Traffic blocked as DFW rules were applied to VMs due to accidentally installing NSX on cluster(s)


Article ID: 428463


Products

VMware NSX, VMware vDefend Firewall, VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

  • Traffic that was supposed to be allowed is suddenly blocked by a DFW rule.
  • This happens because NSX was accidentally installed on a cluster, so DFW rules were applied to the VMs on the hosts in that cluster.
  • When you try to uninstall NSX by selecting the cluster and clicking "REMOVE NSX", the following error is observed:

Feb 3, 2026, 5:33:52 PM : Error: The resource Virtual Machine with ID ########-####-####-####-############ used by compute collection ########-####-####-####-############ :domain-c###### is a member of a security group. Please update the group membership to remove the resource and try uninstalling again. (Error code: 9611)

Environment

VMware NSX 4.1.1 or above

Cause

In NSX 4.1.1 and later, a validation check runs during a security-only uninstall to determine whether a VM (connected via an NSX Segment or a Distributed Portgroup) is a member of any NSGroup(s). If it is, the uninstall process fails with an error (Error code: 9611).

Resolution

This is expected behavior. If it's feasible, remove the VMs / Segments / DVPGs from the NSGroups and then attempt to uninstall NSX.
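To see which VMs have to be removed from NSGroups before the uninstall can succeed, the 9611 messages can be collected and parsed. The following is an added example, not Broadcom code: it assumes the message format quoted under Issue/Introduction, and the UUIDs and domain IDs in the sample are constructed.

```python
import re
from collections import defaultdict

# Pattern follows the error 9611 text quoted in this article. \s* before
# ":domain-c" tolerates the space that appears in that message.
ERR_9611 = re.compile(
    r"Virtual Machine with ID (?P<vm>[0-9a-fA-F-]{36}) "
    r"used by compute collection (?P<cc>[0-9a-fA-F-]{36})\s*:(?P<dom>domain-c\d+) "
    r"is a member of a security group\..*\(Error code: 9611\)"
)

# Constructed sample input: every ID below is made up for this example.
TEMPLATE = (
    "Feb 3, 2026, 5:33:52 PM : Error: The resource Virtual Machine with ID {vm} "
    "used by compute collection {cc}{sep}:{dom} is a member of a security group. "
    "Please update the group membership to remove the resource and try "
    "uninstalling again. (Error code: 9611)"
)
CC = "99999999-aaaa-4bbb-8ccc-0000000000ff"
VM1 = "11111111-aaaa-4bbb-8ccc-000000000001"
VM2 = "11111111-aaaa-4bbb-8ccc-000000000002"
VM3 = "11111111-aaaa-4bbb-8ccc-000000000003"
SAMPLE = "\n".join([
    TEMPLATE.format(vm=VM1, cc=CC, sep=" ", dom="domain-c1001"),
    TEMPLATE.format(vm=VM1, cc=CC, sep=" ", dom="domain-c1001"),  # retry, same VM
    TEMPLATE.format(vm=VM2.upper(), cc=CC, sep="", dom="domain-c1001"),
    "Feb 3, 2026, 5:40:10 PM : Info: constructed unrelated line",
    TEMPLATE.format(vm=VM3, cc=CC, sep=" ", dom="domain-c2002"),
])


def blocking_vms(log_text):
    """Map each compute collection to the sorted VM IDs named in 9611 errors."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = ERR_9611.search(line)
        if m:
            # Normalise case so a repeated VM is only listed once.
            found[f"{m['cc'].lower()}:{m['dom']}"].add(m["vm"].lower())
    return {cluster: sorted(vms) for cluster, vms in sorted(found.items())}


if __name__ == "__main__":
    for cluster, vms in blocking_vms(SAMPLE).items():
        print(cluster)
        for vm in vms:
            print("  still in an NSGroup:", vm)
```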

If it is not feasible to remove the VMs / Segments / DVPGs from NSGroups, perform the following steps:

  1. Create a new host cluster in vCenter (VC).
  2. Enable maintenance mode for the hosts in VC.
  3. Move each host out of the current cluster to the new cluster.
  4. NSX Manager will automatically trigger the uninstall on the host.
  5. Proceed to "Remove NSX" from the old cluster.
  6. Confirm the NSX VIBs are removed completely from the host by running the command: esxcli software vib list | grep -E 'nsx|vsipfwlib'

If the above steps do not resolve the issue, open a case with Broadcom Support.