NSX-T – Upgrading from 2.3.x or 2.4.x to 2.5.x What do I do and where do I begin?

NSX-T 2.5.1 and PKS

If you are using PKS, special compatibility consideration is required before upgrading. Only specific PKS versions are compatible with NSX-T 2.5, and PKS always needs to be upgraded to a compatible release before NSX-T can be upgraded. More detailed information can be found in the VMware PKS 1.5/1.6 Release Notes referenced in Appendix A.

The first version of VMware Enterprise PKS that is compatible with NSX-T 2.5.0 is version 1.5. Prior releases are not compatible, and you should not upgrade NSX-T until you are able to get PKS to a supported version.

You can find detailed information on NSX-T and PKS compatibility in the VMware Compatibility Guide. A link to this matrix can be found in Appendix A of this document.

Important Notes:

  • If using PKS 1.4.0, vSphere 6.7 U2 is the only supported vSphere release. Do not use 1.4.0 if you are using vSphere 6.5 or older 6.7 releases.
  • When upgrading to NSX-T 2.4.0 or later, the existing NSX-T 2.3 configuration is copied to NSX-T v2.4 under the Advanced Networking and Security tab. The network objects required by PKS can only be managed from this section of the UI and won’t be visible in the new simplified UI. After the upgrade you should see an information banner in the simplified UI that indicates objects are available in the “Advanced Networking” tab instead.

VMware Process Recommendations 

As with any upgrade activity, it is very important that it be carefully planned and executed in a change window. Some of the upgrade process may include data plane outages that need to be considered. Below are some general guidelines:

  • Open a proactive VMware SR for the duration of the change window. This will ensure quicker turnaround time with VMware Technical Support should something happen.
  • Work with VMware GSS and your account team to ensure that your proactive SR and activities are added to the weekend watch list. This will raise awareness and increase response time should an issue happen on the weekend.
  • Although it is sometimes unavoidable due to a limited number of change windows, it is recommended that the number of simultaneous changes be limited during an NSX-T upgrade. For example, upgrading vSphere or other infrastructure components at the same time as NSX-T is not recommended due to extra variables and added complexity should something go wrong.

Prerequisite information to be reviewed

Environment is at one of the following or newer:

  • Minimum 6.5 build is 13004031 which is ESXi 6.5 Express Patch 13       
  • Minimum vCenter Appliance 6.5 U2d
  • vCenter 6.7 U3 Appliance supported but need existing NSX-T environment at 2.4.2

Ensure existing environment is working without any known issues prior to beginning upgrade with these steps:

  • Identify and record the administrative user IDs and passwords. (Use Admin account is preferred)
  • Backups of environment have been completed
  • Verify that you can log in to the NSX Manager web user interface
  • Check the Dashboard, system overview, host transport nodes, edge transport nodes, NSX Edge cluster, transport nodes, HA status of the edge, and all logical entities to make sure that all the status indicators are green, deployed, and do not show any warnings
  • Validate North-South connectivity by pinging out from a VM
  • Validate that there is an East-West connectivity between any two VMs in your environment
  • Record BGP states on the NSX Edge devices
  • #get logical-routers
  • #vrf SR
  • #get bgp
  • #get bgp neighbor

During the NSX Edge upgrade, you might experience the following traffic interruption:

  • North-south datapath is affected if the NSX Edge is part of the datapath
  • East-west traffic between tier-1 routers using NSX Edge firewall, NAT, or load balancing
  • Temporary Layer 2 and Layer 3 interruption
  • Configuration changes are not blocked on NSX Manager but might be delayed

**Important to validate**

  • If the ESXi hosts are part of a fully enabled DRS Cluster, check if you have DRS enabled in your vCenter Cluster
  • If your NSX nodes are running in the same ESXi hosts that are used as NSX hosts (in the Host Transport Zones), then be aware that all ESXi hosts during the upgrade will enter Maintenance Mode and all VMs needs to vMotion to another ESXi host during this upgrade.
  • Always check that you have enough resources in the Cluster for NSX can move vMotion and also other VMs that you may have running in this ESXi hosts.

NSX-T Upgrade Order

To upgrade to NSX-T 2.5.1, the following upgrade order should be observed:

  1. Upgrade the NSX Cloud components from 2.4.0 and later as discussed in the Upgrading NSX Cloud Components from NSX-T Data Center 2.4 to later guide referenced in Appendix A.
  2. Upgrade ESXi and Ubuntu/SLES/RHEL/CentOS hosts if they are not compatible with 2.5.0.
  3. Upgrade the Upgrade Coordinator
  4. Run Pre Checks (Review results before moving on to next step)
  5. Upgrade the NSX Edge Clusters
  6. Upgrade the Hosts (Maintenance mode during the process for each host)
  7. Upgrade the Management Plane
  8. Upgrade Policy Manager

Reference information that could also be helpful for consideration:

NSX-T Upgrade Path Matrix:
NSX-T 2.5.1 Release notes:
NSX-T 2.5.0 Release notes:
NSX-T and PKS Interoperability:
VMware PKS 1.5 Release Notes
NSX-T 2.4.0 Release Notes:
Upgrading NSX Cloud Components from NSX-T Data Center 2.4 to later
NSX-T Command Line Reference
NSX-T 2.5 Upgrade Guide:
NSX-T 2.4 Installation Guide:
KB 67449 – Important information before upgrading to NSX-T Data Center 2.5.0:
KB 67445 – With IP Discovery enabled, host VIB update may fail when upgrading to NSX-T 2.5.0:
KB 67444 – Host VIB update may fail when upgrading from NSX-T 2.3.x to NSX-T 2.5.0 if VMs are storage vMotioned before host upgrade:
KB 67821 – Repository Status “Sync Failed” after upgrade to NSX-T 2.5.0:

KB 76607 – ESXi hosts in a NSX-T prepared cluster running ESXi 6.5/6.7 versions may reboot during upgrade to NSX-T 2.5.1
KB 70865 – NSX-T upgrade on ESXi hosts fails at 40% in environments running containers
KB 70691 – NSX-T admin password expired
KB 71132 — NSX-T 2.4 and 2.4.1 NAT issues
KB 71363 — East-West traffic between workloads behind different T1 routers is
NSX-T Data Center Migration Coordinator Guide:

NSX-T 2.5.1 Upgrade Bundle:
File Name: VMware-NSX-upgrade-bundle-
MD5 Sum: 4f361a1320cf50df184a31273bc95f16
Download Link: https://my.vmware.com/web/vmware/details?productId=673&downloadGroup=NSX-T-251
NSX-T 2.5.0 Upgrade Bundle:
File Name: VMware-NSX-upgrade-bundle-
MD5 Sum: 437da88144b3d4f8a8e76f8743ce3741
Download Link:
NSX-T 2.4.1 Upgrade Bundle (For vSphere rollback purposes)::
File Name: VMware-NSX-upgrade-bundle-
MD5 Sum: 49b09c7ace4a2a45bd55eff131a8e7e1
Download Link: https://my.vmware.com/web/vmware/details?productId=673&rPId=33195&downloadGroup=NSX-T-241