Stale NAT Rules are found on Edge Node after NSX upgrade from a pre-4.2.0 release to a 4.2.x release

Article ID: 421112

Products

VMware NSX

Issue/Introduction

  • For NAT Rules that have multiple interfaces in their scope, or that have a label applied, stale NAT Rules may be found on the Edge Node after an NSX upgrade from a pre-4.2.0 release to a 4.2.x release.
  • Neither the APIs nor the NSX UI show the stale NAT Rule; however, the rule may appear in the output of the "get firewall ruleset rules" command on the Active Edge.

Environment

NSX 4.2.x

Cause

When a NAT Rule is deleted from Corfu by the Policy Provider during the upgrade as part of data migration, an issue with the CCP's UFO full sync may occur, and the CCP may not propagate the NAT Rule deletion to the Edge Node data plane.

Resolution

This is a known issue and will be fixed in a future NSX release.

Workaround

Restart the Controller/CCP service on all 3 Manager nodes:

/etc/init.d/nsx-ccp restart