• During the upgrade of NSX-T managers, hosts are not allowed to upgrade.
• The upgrade fails at the 'Performing dry-run of installation of NSX bits' step.
• The following error in upgrade-coordinator.log on the orchestrator node is present (/var/log/upgrade-coordinator/upgrade-coordinator.log):

             Unable to connect the host https://host-ip/sdk

This issue is caused by blocked Host access from NSX Orchestrator node

In vSphere go to the Host > Configure > System > Firewall. Connections > vSphere Web Client, change "Allowed IP addresses" should be set to all or the IP address of the orchestrator node.

You can use netcat (nc) to confirm connectivity to the TCP ports (443,80 and 902) from the NSX Manager(s) to the vSphere Host: 

1. Open SSH to NSX Manager and log in using root account
2. run the following command to check the connectivity on TCP port 443:
   #nc -zv <host-ip> 443
3. Example response when connection succeeded:
   Connection to <host_ip> 443 port [tcp/*] succeeded!
4. Repeat the same steps for ports 80 and 902
5. If the connection is not succeeded, then investigate with your firewall team where the port may be blocked.
6. Check the connection from all three NSX Managers.

Impact/Risks:

Not able to upgrade a host during NSX-T upgrade.