Please don't upgrade NSX just now, says VMware
Most recent patch is messing up VMs using Distributed Firewall and Security Groups
VMware is advising users of its NSX network virtualisation product not to upgrade to version 6.2.3, released in early June.
The update addressed CVE-2016-2079, a vulnerability that allows remote attackers to obtain sensitive information. In other words, just the kind of thing you probably want to patch, not least because NSX is often used as a security-enhancer!
But Virtzilla's since discovered that NSX 6.2.3 can disrupt some virtual machines.
As explained in this Knowledge Base article, the problem means “Traffic disruption may be encountered upon a vMotion operation on compute virtual machines followed by changes to configuration of the Global Address Sets in the SG referenced for that virtual machine.”
The problem stems from the introduction of a new Global Address set, called Addrset. There's nothing wrong with Addrset. But if you upgrade to 6.2.3, “when virtual machines that were part of a SG that was created in NSX-V 6.2.3 and earlier version are migrated to another host running NSX-V 6.2.3, [the VMs] would continue to refer to the old local copy of Addrset and ignore new updates in the Global Addrset.”
There's some good news in the form of VMware's explanation of a workaround, but despite the existence of that fix Virtzilla's still advising that “Customers using Distributed Firewall and Security Groups are advised to not install or upgrade to NSX for vSphere (NSX-V) 6.2.3.”
If that means you got your weekend back, enjoy it! ®