This KB documents a known issue with NSX Data Center 6.4.4 that may prevent upgrading NSX Edge Service Gateways or making changes to them.
1. Edge upgrade fails OR
2. After an Edge upgrade to 6.4.4, Edge configuration changes may time out.
Customers upgrading from NSX Data Center 6.3.x or 6.4.x release to 6.4.4 may experience this issue.
VMware NSX for vSphere 6.4.x
This issue happens only if the edge firewall or distributed firewall has rules applied to edges and those rules use security groups or IP sets.
The message queue that processes security group and IP set updates was not configured correctly, so communication between NSX Manager and the edge is blocked once the number of pending messages reaches a threshold. This is fixed by correcting the message queue configuration.
This issue is resolved in VMware NSX for vSphere 6.4.5, available at Broadcom Downloads.
If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.
There are two methods to work around this issue:
1. Do not use grouping objects in firewall rules applied to edges.
2. Contact VMware support for guidance.
Impact/Risks:
1. Unable to upgrade an edge to 6.4.4 OR
2. Unable to make configuration changes on an edge already running 6.4.4