July 16, 2018
NSX for vSphere 6.2 was released on 20th of August 2015. It follows the Application Platform lifecycle policy which ensures 3 years of General Support and additional 1 year Technical Guidance. Based on the Product Lifecycle Matrix that means that General Support will end on August 20, 2018 and Technical Guidance will end on August 20, 2019.
The simple way not to have to worry about this at all is to upgrade, but a successful upgrade requires a lot of planning and research. VMware Interoperability Matrix is a great starting point. Based on your current NSX version, you can chose a supported upgrade path, avoiding incompatible or unsupported upgrades.
Speaking of NSX-v 6.2, the matrix clearly shows that there are some incompatibilities with specific higher versions. For example if you run NSX-v 6.2.0, 6.2.1 or 6.2.2 you cannot upgrade directly to 6.3.5 or higher. It’s advised first to upgrade to the latest 6.2.x (6.2.9) and then perform further upgrade. This is thoroughly explained in VMware KB51624. In this particular case, as part of the intermediate upgrade step, you need to upgrade the NSX Manager only. All other components can be upgraded once you reach the desired version.
Unfortunately, there might be other issues during the upgrade process that can introduce availability or security impact. I came across VMware KB51972 which describes one such scenario. During an upgrade of NSX components on the NSX prepared hosts, VMs protected by Distributed Firewall may lose network connectivity if migrated to hosts with lower dvfilter version. Below is a summary from the KB outlining the supported and unsupported scenarios:
- Migrating a VM from the non-upgraded host to the upgraded host is supported.
- Migrating a VM from the upgraded host to the non-upgraded host of which dvfilter version is the same as the source is supported.
- Migrating a VM from the host installed with NSX 6.3.x to the host installed with NSX 6.2.x is not supported.
- Migrating a VM from the host installed with more than NSX 6.2.4 to the host installed with NSX 6.2.2 or earlier is not supported.
The dvfilter operates at Slot 0 of the Distributed Firewall IOChain and based on the KB article there is no backwards compatibility with previous versions. To avoid this issue, it’s recommended to upgrade the NSX components on all ESXi hosts part of the DFW enabled cluster in the same maintenance window. In addition, setting DRS (if enabled) to manual will ensure VMs are not automatically migrated to hosts with lower dvfilter version.
To make the whole upgrade a lot easier, this and other NSX and vSphere configuration issues can be proactively discovered with Runecast Analyzer.
Once you choose a target NSX version, it is recommended to review the corresponding Release Notes for known issues, limitations, or requirements. In addition, make sure that the target NSX version is compatible with the other components in your environment - like vCenter Server and ESXi hosts. This can be checked at the VMware Interoperability Matrix.
To complete your upgrade plan, I encourage you to go through the NSX Upgrade Guide. You’ll find a detailed explanation of the update sequence and dependencies.
Hope this saves you some time.
Never miss new blog post!
Never miss new blog post from Runecast!