NSX removal fails with Error Code 9611 in Security-Only Clusters

Article ID: 435154


Products

VMware NSX

Issue/Introduction

  • When attempting to remove NSX from a security-only cluster by selecting the cluster and clicking REMOVE NSX, the process fails with an error similar to the following:

    Error: The resource Virtual Machine with ID <VM UUID> used by compute collection <Compute Manager UUID>:domain-<Cluster MOID> is a member of a security group. Please update the group membership to remove the resource and try uninstalling again. (Error code: 9611)

  • "Virtual Machine" might be replaced with "Transport Node" in the previous error message.

Environment

  • VMware NSX 4.1.1 and later
  • Security-only clusters configured at the global or cluster level

Cause

In NSX 4.1.1 and later, a validation check is performed during uninstallation. If a Transport Node or a Virtual Machine (connected via an NSX Segment or Distributed Portgroup) is an active member of any NSgroup(s) used by Distributed Firewall (DFW) rules, the uninstall process triggers Error Code 9611 to prevent accidental disruption of security policies. This often occurs when system-created groups (such as those for vRealize Network Insight) or manual DFW rules still reference the cluster members.

Resolution

Method 1: Remove Group Memberships

Note: This option may be disruptive to network traffic to/from virtual machines if ALLOW rules are in place that affect VMs being removed from NSgroups.

  1. Log in to the NSX UI and navigate to Security > Distributed Firewall.
  2. Search for the VM names (or Transport Nodes) mentioned in the error message to identify associated NSgroups.
  3. Remove the affected resources from these groups or delete the referencing rules if they are no longer needed.
  4. Attempt the NSX removal from the cluster again.

Method 2: VM Migration Workaround (Recommended if Method 1 is not feasible)

If group memberships cannot be easily modified, follow these steps:

  1. Identify all VMs in the cluster that are members of NSgroups.
  2. Migrate these VMs to hosts in a different cluster.
  3. Attempt the NSX removal from the original cluster again.
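
Each failed attempt reports a blocking resource in the error text, so collecting the 9611 messages from repeated attempts gives the list of resources to handle under Method 1 or Method 2. The script below is an added example, not VMware's code: it parses the error text quoted above, de-duplicates the resources and groups them by cluster. The sample messages and IDs are constructed, and the group-lookup path assumes the ID in the error is accepted as vm_external_id by the NSX Policy API.

```python
import re
from urllib.parse import urlencode

# Matches the message text quoted in this article (one message per line).
ERR_9611 = re.compile(
    r"The resource (?P<kind>Virtual Machine|Transport Node) with ID (?P<rid>\S+) "
    r"used by compute collection (?P<cm>[^:\s]+):(?P<cluster>domain-\S+) "
    r"is a member of a security group\..*?\(Error code: 9611\)")

def parse_9611(text):
    """Unique blocking resources in first-seen order; retries repeat the same ID."""
    seen = {}
    for m in ERR_9611.finditer(text):
        seen.setdefault((m["kind"], m["rid"]), m.groupdict())
    return list(seen.values())

def worklist(text):
    """Group blocking resource IDs by cluster, then by resource type."""
    out = {}
    for r in parse_9611(text):
        out.setdefault(r["cluster"], {}).setdefault(r["kind"], []).append(r["rid"])
    return out

def group_lookup_path(resource):
    """Policy API path listing a VM's groups. Assumes the ID in the error is
    accepted as vm_external_id; Transport Nodes are checked in the UI (None)."""
    if resource["kind"] != "Virtual Machine":
        return None
    return ("/policy/api/v1/infra/virtual-machine-group-associations?"
            + urlencode({"vm_external_id": resource["rid"]}))

# Constructed sample: two uninstall attempts (VM repeated), one Transport Node,
# and one unrelated line. All IDs and the unrelated message are made up.
_MSG = ("Error: The resource {kind} with ID {rid} used by compute collection "
        "cm-0001:domain-c8 is a member of a security group. Please update the group "
        "membership to remove the resource and try uninstalling again. (Error code: 9611)")
SAMPLE = "\n".join([
    _MSG.format(kind="Virtual Machine", rid="vm-aaaa-0001"),
    _MSG.format(kind="Virtual Machine", rid="vm-aaaa-0001"),
    "Error: General error has occurred. (Error code: 100)",
    _MSG.format(kind="Transport Node", rid="tn-bbbb-0002"),
])

if __name__ == "__main__":
    for cluster, kinds in worklist(SAMPLE).items():
        print(cluster, kinds)
    for r in parse_9611(SAMPLE):
        print(r["rid"], group_lookup_path(r))
```

Review the groups returned for each VM against the DFW rules that reference them before changing membership, since removing a VM from a group used by an ALLOW rule affects its traffic.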

Additional Information