This KB tracks known interoperability issues between SSP and NSX versions. Some NSX versions combined with specific SSP versions cause operational issues.
This KB lists the problems, the affected environments and the resolutions.
NSX 4.2.0 and above.
SSP versions 5.0 and 5.1.
See the table below for the known limitations of SSP interoperability with NSX:
Interoperability by NSX version:

| Sl No. | SSP Features | NSX 4.2.0 | NSX 4.2.0.1 | NSX 4.2.0.2 | NSX 4.2.1 | NSX 4.2.1.1 | NSX 4.2.1.2 | NSX 4.2.1.3 | NSX 4.2.1.4 | NSX 4.2.2 | NSX 4.2.2.1 | NSX 4.2.3 | NSX 9.0 | NSX 9.0.1 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Metrics | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| 2 | Intelligence Visualization | ⚠️ *2,*3,*15 | ⚠️ *2,*3,*15 | ⚠️ *3,*15 | ⚠️ *3 | ⚠️ *3 | ⚠️ *3 | ⚠️ *3 | ⚠️ *3 | ⚠️ *6 | ✅ | ✅ | ⚠️ *3 | ✅ |
| 3 | Policy Recommendation | ⚠️ *2 | ⚠️ *2 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| 4 | Application/Infra/Environment BootStrap & Discovery | ⚠️ *1(a) | ⚠️ *1(a) | ⚠️ *1(a) | ⚠️ *1(a) | ⚠️ *1(a) | ⚠️ *1(a) | ⚠️ *1(a) | ⚠️ *1(a) | ⚠️ *1(a) | ⚠️ *1(a) | ✅ | ✅ | ✅ |
| 5 | Environment Monitoring and Recommendations | ⚠️ *12 | ⚠️ *12 | ⚠️ *12 | ⚠️ *12 | ⚠️ *12 | ⚠️ *12 | ⚠️ *12 | ⚠️ *12 | ⚠️ *12 | ⚠️ *12 | ⚠️ *12 | ⚠️ *12 | ⚠️ *12 |
| 6 | Application Monitoring and Recommendations | ⚠️ *5,*9 | ⚠️ *5,*9 | ⚠️ *5,*9 | ⚠️ *5,*9 | ⚠️ *5,*9 | ⚠️ *5,*9 | ⚠️ *5,*9 | ⚠️ *5,*9 | ⚠️ *5,*9 | ⚠️ *5,*9 | ⚠️ *9 | ⚠️ *5,*9 | ⚠️ *5,*9 |
| 7 | Infrastructure Monitoring and Recommendations | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| 8 | DFW (Rapid Deployment of Distributed Firewall via Security Journey) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| 9 | Distributed Firewall for Bare Metal Workloads | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | ✅ | ✅ |
| 10 | Distributed Firewall Rule Analysis | N/A | N/A | N/A | ⚠️ *4,*10,*11 | ⚠️ *4,*10,*11 | ⚠️ *4,*10,*11 | ⚠️ *4,*10,*11 | ⚠️ *4,*10,*11 | ⚠️ *11 | ⚠️ *11 | ⚠️ *11 | ⚠️ *11 | ⚠️ *11 |
| 11 | NDR Sensor | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| 12 | MPS | ⚠️ *16 | ⚠️ *16 | ⚠️ *16 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| 13 | NDR | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| 14 | Bare Metal Security | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | ✅ | ✅ |
| 15 | POV | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| 16 | NTA | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| 17 | IDS/IDPS | ⚠️ *7 | ⚠️ *7 | ⚠️ *7 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| 18 | SSP-NSX Alarm Framework | ⚠️ *8 | ⚠️ *8 | ⚠️ *8 | ⚠️ *8 | ⚠️ *8 | ⚠️ *8 | ⚠️ *8 | ⚠️ *8 | ⚠️ *8 | ⚠️ *8 | ⚠️ *8 | ⚠️ *8 | ⚠️ *8 |
| 19 | Backup and Restore | ⚠️ *14 | ⚠️ *14 | ⚠️ *14 | ⚠️ *14 | ⚠️ *14 | ⚠️ *14 | ⚠️ *14 | ⚠️ *14 | ⚠️ *14 | ⚠️ *14 | ⚠️ *14 | ⚠️ *14 | ✅ |
| 20 | SSP Deployment | ⚠️ *13 | ⚠️ *13 | ⚠️ *13 | ⚠️ *13 | ⚠️ *13 | ⚠️ *13 | ⚠️ *13 | ⚠️ *13 | ⚠️ *13 | ⚠️ *13 | ⚠️ *13 | ⚠️ *13 | ⚠️ *13 |
| 21 | SSP Inventory | ⚠️ *1(b) | ⚠️ *1(b) | ⚠️ *1(b) | ⚠️ *1(b) | ⚠️ *1(b) | ⚠️ *1(b) | ⚠️ *1(b) | ⚠️ *1(b) | ⚠️ *1(b) | ⚠️ *1(b) | ⚠️ *1(b) | ⚠️ *1(b) | ⚠️ *1(b) |

*1: Missing DVPG Data in Groups: DVPGs are not streamed to SSP Inventory, leading to unresolved rows in CSV containing DVPG asset types.
