NSX: Using the DFW? Then don’t upgrade to 6.2.3

If you are using the DFW, which at a guess I would suggest most NSX customers are, then please read the following KB closely before upgrading to 6.2.3.

VMware’s current advice is not to upgrade if you are using the DFW, due to an issue with the new Global Address Set optimization feature introduced in 6.2.3.

Symptoms

After upgrading to NSX for vSphere 6.2.3 with Distributed Firewall (DFW) and Security Groups (SG) configured, you experience these symptoms:

  • Traffic disruption may be encountered after a vMotion of a compute virtual machine that is followed by changes to the configuration of the Global Address Sets in the SG referenced by that virtual machine

Cause

In NSX-V 6.2.3, a new Global Address Set (Addrset) is introduced as an optimization feature. Any virtual machines created on NSX-V 6.2.3 use the shared Global Addrset and refer to it for updates.

After upgrading to NSX for vSphere 6.2.3, virtual machines that were part of a SG created on a version earlier than 6.2.3 and are then migrated to another host running NSX-V 6.2.3 continue to refer to the old local copy of the Addrsets and ignore new updates made to the Global Addrsets.

Resolution

This is a known issue affecting VMware NSX for vSphere 6.2.3.

Currently, there is no resolution.

To work around this issue:

If you have already upgraded to NSX for vSphere 6.2.3

  1. Disable vMotion on the VMK interface on all hosts in the compute cluster.
  2. If your Default_Rule is set to DENY, change it to ALLOW.
  3. Disable Distributed Firewall (DFW) per cluster, one cluster at a time.
  4. Wait 15 minutes between each cluster change.
  5. Enable Distributed Firewall (DFW) per cluster, one cluster at a time.
  6. Wait for all applications to recover. (Note: this is application dependent and can take some time.)
  7. Change the Default_Rule back to DENY.
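The seven steps above as a scripted runbook, added here as an example; it is not code from VMware or from the KB. It assumes the NSX-v 6.2 REST paths (`/api/4.0/firewall/globalroot-0/config` for the DFW rule set, with the section ETag returned as `If-Match`, and `/api/2.0/nwfabric/configure` with featureId `com.vmware.vshield.firewall` and an `nwFabricFeatureConfig` body to toggle DFW on one cluster); check all of them against the API guide for your build. Step 1 (disabling vMotion on each host's vmk) is done in vCenter beforehand and only confirmed to the script. `NsxManager`, `run_workaround`, `restore_default_deny` and the trimmed `SAMPLE_CONFIG` XML are constructed for this example.

```python
"""Scripted runbook for the KB 2146227 workaround (steps 2-7) against NSX Manager.

Added example, not VMware's or the KB's code. REST paths, the
nwFabricFeatureConfig body and the If-Match/ETag handling are assumed
from the NSX-v 6.2 API guide; confirm them against your build. Step 1
(disabling vMotion on each host's vmk) is done in vCenter beforehand and
only confirmed to this script via the vmotion_disabled flag.
"""
import base64
import ssl
import time
import urllib.request
import xml.etree.ElementTree as ET

FW_CONFIG = "/api/4.0/firewall/globalroot-0/config"   # assumed: DFW config resource
NWFABRIC = "/api/2.0/nwfabric/configure"              # assumed: per-cluster feature toggle
DFW_FEATURE = "com.vmware.vshield.firewall"           # assumed: DFW featureId
WAIT_BETWEEN_CLUSTERS = 15 * 60                       # KB step 4: 15 minutes

# Constructed, trimmed DFW config for the stand-alone demo (not a real export).
# The KB calls the rule Default_Rule; the NSX UI names it "Default Rule".
SAMPLE_CONFIG = """<firewallConfiguration><layer3Sections>
<section id="1003" name="Default Section Layer3">
<rule id="1001" disabled="false" logged="true"><name>Default Rule</name>
<action>deny</action></rule></section></layer3Sections></firewallConfiguration>"""


class NsxManager:
    """Minimal HTTPS + basic-auth client for NSX Manager, stdlib only."""

    def __init__(self, host, user, password, verify_tls=True):
        self.base = f"https://{host}"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/xml"}
        self.ctx = ssl.create_default_context()
        if not verify_tls:                      # lab only; never disable in production
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def request(self, method, path, body=None, extra=None):
        """Return (status, ETag header, response body)."""
        req = urllib.request.Request(self.base + path, data=body, method=method,
                                     headers={**self.headers, **(extra or {})})
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.status, resp.headers.get("ETag"), resp.read().decode()


def default_rule_action_update(config_xml, rule_name, action):
    """Find rule_name in the L3 config; return (section_id, rule_id, rule_xml)
    with its <action> replaced. Raises LookupError if the rule is absent."""
    root = ET.fromstring(config_xml)
    for section in root.iter("section"):
        for rule in section.iter("rule"):
            if rule.findtext("name") == rule_name:
                rule.find("action").text = action
                return section.get("id"), rule.get("id"), ET.tostring(rule, encoding="unicode")
    raise LookupError(f"rule {rule_name!r} not found in DFW config")


def nwfabric_body(cluster_moid, feature=DFW_FEATURE):
    """Body scoping one feature to one cluster MoRef (assumed schema)."""
    return (f"<nwFabricFeatureConfig><featureId>{feature}</featureId><resourceConfig>"
            f"<resourceId>{cluster_moid}</resourceId></resourceConfig></nwFabricFeatureConfig>").encode()


def set_rule_action(nsx, rule_name, action):
    """Update one rule's action; the config ETag goes back as If-Match so a
    concurrent change to the rule set is rejected rather than overwritten."""
    _, etag, cfg = nsx.request("GET", FW_CONFIG)
    section_id, rule_id, rule_xml = default_rule_action_update(cfg, rule_name, action)
    nsx.request("PUT", f"{FW_CONFIG}/layer3sections/{section_id}/rules/{rule_id}",
                rule_xml.encode(), {"If-Match": etag})
    return ("rule", rule_id, action)


def run_workaround(nsx, clusters, vmotion_disabled, rule_name="Default Rule", sleep=time.sleep):
    """KB steps 2-5. Returns the ordered list of changes made, for the change record."""
    if not vmotion_disabled:
        raise RuntimeError("KB step 1 first: disable vMotion on every compute-host vmk")
    log = [set_rule_action(nsx, rule_name, "allow")]      # step 2: DENY -> ALLOW
    for phase, method in (("disable", "DELETE"), ("enable", "POST")):   # steps 3 and 5
        for cluster in clusters:                          # one cluster at a time
            nsx.request(method, NWFABRIC, nwfabric_body(cluster))
            log.append(("dfw", cluster, phase))
            sleep(WAIT_BETWEEN_CLUSTERS)                  # step 4, after every change
    return log


def restore_default_deny(nsx, rule_name="Default Rule"):
    """KB step 7, run only after the operator confirms applications recovered (step 6)."""
    return set_rule_action(nsx, rule_name, "deny")


if __name__ == "__main__":
    # Offline demo of the rule edit on the constructed config; a real run would pass
    # NsxManager("nsxmgr.example.net", "admin", "...") to run_workaround().
    print(default_rule_action_update(SAMPLE_CONFIG, "Default Rule", "allow"))
```

`run_workaround` deliberately stops after step 5 and returns its change log; step 6 is a human judgement, so step 7 is a separate call (`restore_default_deny`) that the operator makes once the applications are confirmed healthy, rather than a timer in the script. The `If-Match` header is what keeps a colleague's concurrent DFW edit from being silently overwritten while the default rule is flipped.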

If you have not yet upgraded to NSX for vSphere 6.2.3

VMware recommends not upgrading to this version if you are using the Distributed Firewall (DFW) feature.

Source: VMware KB 2146227


NSX IS-IS Routing Protocol Support

Something that has finally been cleared up is the deprecation of the IS-IS routing protocol in NSX. It has always been a bit confusing: is it supported, or is it not?

Well, it's been in the UI and the manual for a while; however, it was always my understanding that eventually this would be removed, and from 6.2.3 this is now finally the case, which should help clarify our position on using this protocol.

http://pubs.vmware.com/Release_Notes/en/nsx/6.2.3/releasenotes_nsx_vsphere_623.html

Deprecated and Discontinued Functionality

IS-IS is not a supported routing protocol for the Edge Services Gateway router.

It will be removed from the UI and APIs in a future release. (Issue 1498251)