Verification of TLS protocol compliance for pool members in NSX 4.X

Article ID: 428191


Products

VMware NSX

Issue/Introduction

  • Pool members fail to establish secure connections with NSX 4.X during health probe monitoring, which results in the pool member being marked down by NSX.
  • LB HTTPS monitors that have no SSL profile configured in the Policy API (by default TLS 1.1 and TLS 1.2) are automatically changed to support only TLS 1.2 after the upgrade to 4.X.
  • Validation is required to ensure that pool members comply with the security standards enforced by OpenSSL 3.0.

Environment

VMware NSX

Cause

NSX 4.2 exclusively supports certificates compliant with OpenSSL 3.0 standards.

This change primarily affects "brownfield" (existing) environments, specifically pool members that rely on the previous default TLS versions (TLS 1.1 and TLS 1.2) but cannot actually negotiate TLS 1.2.

Resolution

  • It is imperative to perform the checks below during the planning phase of an upgrade to avert application outages.
  • To manually verify whether your pool members respond to TLS 1.2, run the openssl command below from root mode on the NSX Manager.
  • To check TLS 1.2 support:
    openssl s_client -connect <poolmember-ip>:443 -tls1_2
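The same check, applied to a whole list of pool members so that non-compliant members can be found before the upgrade. This is an added example, not part of the KB; the member list is a constructed placeholder and the script assumes openssl is on the PATH of the host it runs from.

```shell
#!/bin/sh
# Added example (not from the KB): run the KB's `openssl s_client -tls1_2`
# check against every pool member and report which ones cannot negotiate
# TLS 1.2, i.e. the members that NSX 4.X health monitors will mark down.

# Constructed sample inventory (host:port); replace with your real pool members.
POOL_MEMBERS="192.0.2.10:443
192.0.2.11:8443"

# Classify captured s_client output. A successful -tls1_2 handshake prints a
# session block containing "Protocol  : TLSv1.2"; anything else (handshake
# failure, unsupported protocol, connection refused) counts as a failure.
classify_s_client_output() {
    if printf '%s\n' "$1" | grep -q 'Protocol *: *TLSv1\.2'; then
        echo TLS12_OK
    else
        echo TLS12_FAIL
    fi
}

# Run the KB's manual check against one host:port.
# Returns 0 when a TLS 1.2 session was negotiated, 1 otherwise.
check_tls12() {
    host=$1; port=$2
    out=$(openssl s_client -connect "$host:$port" -tls1_2 </dev/null 2>&1)
    [ "$(classify_s_client_output "$out")" = TLS12_OK ]
}

# Audit every member in the list; the return value is the number of
# members that failed the TLS 1.2 check (0 means all compliant).
audit_pool() {
    failed=0
    for member in $1; do
        host=${member%:*}; port=${member##*:}
        if check_tls12 "$host" "$port"; then
            echo "$member: TLS 1.2 OK"
        else
            echo "$member: TLS 1.2 FAILED - remediate before upgrading to NSX 4.X"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Only probe the network when explicitly asked, so the functions can be
# sourced and reused without side effects.
if [ -n "${TLS_AUDIT_RUN:-}" ]; then
    audit_pool "$POOL_MEMBERS" || echo "$? pool member(s) are not TLS 1.2 compliant"
fi
```

Run it from root mode on the NSX Manager with `TLS_AUDIT_RUN=1 sh tls12_audit.sh` after editing POOL_MEMBERS.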

Additional Information

Detailed compatibility requirements for OpenSSL 3.0 are documented in KB 368005.