The DFW rules get removed from the host during the NSX Manager upgrade for security-only clusters.

Article ID: 383646

Updated On:

Products

VMware NSX, VMware vDefend Firewall, VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

In DFW on DVPG deployments, the DFW rules are briefly removed from the ESXi host during the NSX Manager upgrade and recover automatically after all three NSX Managers are upgraded.

Environment

This issue is only seen during an upgrade to NSX 4.2.x from pre-4.2.0 releases.

Cause

NSX Manager node OS upgrades happen on a rolling basis. During the upgrade of the 2nd or 3rd Manager, the hosts served by these Managers may get sharded to the upgraded Manager node. When a host gets the new master, the messaging layer issues an AppInit. This process removes the security-only configuration and introduces a new parameter, enable_nsx_on_dvpg. The new parameter only takes effect after the entire upgrade is complete, which is why the DFW rules are missing from the host until then.

Resolution

This issue only impacts upgrades to NSX 4.2.x from pre-4.2.0 releases.

This issue is fixed in NSX 4.2.1.1.