If you are using the DFW (which, at a guess, I would suggest most NSX customers are), please read the following KB closely before upgrading to 6.2.3.
VMware’s current advice is not to upgrade if you are using the DFW, due to an issue with the new Global Address Set optimization feature introduced in 6.2.3.
- Traffic disruption may be encountered upon a vMotion operation on compute virtual machines followed by changes to configuration of the Global Address Sets in the SG referenced for that virtual machine
After upgrading to NSX for vSphere 6.2.3, when virtual machines that were part of an SG created in NSX-V 6.2.3 and earlier versions are migrated to another host running NSX-V 6.2.3, they continue to refer to the old local copy of the Addrsets and ignore new updates in the Global Addrsets.
Currently, there is no resolution.
To work around this issue:
If you have already upgraded to NSX for vSphere 6.2.3:
- Disable vMotion on the VMK interface on all hosts in the compute cluster.
- If your Default_Rule rule is set to DENY, change it to ALLOW.
- Disable Distributed Firewall (DFW), per cluster, one at a time.
- Wait 15 minutes between each cluster change.
- Enable Distributed Firewall (DFW), per cluster, one cluster at a time.
- Wait for all applications to recover. (Note: This process is application dependent and can take some time.)
- Change the Default_Rule rule to DENY.
If you have not yet upgraded to NSX for vSphere 6.2.3:
VMware recommends not upgrading to this version if you are using the Distributed Firewall (DFW) feature.
Source: VMware KB 2146227