Advisory – January 2017 Edition

Important Note

Subscribe to RSS Feed http://feeds.feedburner.com/NSX for up-to-date information on new products, patches, and fix announcements for VMware NSX for vSphere.

Minimum Recommended Release

NSX for vSphere 6.2.2 and vSphere 6.0 Update 2 remains the recommended release combination. For more information, see Minimum recommended version for NSX for vSphere with GID, ESXi and vCenter Server (2144295).

GA Announcement

VMware NSX for vSphere 6.2.5 is now available for download.

Fixed issues in NSX for vSphere 6.2.5

For additional information, see the Resolved Issues section of the NSX for vSphere 6.2.5 Release Notes.

Top issues and What to do

VMware NSX for vSphere 6.1.x

Issue #1:

As of June 9, 2016 with the release of NSX for vSphere 6.1.7, the EOGS date has been extended by 3 months, to January 15th, 2017 in support of all NSX for vSphere 6.1.x versions. This is to allow customers to have time to upgrade from NSX for vSphere 6.1.7, which contains an important security patch improving input validation of the system, to the latest 6.2.x release. For recommended upgrade paths, refer to the latest NSX for vSphere 6.2 Release Notes and the VMware Interoperability Matrix. For more information, see End of General Support: VMware NSX for vSphere 6.1.x (2144769).

Issue #2:

At the moment, NO versions of NSX for vSphere 6.x are compatible with vSphere 6.5. For up-to-date information, see the VMware Interoperability Matrix. Also, see Update sequence for vSphere 6.5 and its compatible VMware products (2147289).

NSX for vSphere 6.2.4

Issue #1:

Symptom: High volume of MAC learning table updates with NSX L2 Bridge and LACP may lead to out of memory condition.

Workaround: Avoid setting a flow-based hashing algorithm on the physical switch when using LACP. Instead, pin MAC addresses to the same uplinks or change the policy to source-MAC. For more information, see Netcpa stops running on an ESXi host that runs a Bridging DLR VM (2147181).

Issue #2:

Symptom: Attempts to edit interfaces of vCNS or vShield 5.5.x Edges fail on NSX 6.1.5 and later releases.

Workaround: If you encounter this issue, file a support request with VMware Support and quote this Knowledge Base article ID (2148444) in the problem description. For more information, see:

Issue #3:

Symptom: NSX SSL-VPN clients fail to connect.

Workaround:

  1. Navigate to EDGE > Client configuration > Disable Auto reconnect.
  2. Disable the SSL VPN service.
  3. Enable the SSL VPN service. For more information, see NSX SSL-VPN clients fails to connect (2148389).

Note: Alternatively, do not use the Enable Auto reconnect option for SSL-VPN Clients.

Issue #4:

Symptom: When firewall rules are defined in the Security Policies through Service Composer, the DFW rule order changes unexpectedly when published.

Workaround: Synchronize the Firewall Config through the NSX Security Policy User Interface.

  1. Log in to the vCenter Server using the vSphere Web Client.
  2. Navigate to Networking and Security > Service Composer > Security Policies.
  3. Select the Actions
  4. Select Synchronize Firewall Config. The rules should be corrected in their original order.

Note: To avoid this issue, do not use the Filter in the NSX User Interface (UI) when publishing firewall rules. For more information, see DFW rules change order unexpectedly when published (2146471).

Top 20 NSX articles for November 2016

Here is our Top 20 NSX articles list for November 2016. This list is ranked by the number of times a VMware Support Request was resolved by following the steps in a published Knowledge Base article.

  1. “The pending transaction requires xxx MB free space” error when installing VIBs
  2. Downloading and enabling VMware vShield Endpoint 5.x on supported VMware vSphere platforms
  3. Update sequence for vSphere 6.5 and its compatible VMware products
  4. Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products
  5. “Agent VIB module not installed” when installing VXLAN Agent using VUM
  6. Licensing NSX for vSphere 6.x
  7. vCenter Server or Platform Services Controller certificate validation error for external VMware Solutions in vSphere 6.0
  8. Important information before upgrading to vSphere 6.0
  9. Troubleshooting NSX for vSphere 6.x Distributed Firewall (DFW)
  10. Troubleshooting NSX Edge High Availability (HA) issues
  11. Data path issues for VNIs with disconnected NSX Controller
  12. Collecting diagnostic information for VMware NSX for vSphere 6.x
  13. Network Port requirements for VMware NSX for vSphere 6.x
  14. Changing the VXLAN teaming policy and MTU settings in VMware vCloud Networking and Security 5.5.x and NSX for vSphere 6.x
  15. Adding Chained Certificates to VMware NSX for vSphere 6.x Edge
  16. Windows virtual machines using the vShield Endpoint TDI Manager or NSX Network Introspection Driver (vnetflt.sys) driver fails with a blue diagnostic screen
  17. NSX Controller disconnected or isolates intermittently
  18. Understanding and troubleshooting Message Bus in VMware NSX for vSphere 6.x
  19. Internal server error when modifying an NSX Transport zone
  20. Licensing VMware vSphere 5.5.x/6.0.x and VMware NSX for vSphere 6.x

NSX Field Advisory – December 2016 Edition

IMPORTANT NOTE

Subscribe to RSS Feed http://feeds.feedburner.com/NSX for up-to-date information on new products, patches, and fix announcements for VMware NSX for vSphere.

Minimum Recommended Release:

Top issues and What to Do:

VMware NSX for vSphere 6.2.4

Issue #1:

TLS v1.0 has been deprecated in NSX for vSphere 6.2.4. This is the default on the NSX Edge, which can break interoperability with back-end servers, including VMware vRealize Automation. The Load Balancer must be configured with a monitor extension value of ssl-version=10. For more information, see TLSv1 and SSLv3 support in NSX-V 6.2.4 (2147293).

Issue #2:

After upgrade to NSX for vSphere 6.2.4, service profile with PAN is deleted. PAN v7.1.0 requires “Service Profile Zone for NSX” checkbox to create service profile on NSX.

Note: For more information, contact Palo Alto Networks Support.

Key Points:

 

 

VMware NSX for vSphere 6.1.X, vSphere 6.2.X

Issue #1:

In an environment with multiple VMware vCenter Servers with multiple NSX managers, you experience this symptom:

  • When selecting one or more NSX Manager from the vSphere Web Client > Networking and Security > Installation > Host Preparation, you see this error:

Could not establish communication with NSX Manager. Please contact administrator.

If you are planning to upgrade only one NSX Manager in a vCenter Linked Mode environment, see Upgrading a single NSX Manager in a vCenter Linked Mode Environment (2127061).

Issue #2:

After upgrade of NSX for vSphere 6.1.x to 6.2.4, you see this symptom:

  • NTLM authentication of an application through the NSX Load Balancer fails

If you use the “No” option http-server-close application rule, contact VMware Support. For more information, see How to file a Support Request in My VMware (2006985) and NTLM authentication through the NSX Load Balancer fails after upgrade (2147496).

VMware NSX for vSphere 6.1.X

Issue #1:

Virtual machines lose network connectivity after vMotion under the following conditions:

  • Distributed Firewall (DFW) is enabled in the environment; and
  • The NSX for vSphere setup was upgraded from an NSX-V 6.1.x release to the NSX-V 6.2.3 and 6.2.4 releases, and virtual machines are later migrated between upgraded ESXi hosts.
  • When a virtual machine is migrated from an upgraded host to a non-upgraded host.

 

If you are upgrading from NSX for vSphere 6.1.x, see the KB article “Failed to restore PF state : Limit exceeded” error after NSX upgrade (2146171).

Top 20 NSX articles for October 2016

Here is our Top 20 NSX articles list for October 2016. This list is ranked by the number of times a VMware Support Request was resolved by following the steps in a published Knowledge Base article.

  1. vsfwd connection to the NSX Manager fails
  2. vCenter Server or Platform Services Controller certificate validation error for external VMware Solutions in vSphere 6.0
  3. “The pending transaction requires xxx MB free space” error when installing VIBs
  4. vCenter Server certificate validation error for external solutions in environments with Embedded Platform Services Controller
  5. Upgrading VMware vCNS 5.5.x to NSX 6.2.x
  6. Important information before upgrading to vSphere 6.0
  7. Installing VXLAN Agent fails with ESX Agent Manager displaying the error: Agent VIB module not installed
  8. Collecting diagnostic information for VMware NSX for vSphere 6.x
  9. Troubleshooting vShield Endpoint / NSX Guest Introspection
  10. Network connectivity issues after upgrade in NSX/VCNS environment
  11. Changing the VMware NSX for vSphere 6.x License from virtual machine to CPU
  12. Windows virtual machines using the vShield Endpoint TDI Manager or NSX Network Introspection Driver (vnetflt.sys) driver fails with a blue diagnostic screen
  13. Troubleshooting IPSec VPN in NSX for vSphere 6.x
  14. Troubleshooting NSX for vSphere 6.x Distributed Firewall (DFW)
  15. Licensing VMware vSphere 5.5.x/6.0.x and VMware NSX for vSphere 6.x
  16. NSX is unavailable from the vSphere Web Client Plug-in
  17. vCNS to NSX upgrade Fails
  18. DHCP relay agents do not function in NSX
  19. Build number on the VMware vCenter Server Summary tab does not update after adding a patch to VMware vShield Manager/NSX Manager
  20. Management Interface Guide: DLR Control VM – NSX

NSX for vSphere Field Advisory – October 2016 Edition

For more information, see the NSX for vSphere 6.2.4 Release Notes on all issues listed below.

A security vulnerability was found in the version of OpenSSL used in VMware NSX for vSphere 6.2.4. For more information, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107.

** Reminder – vShield Endpoint Update **

VMware has announced the End of Availability (EOA) and End of General Support (EOGS) of VMware vCloud Networking and Security 5.5.x. The EOGS date for VMware vCloud Networking and Security 5.5.x is September 19, 2016.  For customers using vCNS Manager specifically to manage vShield Endpoint for agentless anti-virus, Technical Guidance is available until March 31, 2017. For more information, see End of Availability and End of General Support for VMware vCloud Networking and Security 5.5.x (2144733).

Consult the VMware Compatibility Guide for Endpoint partner solution certification status before upgrading. If your preferred solution is not yet certified, please contact that vendor.

Installation and Upgrade Known Issues

Issue 1728633 – Starting in NSX 6.2.3, a third VIB, esx-vdpi, is provided along with the esx-vsip and esx-vxlan NSX VIBs.  A successful installation will include all three VIBs. 

Issue 1730017: Upgrades from 6.2.3 to 6.2.4 do not show a version change for Guest Introspection.

  • As the 6.2.3 Guest Introspection module is the latest version available, the version after a 6.2.4 upgrade remains unchanged. Note that upgrades from earlier NSX releases may show a version change to 6.2.4. This issue does not affect any functionality.

NSX 6.2.4 virtual machines lose network connectivity (2146171)

  • Virtual machines lose network connectivity after vMotion under the following conditions:
    • Distributed Firewall (DFW) is enabled in the environment; and
    • The NSX for vSphere setup was upgraded from an NSX-V 6.1.x release to the NSX-V 6.2.3 and 6.2.4 releases, and virtual machines are later migrated between upgraded ESXi hosts.
  • For more information, see KB 2146171 for the workaround.

NSX Manager Known Issues

Fixed issue 1489648: NSX is unavailable from the vSphere Web Client Plug-in after taking a backup of NSX Manager with quiesced snapshot

  • Note following important points about NSX backup and restore:
    • Backup/restore functionality provided by NSX is the only supported way to backup/restore the NSX Manager.
    • Taking a snapshot of the NSX Manager with vSphere is a supported operation. However, VMware does not currently test or support any third party tool that takes snapshot of the NSX Manager.
    • Restoring the NSX Manager from snapshot (taken in any way) is not supported.

See also Issue 1708769 and Increased latency on SVM (Service VM) after snapshot in NSX (2146769). There is no need to snapshot an SVM as it does not need to move or be replicated.

Security Services Known Issues

Issue 1718726: Cannot force-sync Service Composer after a user has manually deleted the Service Composer’s policy section using DFW REST API

  • In a cross-vCenter NSX environment, a user’s attempt to force sync NSX Service Composer configuration will fail if there was only one policy section and that policy section (the Service Composer-managed policy section) was deleted earlier via a REST API call.
  • Workaround: Do not delete the Service Composer-managed policy section via a REST API call. (Note that the UI already prevents deletion of this section).

Issue 1707931: Order of distributed firewall rules changes when service policies defined in Service Composer are present, and a firewall rule is modified or published with a filter applied in the Firewall UI

  • Changing the order, adding or deleting service policies created in Service Composer after one or more publish operations are made from the Networking & Security > Firewall UI will cause the order of firewall rules to change and may result in unintended consequences.

Issue 1717635: Firewall configuration operation fails if more than one cluster is present in environment and changes are done in parallel 

  • In an environment with multiple clusters, if two or more users modify the firewall configuration continuously in a tight loop (for example, Add/Delete sections or rules), some operations fail.

Issue 1732337/1724222: NSX Manager fails to push firewall rules to ESXi 6.0 P03 host

  • NSX Manager fails to push firewall rules to ESXi 6.0 P03 host, and NSX Edge health check fails as the vsfwd connection is closed. This is a known issue affecting VMware NSX for vSphere 6.2.x with ESXi 6.0 P03 (Build 4192238). This issue occurs when the /dev/random call is blocked, which affects NSX operation during password generation.
  • Workaround: Contact VMware technical support. For more information, see vsfwd connection to the NSX Manager fails (2146873).

Issue 1620460: NSX fails to prevent users from creating rules in Service Composer rules section

  • In the vSphere Web Client, the Networking and Security: Firewall interface fails to prevent users from adding rules to the Service Composer rules section. Users should be permitted to add rules above/below the Service Composer section, but not inside it.
  • Workaround: Do not use the “+” button at the global rule level to add rules to the Service Composer rules section.

Issue 1682552: Threshold events for CPU/Memory/CPS for Distributed Firewall (DFW) are not reported

  • Even when the DFW thresholds for CPU/Memory/CPS are set for reporting, the threshold events are not reported when the thresholds are crossed.
  • Workaround:
    • Log in to each ESXi host and restart the DFW control plane process by running the following command:

/etc/init.d/vShield_Stateful_Firewall restart

    • Verify the status using the following command:

/etc/init.d/vShield_Stateful_Firewall status

    • A result similar to the following is displayed:

“vShield-Stateful-Firewall is running”

Note: Be cautious when performing this operation, as it pushes all DFW rules to all the filters again. If there are a lot of rules, it might take some time to enforce them on all the filters.

Logical Networking Known Issues and NSX Edge Known Issues

Issue 1704540 – High volume of MAC learning table updates with NSX L2 bridge and LACP may lead to out of memory condition

  • When an NSX L2 bridge sees a MAC address on a different uplink, it reports a MAC learning table change to controllers through the netcpa process. Networking environments with LACP will learn the same MAC address on multiple interfaces, resulting in a very high volume of table updates and potentially exhausting the memory needed by the netcpa process to do the reporting.
  • Workaround – Avoid setting a flow-based hashing algorithm on the physical switch when using LACP. Instead, pin MAC addresses to the same uplinks or change the policy to source-MAC.

Issue 1717369 – When configured in HA mode, both active and standby Edge VMs may be deployed on the same host.

  • This issue results from anti-affinity rules not being created and applied on the vSphere hosts automatically during redeploy and upgrade operations.  This issue will not be seen when HA is being enabled on existing Edge.
  • In NSX releases with a fix for this issue, the following is the expected behavior:
    • When vSphere HA is enabled, anti-affinity rules for Edge VMs of an HA pair will be created during redeploy, upgrade.
    • When vSphere HA is disabled, anti-affinity rules for Edge VMs of an HA pair will not be created.

Issue 1716545 – Changing appliance size of Edge does not affect standby Edge’s CPU and Memory reservation

  • Only the first Edge VM created as part of an HA pair is assigned the reservation settings.
  • Workaround: To configure the same CPU/Memory reservation on both Edge VMs:
    1) Use the PUT API https://<NSXManager>/api/4.0/edgePublish/tuningConfiguration to set explicit values for both Edge VMs.
    or
    2) Disable and re-enable Edge HA, which will delete the second Edge VM and redeploy a new one with the default reservations.

Issue 1510724: Default routes do not populate on hosts after creating a new Universal Distributed Logical Router (UDLR)

  • After changing NSX Manager from Standalone to Primary mode for the purpose of configuring Cross-vCenter in NSX for vSphere 6.2.x, you may experience these symptoms:
  • When you create a new UDLR, the default routes are not populated on the host instance.
  • Routes are populated on the UDLR Control VM but not on the host instance.
  • Running the show logical-router host host-ID dlr Edge-ID route command fails to show default routes.
  • Workaround: For information on how to recover from this issue, see Default routes do not populate on the hosts after creating a new UDLR (2145959).

Issue 1733146 – Under certain conditions, creating or modifying LIFs for a Universal DLR fails when no control VM exists

  • This issue is known to manifest under the following conditions:
    1. ECMP with two static default routes.
    2. Static routes with local egress flag.
  • This issue results from a full synchronization being requested instead of a delta update, resulting in the rejection of duplicate entities and a failed operation.
  • See the release notes for a workaround.

NSX Edge Load Balancer accepts only approved ciphers as of 6.2.3. 

  • In earlier releases, customer-defined ciphers are supported for ClientSSL and ServerSSL.
  • NSX 6.2.3 introduced an approved ciphers list:
    • DEFAULT(‘!aNULL:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH’)
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES256-SHA
    • ECDHE-ECDSA-AES256-SHA
    • ECDH-ECDSA-AES256-SHA
    • ECDH-RSA-AES256-SHA
    • AES256-SHA
    • AES128-SHA
    • DES-CBC3-SHA
  • Note the following expected behaviors:
  1. The cipher value will be reset to “DEFAULT” if the cipher is null, empty, or not in approved ciphers suite.
  2. Ciphers included in the approved ciphers suite are passed to the Edge.
  3. When upgrading from a pre-6.2.3 release, a cipher value which is null/empty or not in approved ciphers suite will be reset to “DEFAULT”.
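
A pre-upgrade check for the reset behavior listed above, as an added example (not VMware's code): it reads a load balancer configuration and reports every ClientSSL/ServerSSL cipher value that would not survive as configured. The XML element names and the sample profiles are assumptions constructed for illustration, and because the advisory does not say how colon-separated cipher lists are treated, those are reported as `verify` instead of being guessed.

```python
import xml.etree.ElementTree as ET

# Approved values exactly as listed in the advisory for NSX 6.2.3 and later.
APPROVED = (
    "DEFAULT",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-ECDSA-AES256-SHA",
    "ECDH-ECDSA-AES256-SHA",
    "ECDH-RSA-AES256-SHA",
    "AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
)

# Constructed sample input. The element names (loadBalancer, applicationProfile,
# clientSsl, serverSsl, ciphers) are assumptions, not taken from the advisory.
SAMPLE_CONFIG = """
<loadBalancer>
  <applicationProfile>
    <name>web-legacy</name>
    <clientSsl><ciphers>RC4-SHA</ciphers></clientSsl>
  </applicationProfile>
  <applicationProfile>
    <name>web-gcm</name>
    <clientSsl><ciphers>ECDHE-RSA-AES128-GCM-SHA256</ciphers></clientSsl>
    <serverSsl><ciphers></ciphers></serverSsl>
  </applicationProfile>
  <applicationProfile>
    <name>web-multi</name>
    <clientSsl><ciphers>ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256</ciphers></clientSsl>
  </applicationProfile>
  <applicationProfile>
    <name>web-default</name>
    <clientSsl><ciphers>DEFAULT</ciphers></clientSsl>
  </applicationProfile>
</loadBalancer>
"""


def classify(value):
    """Return 'kept', 'reset' or 'verify' for one configured cipher value.

    'reset' follows the advisory: null, empty, or not in the approved list.
    'verify' marks a colon-separated list whose entries are all approved;
    the advisory does not state how such lists are handled.
    """
    if value is None or not value.strip():
        return "reset"
    value = value.strip()
    if value in APPROVED:
        return "kept"
    parts = value.split(":")
    if len(parts) > 1 and all(part in APPROVED for part in parts):
        return "verify"
    return "reset"


def audit(xml_text):
    """List (profile, side, configured_value, status) for every value not 'kept'."""
    findings = []
    root = ET.fromstring(xml_text)
    for profile in root.iter("applicationProfile"):
        name = profile.findtext("name", default="<unnamed>")
        for side in ("clientSsl", "serverSsl"):
            section = profile.find(side)
            if section is None:
                continue  # this profile does not terminate or originate SSL on that side
            raw = section.findtext("ciphers")  # None when the element is absent
            status = classify(raw)
            if status != "kept":
                findings.append((name, side, (raw or "").strip(), status))
    return findings


if __name__ == "__main__":
    for name, side, configured, status in audit(SAMPLE_CONFIG):
        shown = configured if configured else "<empty>"
        print(f"{name:12} {side:10} {status:7} configured={shown}")
```

A `reset` finding means the Edge will run with the DEFAULT cipher string after the upgrade, so any restriction the custom value was meant to enforce should be re-expressed with an approved value beforehand.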

NSX Controller Issues

Data path issues for VNIs with disconnected NSX Controller (2146973)

  • Symptoms – NSX controller shows as disconnected in the vSphere Web Client, leading to data path issues for VNIs handled by the disconnected controller.
  • This issue occurs because IPSec re-keying is disabled in NSX-V 6.1.5, 6.1.6, 6.2, 6.2.1 and 6.2.2 releases to avoid hitting another known IPSec issue.

General Issues

NSX API now returns XML output by default when Accept header is not provided

Beginning in NSX 6.2.3, if the “Accept:” header is not provided in a REST API call, then the default formatting of NSX API return values is XML. Previously the NSX API returned JSON-formatted output by default. To receive JSON-formatted output, the API user must explicitly set “application/json” in the “Accept:” header when calling the function.

** How to track the top field issues **

Top 20 NSX articles for September 2016

Here is our Top 20 NSX articles list for September 2016. This list is ranked by the number of times a VMware Support Request was resolved by following the steps in a published Knowledge Base article.

  1. Split-brain scenario on NSX/vShield Edge configured for High Availability (HA)
  2. Windows virtual machines using the vShield Endpoint TDI Manager or NSX Network Introspection Driver (vnetflt.sys) driver fails with a blue diagnostic screen
  3. Troubleshooting the NSX Manager Web Client Plug-In in NSX for vSphere 6.x
  4. Licensing VMware vSphere 5.5.x/6.0.x and VMware NSX for vSphere 6.x
  5. Netcpa issues in VMware NSX for vSphere 6.x
  6. The netcpa agent on an ESXi host fails to communicate with NSX controller(s) in VMware NSX for vSphere 6.x
  7. NSX is unavailable from the vSphere Web Client Plug-in
  8. Build numbers and versions of VMware NSX for vSphere
  9. vCenter Server access is blocked after creating a Deny All rule in DFW
  10. A virtual machine loses network connectivity during migration between resource pools, clusters or vApps in vCloud Networking and Security 5.1.4, 5.5.2 and NSX for vSphere 6.0.4
  11. VMware Virtual Appliances and customizations to operating system and included packages
  12. VMware NSX controller deployment fails with the error Timeout on waiting for controller ready
  13. Changing the VMware NSX for vSphere 6.x License from virtual machine to CPU
  14. After upgrading to VMware ESXi 5.5 Patch Release ESXi550-201504002, virtual machines using VMware NSX for vSphere 6.x or Cisco Nexus 1000v are unable to communicate across hosts
  15. Troubleshooting VMware NSX for vSphere 6.x
  16. Troubleshooting VMware NSX Manager
  17. Troubleshooting NSX Edge High Availability (HA) issues
  18. Environment with more than one NSX Manager visible on the vSphere Web Client on the Host Preparation page in VMware NSX for vSphere 6.x
  19. Reverse Path Forwarding in NSX 6.x and vCNS 5.x Edge
  20. The uplink port name information is missing from tables after upgrading from VMware vCloud Networking and Security 5.x to VMware NSX for vSphere 6.2

VMware NSX for vSphere 6.2.4 now available

VMware has made NSX for vSphere 6.2.4 available for download. NSX 6.2.4 provides critical bug fixes identified in previous releases and delivers a security patch for CVE-2016-2079, a critical input validation vulnerability for sites that use NSX SSL VPN.

  • For customers who use SSL VPN, VMware strongly recommends a review of CVE-2016-2079 and an upgrade to NSX 6.2.4.
  • For customers who have installed NSX 6.2.3 or 6.2.3a, VMware recommends installing NSX 6.2.4 to address critical bug fixes.

Caution: Before upgrading, consult the NSX 6.2.4 Release Notes available from the NSX Documentation Center and Recommended minimum version for NSX for vSphere with GID, ESXi, and vCenter Server (2144295).

Critical Alert on 6.2.3 and 6.2.3a for DLR users: For more information, see “Fixed issue 1703913: NSX DLR HA nodes remain in a split-brain state” in the NSX for vSphere 6.2.4 Release Notes and VMware Knowledge Base article NSX 6.2.3 DLR HA nodes remain in a split brain state (2146506). This issue will occur after approximately 24 days of BFD uptime and will continue to reoccur every 24 days.

Customers who are using 6.2.3 or 6.2.3a are strongly advised to review KB 2146506, review how to prevent or remediate the issue, and plan to upgrade to NSX 6.2.4.

vShield Endpoint Update

VMware has announced the End of Availability (EOA) and End of General Support (EOGS) of VMware vCloud Networking and Security 5.5.x. The EOGS date for VMware vCloud Networking and Security 5.5.x is September 19, 2016.  For customers using vCNS Manager specifically to manage vShield Endpoint for agentless anti-virus, Technical Guidance is available until March 31, 2017. For more information, see End of Availability and End of General Support for VMware vCloud Networking and Security 5.5.x (2144733).

For more information on additional partner solution availability, see Implementation of VMware vShield Endpoint beyond vCloud Networking and Security End of Availability (EOA) (2110078).

Note: Consult the VMware Compatibility Guide for Endpoint partner solution certification status before upgrading.  If your preferred solution is not yet certified, contact that vendor.

How to track the top field issues

NSX for vSphere Field Advisory – July 2016 Edition

This blog has been updated to reflect new information as it was provided. Changes are marked with an *.

VMware NSX for vSphere 6.2.3 Update

  • NSX for vSphere 6.2.3 has an issue that can affect both new NSX customers as well as customers upgrading from previous versions of NSX. The NSX for vSphere 6.2.3 release has been pulled from distribution. The current version available is NSX for vSphere 6.2.2, which is the VMware minimum recommended release.  Refer to KB 2144295. VMware is actively working towards releasing the next version to replace NSX for vSphere 6.2.3 *
  • VMware NSX for vSphere version 6.2.3 delivered a security patch to address a known SSL VPN security vulnerability (CVE-2016-2079). This issue may allow a remote attacker to gain access to sensitive information. Customers who use SSL VPN are strongly advised to review CVE-2016-2079 and contact VMware support to request immediate assistance. For questions or concerns, contact VMware Support. *
  • The next version of NSX for vSphere contains fixes for bugs that have been found in NSX 6.2.3.
  • Customers who have already upgraded to 6.2.3 are advised to review the following KB articles:
    • VMware Knowledge Base article 2146227, VMs using Distributed Firewall (DFW) and Security Groups (SG) may experience connectivity issues. A workaround is available. *
    • VMware Knowledge Base article 2146293, Virtual machines lose network connectivity in NSX 6.2.x. *
    • VMware Knowledge Base article 2146413, VMs lose network connectivity in NSX with DLR HA. *

Critical Alert for Edge DLR users on NSX 6.2.3 and 6.2.3a *

  • NSX 6.2.3 DLR HA nodes remain in a split brain state (2146506) *
    • A new issue has been identified that can cause both primary and secondary HA nodes to enter an Active state, causing network disruption.
    • This issue will occur after approximately 24 days of BFD uptime and will continue to reoccur every 24 days.
    • Customers who are using NSX-V 6.2.3 or 6.2.3a are strongly advised to review KB 2146506, review how to prevent or remediate the issue and plan to upgrade to the next version of NSX.

For questions or concerns, contact VMware Support. To contact VMware support, see Filing a Support Request in My VMware (2006985) or How to Submit a Support Request.

Top NSX for vSphere issues for July 2016

NSX for vSphere 6.2.3 other new and changed issues

Notes:

  • vCloud Director 8.0.1 is now interop-tested and supported with NSX 6.2.3.  For more information, see the VMware Interoperability Matrix
  • VMware is working actively with anti-virus solution partners to influence completion of their certification testing efforts with both NSX 6.2.2 and 6.2.3.  For more information, see the VMware Compatibility Guide (VCG)

Other trending issues

Known interoperability issues during upgrade to NSX for vSphere 6.2.3

Note: VMware vSphere 6.0 supports VIB downloads over port 443 (instead of port 80). This port is opened and closed dynamically. The intermediate devices between the ESXi hosts and vCenter Server must allow traffic using this port.

How to track Top Field Issues

Top 20 NSX articles for July 2016

Here is our Top 20 NSX articles list for July 2016. This list is ranked by the number of times a VMware Support Request was resolved by following the steps in a published Knowledge Base article.

  1. vCenter Server or Platform Services Controller certificate validation error for external VMware Solutions in vSphere 6.0
  2. Licensing VMware vSphere 5.5.x/6.0.x and VMware NSX for vSphere 6.x
  3. Deploying VMware NSX for vSphere 6.x through Auto Deploy
  4. vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with an External Platform Services Controller
  5. Troubleshooting NSX Edge High Availability (HA) issues
  6. Slow VMs after upgrading VMware tools in NSX / vCloud Networking and Security
  7. ESXi host fails with purple diagnostic screen in NSX environment
  8. VMs learning the DLR pMac as the VM default gateway
  9. TCP and UDP Ports required to access VMware vCenter Server, VMware ESXi and ESX hosts, and other network components
  10. Windows virtual machines using the vShield Endpoint TDI Manager or NSX Network Introspection Driver (vnetflt.sys) driver fails with a blue diagnostic screen
  11. vCenter Server certificate validation error for external solutions in environments with Embedded Platform Services Controller
  12. Troubleshooting the NSX Manager Web Client Plug-In in NSX for vSphere 6.x
  13. The netcpa agent on an ESXi host fails to communicate with NSX controller(s) in VMware NSX for vSphere 6.x
  14. Migration of Service VM (SVM) may cause ESXi host issues in VMware NSX for vSphere 6.x
  15. ESXi 5.5.x/6.0.x host in a VMware NSX for vSphere 6.2.1 environment fails with a purple diagnostic screen and reports the backtrace: PFFilterPacket and VSIPDVFProcessSlowPathPackets
  16. Duplicate VTEPs in ESXi hosts after rebooting vCenter Server
  17. Networking & Security pages are blank in vSphere Web Client after a downgrade or backed-out upgrade of NSX Manager
  18. Unexpected TCP interruption on TCP sessions during Edge High Availability (HA) failover in VMware NSX for vSphere 6.2.x
  19. NSX Edge is unmanageable after upgrading to NSX 6.2.3
  20. Installation Status appears as Not Ready in NSX

NSXv License Versions

In NSX 6.2.2, VMware introduced 3 different license editions: Standard, Advanced, and Enterprise. These license editions allow you to align NSX with your company’s use case.

Standard Edition: Automates IT workflows, bringing agility to the data center network and reducing network operating costs and complexity.

Advanced Edition: Standard Edition plus a fundamentally more secure data center with micro-segmentation. Helps secure the data center to the highest levels, while automating IT provisioning of security.

Enterprise Edition: Advanced Edition plus networking and security across multiple domains. Enables the data center network to extend across multiple sites and connect to high-throughput physical workloads.


If you are an existing NSX customer, the upgrade to 6.2.4 will not impact your license type or the components you are entitled to.

If you are a vCNS customer, you can upgrade to NSX; however, when doing so you will get an Endpoint for NSX only license. You can enable the additional features by purchasing the NSX license that fits your business requirements.


License Capacity Usage

The NSX capacity usage calculation method only reports on clusters prepared and enabled with DFW and VXLAN. CPU count is the number of CPUs (sockets) of all prepared hosts. VM count and Concurrent Users is the count of all powered-on VMs in the cluster. This VM count does not include system VMs (service VMs, partner VMs, edge appliances, etc.).

NSX usage is reported correctly under the NSX Manager in NSX vSphere Webclient Plugin. Note that under license management in VC, the NSX license will report Usage as ZERO.


vShield Endpoint License in NSX 6.2.4

vShield Endpoint is a component of vCloud Networking and Security (vCNS). This component allows you to offload antivirus and anti-malware agent processing to a dedicated secure virtual appliance. With the release of NSX 6.2.4, the default license is NSX for vShield Endpoint, allowing you to manage your vShield Endpoint environment with NSX. Customers who purchased vSphere with vShield Endpoint (Essential Plus and above) will be able to download NSX. This means that NSX will appear on the vSphere download site, just like vCNS does today. To ensure customers do not use any other unlicensed NSX features (e.g., VXLAN, DFW, Edge services), the license key will have hard enforcement to prevent NSX host preparation and block Edge creation. If you require an evaluation license key, please request this through VMware sales.

 

Log Insight License in NSX 6.2.2 and above

VMware vRealize Log Insight 3.3.2 for NSX provides intelligent log analytics for NSX. Log Insight provides monitoring and troubleshooting capabilities and customizable dashboards for network virtualization, flow analysis, and alerts. The 3.3.2 version of Log Insight accepts NSX Standard/Advanced/Enterprise edition license keys issued for NSX 6.2.2 and above. This means you will have an enterprise-level Log Insight license for every license of NSX.

