Symptoms:

• NSX-T Data Centre versions 3.2.0, 3.2.1.
• VMware NSX versions 4.0 and 4.1.
• You have deployed NSX; this is Embedded NSX installed in vSphere as a Plugin.
• You are using security only.
• The vCenter server is on a distributed portgroup.
• Connectivity is lost to the vCenter server and/or NSX manager VM once the cluster is prepared for security.

VMware NSX-T Data Center

When the vCenter server and/or the NSX-T manager are on a Distributed portgroup which is part of the cluster which is being prepared, if the default rule is drop and these VM's have not been given specific permissions to communicate on the Distributed firewall, communications fail, as the traffic will hit the default drop rule.

This is a known issue impacting NSXe deployments.

Workaround:
During NSX install on the Distributed switch and creation of firewall rules step, we need to add the vCenter and NSX-T manager(s) to the DFW exclusion list using the following process in the NSX-T UI:

• Under Inventory - Tags, create a new tag, for example called 'NSXe_Sytem_VM_Tag' and add both vCenter and NSX manager VMs to it.
• Under Inventory - Groups, create a new group, for example called 'NSXe_System_VM_Group'.
• For the new group, Set Members - Membership Criteria - Virtual Machine - Tag - Equals - NSXe_System_VM_Tag
• Under Security - Distributed Firewall - Actions - Exclusion List , add the created group to exclusion list.

Then proceed to Firewall creation step in NSXe UI security workflow.