Yesterday I performed a vCNS 5.5 upgrade to NSX 6.2.3. I did run into issues later on the day thanks to NTP, there is a small gotcha here even if you had set it up correctly!
The environment:
- vCenter 5.5 VCSA + embedded SSO
- ESXi 5.5
- vCNS 5.5 ( vShield Manager + vShield APP Firewalls)
- some VMs ( including DHCP and Domain Controller)
- NTP running from a Windows Server
Performing the upgrade of vCNS is pretty straight forward:
Download the NSX upgrade package: VMware-vShield-Manager-upgrade-bundle-to-NSX-6.2.3-3979471.tar.gz.
Open the vCNS vShield Manager
Go to Updates and Upload Upgrade Bundle
After the upgrade you might end up with a web interface which looks like a mix of vCNS and NSX. Flush the cache, close your browser and open it again. That should do the trick. The split interface should be gone now and you should be left with an NSX interface only.
In the end I ran into issues where the Lookup Service would fail:
It took me a while to find the issue. SSL certificates matched, DNS was setup correctly NTP was setup correctly too.However I did notice that even though all parts ( ESXi servers, vCenter server, Domain Controller, etc) were using the same NTP server, there was a time discrepancy between my VCSA and the migrated vShield Manager to NSX Manager of about 5 minutes. Very odd as there never had been any problems with vShield Manager.
So here is what I did to get rid of this:
Remove the NTP enty you have on your NSX Manager and replace the entry by any setting at all. After the NSX Manager accepts the fake IP, replace the IP again with the IP used for your NTP server and BINGO!
PS: If you are having issues with certificates, have a look at Anthony’s post: NSX BYTES: NO NSX MANAGERS LISTED IN WEB CLIENT AFTER VCENTER CERTIFICATE UPGRADE
Another point to add Is that the lookup service in NSX uses port 443 instead of port 7444, you may receive the SSL certificate of the STS service cannot be verified error If this port isn’t configured correctly. See more here (https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2121696).