CSV Resolution Issues:
*2: SSP Unable to View IP Members in NSX Groups
Here
*3: Flow Visibility and Infrastructure Sync Failures:
Problem 1: Unable to see flows on intelligence.
Problem 2: Infrastructure Sync on SSP is DOWN as the full sync/delta sync has failed.
*4: Inaccurate Rule Analysis Reports in Scaled Environments:
Users may receive inaccurate rule analysis reports (e.g., showing anomalies or redundant rules that shouldn't exist).
Could lead to false alarms or misleading security insights, especially in scaled environments.
*5: Incomplete Export of Prioritized Application Traffic:
Prioritized application traffic may not be exported reliably, leading to incomplete flow visibility in monitoring tools.
*6: Long Inventory Sync Downtime on SSP UI:
Inventory Sync status on SSP UI is shown as down for a very long time.
*7: Unable to Filter IDS Alerts by Signature ID:
You cannot see or filter IDS alerts by signature ID (even though alerts are logged).
*8: Confusing Alarms for Configuration Sync Failures:
In current NSX versions, alarms for configuration sync failures reference only the NSX Application Platform (NAPP), even though the Security Services Platform (SSP) is deployed.
This may lead to confusion during issue triage. The improvements will be available in an upcoming NSX release, ensuring clearer diagnostics and faster troubleshooting for SSP deployments.
*9: Prioritization Failure with more than 50 critical apps:
SSP UI says prioritization failed if you attempt to prioritize more than 50 apps, even if they are marked as “Critical”.
*10: DFW Rule Persistence Issues post Backup and Restore:
In NSX 4.2.1.x, after performing a backup and restore, any newly created DFW rules may not persist in the backend database, even though they appear in the NSX Manager UI.
As a result, Rule Analysis fails to detect anomalies for these rules.
This impacts security visibility and traffic anomaly detection.
*11: Sync Failures and Kafka Recovery Issues in Disabled NSX Features:
While running NSX with both Intelligence and Metrics disabled, we may experience data sync failures and Kafka recovery issues, leading to missing configuration updates and potential platform instability, especially when using features like Rule Analysis.
*12: Missing Flow Data for Dropped/Rejected Flows After Jump Rule:
When using Environment Monitoring in SSP 5.1 with NSX, flows that are dropped or rejected after a "jump-to" rule do not report the associated jump_rule_id.
This results in missing or incomplete flow data for those connections, which impacts monitoring accuracy and reduces visibility into environment-based traffic policies.
We may see gaps in reported traffic flows, leading to incorrect insights or decisions based on incomplete data.
*13: Delayed Data Updates and UI Performance Degradation:
We may observe delays in data updates, slower response times in the user interface, and temporary unavailability of some analytics or configuration data during the synchronization process.
In some cases, repeated full syncs can lead to brief performance degradation or increased load on the system.
*14: Failures in Disaster Recovery Workflows During SSP Upgrades:
Disaster Recovery (DR) workflows involving SSP upgrades and Platform CA certificate refreshes may experience failures during NSX site onboarding and restore operations.
*15: Missing VM Details in Inventory Due to NSX 4.2.0 Limitation:
When using SSP with NSX version 4.2.0, the “View Members” option in the Inventory > Groups section shows group member counts but no actual VM details are displayed. This is due to a missing capability in NSX 4.2.0.
The version does not support “Dynamic Streaming,” which SSP requires to fetch and display VM inventory details. This feature is supported only from NSX 4.2.1 onwards.
*16: Malware Prevention Service Alarm Remains Open on NSX Manager:
Service Status Down alarm remains open for Malware Prevention Service VM on NSX Manager. The following alarm is shown on the Alarms tab on the NSX Manager: "Service NSX_LASTLINE_RAPID is not running on <tn-fqdn-name>."

