VMware recently made NSX 6.3.5 (Build 7119875) available for download. This is a full maintenance release including a number of fixes.
There are numerous fixes in this release that will be of interest. Most notable are the fixes related to Guest Introspection, a feature leveraged by several third-party AV and security products and by the NSX Identity Firewall. There are several enhancements to GI: deployment naming, network event filtering, and CPU utilization fixes in the form of threshold modifications via API. There is also a fix for issue number 1897878, outlined in VMware KB 2151235, that sometimes caused a “Lost communication with ESX module” message.
What’s New in 6.3.5
Anyone using Guest Introspection should definitely consider upgrading
“For vCenter 6.5 and later, Guest Introspection VM’s, on deployment, will be named Guest Introspection (XX.XX.XX.XX), where XX.XX.XX.XX is the IPv4 address of the host on which the GI machine resides.”
In larger NSX deployments using GI, the associated guest configuration should be easier to identify.
“Guest Introspection service VM will now ignore network events sent by guest VMs unless Identity Firewall or Endpoint Monitoring is enabled.”
According to some reports, this is a feature that was occasionally disabled in very large deployments to improve 3rd party A/V scalability. The vast majority don’t use ‘Network Introspection’ services, so it’s good to see that it’s now off by default. It will more readily allow for adoption of these services and can be implemented if needed.
Also worth noting, under serviceability enhancements for L2VPN: changing or enabling logging no longer requires a process restart, and some additional log detail is available.
In short, lots.
In addition to the Guest Introspection memory consumption issue, several migration and upgrade problems were addressed. The controller disconnect issue and password expiry issues are also resolved in this release. Among the logical networking and edge components, fixes to the Edge IPsec VPN and to failures related to service certificates are most notable. For the Manager and Controller, issues related to reliability, accessibility, and CPU utilization were addressed. Also, in prior editions, upgrading the VIB retained the password file of the vShield firewall, causing delays and occasional packet loss related to the time it takes to update the password by connecting to the NSX manager in an automated DRS cluster.
Should you deploy 6.3.5? I don’t see a reason why you would not jump to 6.3.5 in a new deployment, but paying close attention to known issues and workarounds in an upgrade is key. I only see one issue, related to the sslvpn service using a local authentication server, which doesn’t post a workaround. The issue may generate support calls from end users or administrators logging in during a password change.