• Federated deployment in place.
• An upgrade to VMware NSX 4.1 or 4.2 has been carried out.
• The environment was originally a VMware NSX-T Data Center 2.5 deployment.
• Global manager firewall rules fail to publish.
• Entries similar to the below are observed in var/log/vmware/appl-proxy-rpc.log
NSX 1846 - [nsx@6876 comp="nsx-manager" subcomp="appl-proxy" s2comp="nsx-rpc" tid="1876" level="INFO"] Frame format is not recognized
NSX 1846 - [nsx@6876 comp="nsx-manager" subcomp="appl-proxy" s2comp="nsx-rpc" tid="1876" level="ERROR" errorCode="RPC400"] RpcConnection[80104 Negotiating on tcp://0.0.0.0:1236 0] Frame format is not recognized
.
.
.
.
NSX 1846 - [nsx@6876 comp="nsx-manager" subcomp="appl-proxy" tid="1846" level="INFO"] TnConnMgr: OnServerConnectionUpDown: ConnInfo:{id: 76738, pr: normal, net: {id: 76738, pr: normal, side: server, endpoint: tcp://0.0.0.0:1236, local-ep: tcp://0.0.0.0:1236, peer-ep: tcp://10.247.120.220:42618, peer-auth: {certificate: none}}} Status:Down

VMware NSX-T Data Center 2.5
VMware NSX 4.x

This issue happens because /etc/vmware/nsx-appl-proxy/appl-proxy.xml file is not getting upgraded to the intended install version.
From VMware NSX 4.1 onwards, the sslEnabled value for external_ar is read from appl-proxy.xml file, and if not present default value is sslEnabled=false.
This impacts setups that have been upgraded since 2.5.1 and not fresh installs.

This is a known issue impacting VMware NSX.
If you believe you have encountered this issue, please open a support request with Broadcom Support and refer to this KB article.