| Number | ISSUE | AFFECTED NSX VERSION | AFFECTED SSP VERSION | FIXED IN NSX VERSION | WORKAROUND |
| --- | --- | --- | --- | --- | --- |
| 1. | Missing DVPG Data in Groups: DVPGs are not streamed to SSP Inventory, leading to unresolved rows in CSV containing DVPG asset types. CSV Resolution Issues: | NSX 4.2.0, NSX 4.2.0.1, NSX 4.2.0.2, NSX 4.2.1, NSX 4.2.1.1, NSX 4.2.1.2, NSX 4.2.1.3, NSX 4.2.1.4, NSX 4.2.2, NSX 4.2.2.1, NSX 4.2.3, NSX 9.0, NSX 9.0.1 | SSP 5.1 | Upcoming NSX version. | N/A |
| 2. | SSP needs to see which IP addresses belong to a group in NSX. This info is not currently being sent by NSX, and SSP inventory is incomplete as a result. Here Visualization: Direct IP members of group can be seen. Nested IP members of a group are not shown. | NSX 4.2.0, NSX 4.2.1 | SSP 5.0, SSP 5.1 | NSX 4.2.2, NSX 9.0 | None. Upgrade NSX if it is running the affected NSX version. |
| 3. | Issue: Infrastructure Sync on SSP is DOWN as the full sync/delta sync has failed. Impact: Unable to see flows on Intelligence. | NSX 4.2.0, NSX 4.2.0.1, NSX 4.2.0.2, NSX 4.2.1, NSX 4.2.1.1, NSX 4.2.1.2, NSX 4.2.1.3, NSX 4.2.1.4, NSX 9.0 | SSP 5.0, SSP 5.1 | NSX 4.2.2, NSX 9.0.1 | |
| 4. | Issue: Deleted security rules (redundant_rule4 and redundant_rule5) are still being processed by the Security Intelligence, even though they no longer exist in the UI or Corfu (another datastore). This results in system errors during policy update processing. Impact: Users may receive inaccurate rule analysis reports (e.g., showing anomalies or redundant rules that shouldn't exist). Could lead to false alarms or misleading security insights, especially in scaled environments. It can affect users who perform repeated creation and deletion of rules/policies with the same name. | NSX 4.2.0, NSX 4.2.0.1, NSX 4.2.0.2, NSX 4.2.1, NSX 4.2.1.1, NSX 4.2.1.2, NSX 4.2.1.3, NSX 4.2.1.4 | SSP 5.1 | NSX 4.2.2 and above. NSX 9.0 and above. | None. Upgrade NSX if it is running the affected NSX version. |
| 5. | Issue: Even though flow prioritization was enabled for one application, the prioritized traffic was not being exported, while traffic from non-prioritized apps was exported. Impact: Prioritized traffic isn’t properly monitored/exported, so you lose visibility into important application behavior. This could lead to missed alerts or delayed detection of problems in critical apps. | NSX 4.2.0, NSX 4.2.0.1, NSX 4.2.0.2, NSX 4.2.1, NSX 4.2.1.1, NSX 4.2.1.2, NSX 4.2.1.3, NSX 4.2.1.4, NSX 4.2.2, NSX 4.2.2.1, NSX 4.2.3, NSX 9.0, NSX 9.0.1 | SSP 5.1 | Upcoming NSX version. | N/A |
| 6. | Inventory Sync status on SSP UI is shown as DOWN for a very long time. | NSX 4.2.2 | SSP 5.0, SSP 5.1 | NSX 4.2.3, NSX 9.0.1 | https://knowledge.broadcom.com/external/article/412043 |
| 7. | Issue: The IDS Signature ID filter (used to detect threats like trojans) stopped showing up in the VIZ even though alerts/events were being generated in the backend. Signature ID filter missing from VIZ after IDS events. Impact: You couldn't see or filter IDS alerts by signature ID (even though alerts were logged). | NSX 4.2.0, NSX 4.2.0.1, NSX 4.2.0.2, NSX 4.2.1, NSX 4.2.1.1, NSX 4.2.1.2, NSX 4.2.1.3, NSX 4.2.1.4, NSX 4.2.2, NSX 4.2.2.1 | SSP 5.0, SSP 5.1 | NSX 4.2.3, NSX 9.0.1 | None. Upgrade NSX if it is running the affected NSX version. |
| 8. | Alarm with Feature "NSX Application Config Agent" and Event Type "Config Agent Unhealthy" is seen on NSX UI. | NSX 4.2.0, NSX 4.2.0.1, NSX 4.2.0.2, NSX 4.2.1, NSX 4.2.1.1, NSX 4.2.1.2, NSX 4.2.1.3, NSX 4.2.1.4, NSX 4.2.2, NSX 4.2.2.1, NSX 4.2.3, NSX 9.0, NSX 9.0.1 | SSP 5.0, SSP 5.1 | Upcoming NSX version. | https://knowledge.broadcom.com/external/article/373834 |
