Unable to delete an NSX segment with an orphaned HCX Network Extension logical port

Article ID: 442132

Updated On:

Products

VMware NSX

Issue/Introduction

An NSX segment cannot be deleted after the network was previously extended with VMware HCX Network Extension. The HCX environment has since been decommissioned, and the HCX appliances no longer exist. One or more orphaned logical ports remain attached to the segment and block its removal.

In the NSX UI, the affected segment shows a remaining logical port that uses the HCX network-extension naming prefix (for example, a port name beginning with Infra-hcx-ne-). The port shows Admin Status Up and Operational Status Up, with an attachment to a Logical Router (LR). No virtual machine ports are present on the segment.

Deleting the segment fails while the port remains attached. The delete may also return the following error, even when no virtual machines are connected:

Disconnect all VMs and VIFs before deleting a segment.

This differs from a standard stale logical port, which typically shows Operational Status Down in Manager view after a virtual machine is detached.

Environment

  • VMware NSX 4.x
  • VMware HCX
  • VMware Cloud Foundation (VCF)

Cause

HCX Network Extension creates a logical port on the NSX segment to bridge the extended Layer 2 network. When the HCX environment is removed without first unextending the networks from HCX Manager — for example, when the HCX appliances or service mesh are deleted while unreachable — the network-extension logical port is left behind on the segment.

NSX does not automatically remove these orphaned ports. While the port remains attached, the segment reports active ports and cannot be deleted. If the segment is still connected to a Tier-1 gateway, the associated LogicalRouterPort keeps the port Operational Status Up even when no virtual machine traffic is present.

Resolution

Remove the orphaned logical port and then delete the segment. Detaching the segment from its Tier-1 gateway clears the LogicalRouterPort that holds the port Operational Status Up, allowing the segment to reach a zero-port state. Repeat the procedure for each affected segment.

Remove the orphaned port and segment (repeat per segment)

  1. In the NSX UI, go to Networking > Segments, click the segment, and open Related > Ports. Confirm that no virtual machine ports are present and that only a LogicalRouterPort or the orphaned HCX network-extension port remains.
  2. Go to Security > Distributed Firewall > Exclusion List > User Excluded Groups. If a group that contains the segment appears, click Manage Exclusion List, clear the group, and click Apply.
  3. Go to Inventory > Groups and search for the segment name or its CIDR. For any matching group, click the ellipsis (three dots) and select Where Used. Repeat the search under Security > Distributed Firewall and Security > Gateway Firewall. Remove or edit any rule references before continuing.
  4. Go to Networking > Segments, click the ellipsis next to the segment, and select Edit. Set Connected Gateway & Type to None, then click Save and Close Editing. Setting the gateway to None automatically removes the associated LogicalRouterPort.
  5. In Networking > Segments, confirm the Ports/Interfaces column shows 0 for the segment. The count may take a few minutes to update.
  6. Click the ellipsis next to the segment, select Delete, and confirm.
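
The checks in steps 1, 3 and 4 can also be run as a read-only pre-deletion audit over exported inventory. The following is an added example, not part of the original article or any Broadcom tooling. The field names (display_name, path, connectivity_path, subnets/network, expression paths/ip_addresses) are assumptions modelled on NSX Policy API objects, and the sample inventory is constructed.

```python
import ipaddress

HCX_NE_PREFIX = "Infra-hcx-ne-"  # port-name prefix quoted in the article

def predelete_blockers(segment, ports, groups):
    """Return reasons (keyed to the steps above) why the segment is not ready to delete."""
    blockers = []
    nets = [ipaddress.ip_network(s["network"], strict=False)
            for s in segment.get("subnets", [])]
    # Step 1: any port without the HCX prefix must be reviewed by hand.
    for port in ports:
        name = port.get("display_name", "")
        if not name.startswith(HCX_NE_PREFIX):
            blockers.append(f"step 1: review port {name}")
    # Step 3: groups that reference the segment by path or by an overlapping CIDR.
    for group in groups:
        for expr in group.get("expression", []):
            if segment["path"] in expr.get("paths", []):
                blockers.append(f"step 3: group {group['display_name']} uses segment path")
            for addr in expr.get("ip_addresses", []):
                try:
                    net = ipaddress.ip_network(addr, strict=False)
                except ValueError:
                    continue  # address ranges and other forms: check manually
                if any(net.overlaps(n) for n in nets):
                    blockers.append(f"step 3: group {group['display_name']} overlaps {addr}")
    # Step 4: the segment must be detached from its gateway before deletion.
    if segment.get("connectivity_path"):
        blockers.append("step 4: gateway still connected")
    return blockers

# Constructed sample inventory (assumed field names, not from a real environment).
SEGMENT = {"path": "/infra/segments/seg-example",
           "connectivity_path": "/infra/tier-1s/t1-example",
           "subnets": [{"network": "10.10.20.0/24"}]}
PORTS = [{"display_name": "Infra-hcx-ne-example"}, {"display_name": "vm-example-01"}]
GROUPS = [
    {"display_name": "grp-by-path",
     "expression": [{"paths": ["/infra/segments/seg-example"]}]},
    {"display_name": "grp-by-cidr",
     "expression": [{"ip_addresses": ["10.10.20.0/25", "10.0.0.5-10.0.0.9"]}]},
    {"display_name": "grp-other",
     "expression": [{"ip_addresses": ["192.168.50.0/24"]}]},
]

if __name__ == "__main__":
    for line in predelete_blockers(SEGMENT, PORTS, GROUPS):
        print(line)
```

An empty result means none of the three checks found a blocker; the exclusion-list review in step 2 and the firewall rule searches in step 3 still need to be done in the UI.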

If the issue persists after these steps, contact Broadcom Support for further assistance.

Additional Information