NSX Uninstall on cluster with DFW on DVPG feature enabled causes the hosts to lose connectivity as the DVS switch gets disabled
Article ID: 438292

Products

VMware NSX

Issue/Introduction

  • During the uninstallation of VMware NSX from an ESXi host in a cluster with Distributed Firewall (DFW) on Distributed Virtual Port Group (DVPG) enabled, the host may lose management network connectivity.
  • An inspection of the hostswitch configuration reveals that the vSwitch is explicitly disabled:
    com.vmware.vswitch.disabled = true , propType = CONFIG
  • Additionally, nsx-syslog records errors indicating a failure to list ports on the DVS during the uninstall operation:
    nsx-opsagent[<REDACTED_SECRETS>]: NSX <REDACTED_SECRETS> - [nsx@4413 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="<REDACTED_SECRETS>" level="ERROR" errorCode="MPA44209"] [PortOp] list ports failed on dvs [<REDACTED_MAC_ADDRESSES>], error code [bad0005]
  • nsxaVim.log shows entries similar to the one below, recording that the disabled property was added to the DVS:
    2026-04-02T05:09:10Z In(14) nsxaVim: [62914246]: INFO Add com.vmware.vswitch.disabled for dvs [50 03 ## ## 2a cd ## ##-af f0 ## ## 73 f2 ## ##]


Environment

VMware NSX

Cause

This issue occurs during NSX uninstall when the security extraConfig properties are not cleared from the ports, yet the uninstall proceeds with its remaining steps anyway. The properties fail to clear because of a datapath error when listing ports on the DVS, although other datapath errors can trigger the same failure.

Resolution

The issue is resolved in NSX 9.1.1, 9.2 and 4.2.5 or later releases.

Workaround 1:
Note: These steps require that the hosts be placed in Maintenance mode, so a maintenance window is needed.

To restore host connectivity and complete the uninstall:

Step 1: Re-establish host connectivity

Log in to the host through the console and manually set "com.vmware.vswitch.disabled" to "false" so that the vSwitch is enabled again.
e.g. net-dvs -s "com.vmware.vswitch.disabled"="false" -p hostPropList "DVS_NAME"

Step 2: Clean up the stale Transport Node (TN) configuration

i) Try a regular Transport Node uninstall, if that option is available.
ii) If i) is not available, attempt a force DELETE:
    DELETE /policy/api/v1/infra/sites/default/enforcement-points/default/host-transport-nodes/<Host-TN-NSX UUID>?unprepare_host=false&force=true
iii) After ii), verify that the Transport Node entry no longer exists for that host.

This KB can be used as a reference for most of these steps: https://knowledge.broadcom.com/external/article?articleNumber=319975

After these steps, follow step 6) onwards in https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/installation-guide/uninstall-nsx-from-a-host-transport-node/uninstall-nsx-from-a-managed-esxi-host.html
This is needed to check whether NSX bits remain on the host and, if they do, to clean them up using the 'del nsx' command.

Workaround 2:
- This workaround detects the issue beforehand and prevents the host from losing connectivity.

Step 1:
Deactivate NSX on DVPG on the cluster

Step 2:
Check whether any security extra config remains on the ports

- Log in to the host and run
net-dvs -l | grep 'com.vmware.port.extraConfig'

If any port still has the com.vmware.port.extraConfig.security.enable or com.vmware.port.extraConfig.logicalPort.id property, the security extra config cleanup was not successful.

Step 3: If the previous step showed that the cleanup was unsuccessful,

manually clean up the extra config using net-dvs commands:

net-dvs -u <property> -p <port-id> <dvs-name>
e.g. net-dvs -u com.vmware.port.extraConfig.security.enable -p 6 vds1

Step 4: Once you have verified that no security extra config remains on the ports, continue with the NSX uninstall on the cluster.
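Steps 2 and 3 of Workaround 2 as a script: an added example, not part of this KB, that scans saved 'net-dvs -l' output for leftover security extraConfig properties and prints one 'net-dvs -u' cleanup command per port. The sample output below is constructed, and the layout it parses (a 'switch' header, the switch name in com.vmware.common.alias, then 'port N:' sections of indented 'name = value' lines) is an assumption about the net-dvs -l format, so check it against a real host before relying on the generated commands.

```shell
#!/bin/sh
# Find NSX security extraConfig properties left on DVS ports after
# "Deactivate NSX on DVPG" and emit the net-dvs -u command that removes each.
# Assumed net-dvs -l layout: "switch <uuid> (<type>)" header, the switch
# name in com.vmware.common.alias, then "port <n>:" sections.

# Constructed sample of net-dvs -l output (not captured from a real host).
SAMPLE_NET_DVS_OUTPUT='switch 50 03 aa bb 2a cd 11 22-af f0 33 44 73 f2 55 66 (etherswitch)
    max ports: 1024
    global properties:
        com.vmware.common.alias = vds1 ,    propType = CONFIG
        com.vmware.common.version = 0x 4. 0. 0. 0
    host-specific properties:
        com.vmware.vswitch.disabled = false , propType = CONFIG
    port 5:
        com.vmware.common.port.alias = vmk0
    port 6:
        com.vmware.common.port.alias = vm-web-01
        com.vmware.port.extraConfig.security.enable = 1
        com.vmware.port.extraConfig.logicalPort.id = 0a1b2c3d-0000-0000-0000-000000000001
    port 7:
        com.vmware.port.extraConfig.logicalPort.id = 0a1b2c3d-0000-0000-0000-000000000002
'

# Reads net-dvs -l text on stdin; prints "net-dvs -u <prop> -p <port> <dvs>"
# for every leftover security.enable / logicalPort.id property found.
leftover_cleanup_cmds() {
  awk '
    /^switch / { dvs = ""; port = ""; next }
    /com\.vmware\.common\.alias = / { dvs = $3; next }
    /^[ \t]*(global|host-specific) properties:/ { port = ""; next }
    /^[ \t]*port [0-9]+:/ { port = $2; sub(/:$/, "", port); next }
    port != "" && /com\.vmware\.port\.extraConfig\.(security\.enable|logicalPort\.id)/ {
      printf "net-dvs -u %s -p %s %s\n", $1, port, dvs
    }
  '
}

# Returns 0 (success) only when no leftover property exists in the given output,
# i.e. it is safe to continue with the NSX uninstall (Step 4).
check_ports_clean() {
  n=$(printf '%s' "$1" | leftover_cleanup_cmds | wc -l | tr -d ' ')
  [ "$n" -eq 0 ]
}

# Usage on a host: net-dvs -l > /tmp/net-dvs.txt; leftover_cleanup_cmds < /tmp/net-dvs.txt
printf '%s' "$SAMPLE_NET_DVS_OUTPUT" | leftover_cleanup_cmds
```

Review the printed commands before running them; each one removes exactly one property from one port, matching the manual Step 3 command.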