| 9. | Issue: Unable to prioritize more than 50 apps/groups. Impact: You can’t prioritize more than 50 apps, even if they are marked “Critical”. No clear error or warning is shown, it silently fails beyond 50. | NSX 4.2.0, NSX 4.2.0.1, NSX 4.2.0.2, NSX 4.2.1, NSX 4.2.1.1, NSX 4.2.1.2, NSX 4.2.1.3, NSX 4.2.1.4, NSX 4.2.2, NSX 4.2.2.1, NSX 4.2.3, NSX 9.0, NSX 9.0.1 | SSP 5.1 | Upcoming NSX version. | N/A |
| 10. | Issue: After NSX Backup and Restore, newly created DFW (Distributed Firewall) rules do not appear in the internal database (nsx_config), causing the system to fail in detecting any anomalies based on them. Impact: Newly created firewall rules do not trigger anomaly detection, which can lead to security blind spots. You may think rules are active, but the system doesn’t behave accordingly due to missing backend configuration. Troubleshooting becomes confusing, since UI shows the rule, but backend systems don't reflect it. In versions before 4.2.2, there is no clean workaround, except manually off-boarding and re-onboarding NSX (which deletes reports). | NSX 4.2.1, NSX 4.2.1.1, NSX 4.2.1.2, NSX 4.2.1.3, NSX 4.2.1.4 | SSP 5.1 | NSX 4.2.2 and above. | None. Upgrade NSX if it is running the affected NSX version. |
| 11. | Issue: Older NSX checks either Intelligence or Metrics Enablement to 1. Recover on Kafka failure. 2. Start full sync on restart due to error/leadership change. There can be cases when Intelligence is not deployed and Metrics Data Collection is toggled off. Such cases need to be handled and hence this fix should be backported. Impact: If Rule Analysis is enabled while metrics and intelligence are disabled, Kafka producer re-initialization does not happen and we will NOT be able to recover from any Kafka error, because when metrics and intelligence are disabled the Kafka producer is not re-initialized even after getting the Kafka Exception on NSX. | NSX 4.2.0, NSX 4.2.0.1, NSX 4.2.0.2, NSX 4.2.1, NSX 4.2.1.1, NSX 4.2.1.2, NSX 4.2.1.3, NSX 4.2.1.4, NSX 4.2.2, NSX 4.2.2.1, NSX 4.2.3, NSX 9.0, NSX 9.0.1 | SSP 5.1 | Upcoming NSX version. | N/A |
| 12. | Issue: In SSP 5.1 we are introducing environment monitoring as a feature which analyzes the traffic flows between user defined environments. This requires the DFW environment category jump-to rule ID to be populated in the flows exported to SSP. The issue is that the jump-to rule ID is not sent to SSP when the application category rule is a Drop/reject. Without this SSP will have no idea whether the flow ever matched any env category rule. Impact: SSP 5.1 interop with NSX 4.2.3 and 9.0. Every customer who uses Environment Monitoring SSP 5.1 with NSX 4.2.3 will be impacted if they have environment monitoring enabled. | NSX 4.2.0, NSX 4.2.0.1, NSX 4.2.0.2, NSX 4.2.1, NSX 4.2.1.1, NSX 4.2.1.2, NSX 4.2.1.3, NSX 4.2.1.4, NSX 4.2.2, NSX 4.2.2.1, NSX 4.2.3, NSX 9.0, NSX 9.0.1 | SSP 5.1 | Upcoming NSX version. | N/A |
| 13. | Issue: Impact: Extra syncs increase processing time but eventually complete successfully. | NSX 4.2.0, NSX 4.2.0.1, NSX 4.2.0.2, NSX 4.2.1, NSX 4.2.1.1, NSX 4.2.1.2, NSX 4.2.1.3, NSX 4.2.1.4, NSX 4.2.2, NSX 4.2.2.1, NSX 4.2.3, NSX 9.0, NSX 9.0.1 | SSP 5.0, SSP 5.1 | Upcoming NSX version. | N/A |
| 14. | Issue: Impact: | NSX 4.2.0, NSX 4.2.0.1, NSX 4.2.0.2, NSX 4.2.1, NSX 4.2.1.1, NSX 4.2.1.2, NSX 4.2.1.3, NSX 4.2.1.4, NSX 4.2.2, NSX 4.2.2.1, NSX 4.2.3, NSX 9.0 | SSP 5.0, SSP 5.1 | NSX 9.0.1 | None. Upgrade NSX if it is running the affected NSX version. |
| 15. | Issue: Impact: The “Groups → View Members” page in SSP does not show which VMs belong to a selected NSX group. | NSX 4.2.0, NSX 4.2.0.1, NSX 4.2.0.2 | SSP 5.1 | | None. Upgrade NSX if it is running the affected NSX version. |
| 16. | "Service Status Down" alarm remains open for SVM. | NSX 4.2.0, NSX 4.2.0.1, NSX 4.2.0.2 | SSP 5.0, SSP 5.1 | NSX 4.2.1 and above. | https://knowledge.broadcom.com/external/article/388177 |