Upgrading the Panorama Plugin for VMware NSX to 3.2.0

When upgrading Panorama plugin for VMware NSX to 3.2.0, additional actions are required to ensure that all your IP address tag information is maintained after the upgrade.
Upgrading to the Panorama plugin for VMware NSX 3.2.0 directly from plugin 2.0.5 or older is not supported. If you are running 2.0.5 or older, you must upgrade to Panorama plugin for VMware NSX 2.0.6 or 3.1.0 before upgrading to 3.2.0.

Upgrade the Panorama Plugin for VMware NSX 3.2.0

If your Panorama is running 9.0.x or 9.1.x, after upgrading the plugin,
Synchronize Dynamic Objects
on each NSX Service Manager configured on Panorama. To synchronize dynamic objects, log in to the Panorama web interface and select
Panorama
VMware
NSX-T
Service Managers
and click
Synchronize Dynamic Objects
. Repeat the
Synchronize Dynamic Objects
on any NSX-V service managers.
If your Panorama is running 10.0.x, complete the following procedure to upgrade the Panorama plugin for VMware NSX to 3.2.0. If you are upgrading from plugin 3.1.0 to 3.2.0, some additional steps are required after installing plugin 3.2.0. You must clear your IP-tag learned from your NSX-T environment and
Synchronize Dynamic Objects
on each NSX-T and NSX-V service manager configured on Panorama.
Multi-plugin support on Panorama is enabled by default in 10.0.1.
  1. Log in to the
    active
    Panorama peer web interface and upgrade the Panorama plugin for VMware NSX 3.2.0.
    1. Select
      Panorama
      Plugins
      .
    2. Select
      Check Now
      to retrieve a list of available updates.
    3. Select
      Download
      in the Action column to download the plugin.
    4. Select the version of the plugin and click
      Install
      in the Action column to upgrade the plugin. Panorama will alert you when the upgrade is complete.
  2. Log in to the
    passive
    Panorama peer web interface and upgrade the Panorama plugin for VMware NSX 3.2.0.
    1. Select
      Panorama
      Plugins
      .
    2. Select
      Check Now
      to retrieve a list of available updates.
    3. Select
      Download
      in the Action column to download the plugin.
    4. Select the version of the plugin and click
      Install
      in the Action column to upgrade the plugin. Panorama will alert you when the upgrade is complete.
  3. Clear all NSX-T IP-tag mappings on the
    active
    Panorama peer.
    1. Log in to the Panorama CLI.
    2. Execute the following command on the Panorama.
      debug plugins vmware_nsx nsx_t clear-tags
  4. Synchronize the dynamic objects on each NSX-T and NSX-V Manager configured on the
    active
    Panorama peer.
    1. Log in to the active Panorama peer web interface.
    2. Select
      Panorama
      VMware
      NSX-T
      Service Managers.
    3. Click
      Synchronize Dynamic Objects
      . Repeat this step for each NSX-T Service Manager.
    4. Select
      Panorama
      VMware
      NSX-V
      Service Managers.
    5. Click
      Synchronize Dynamic Objects
      . Repeat this step for each NSX-V Service Manager.
  5. Verify that all NSX-T and NSX-V dynamic address groups contain IP addresses.
    1. Select
      Objects
      Address Groups
      .
    2. Under
      Address
      , click
      more...
      to view the IP addresses associated with the dynamic address group.
  6. Force a failover from the active Panorama peer to the passive Panorama peer.
  7. Clear all NSX-T IP-tag mappings on the passive Panorama peer.
    1. Log in to the Panorama CLI.
    2. Execute the following command on the Panorama.
      debug plugins vmware_nsx nsx_t clear-tags
  8. Synchronize the dynamic objects on each NSX-T and NSX-V Manager configured on the
    active
    Panorama peer.
    1. Log in to the active Panorama peer web interface.
    2. Select
      Panorama
      VMware
      NSX-T
      Service Managers.
    3. Click
      Synchronize Dynamic Objects
      . Repeat this step for each NSX-T Service Manager.
    4. Select
      Panorama
      VMware
      NSX-V
      Service Managers.
    5. Click
      Synchronize Dynamic Objects
      . Repeat this step for each NSX-V Service Manager.
  9. Verify that all NSX-T and NSX-V dynamic address groups contain IP addresses.
    1. Select
      Objects
      Address Groups
      .
    2. Under
      Address
      , click
      more...
      to view the IP addresses associated with the dynamic address group.

Downgrade the Panorama Plugin for VMware NSX from 3.2.0 to 3.1.0

If you need to downgrade the Panorama plugin for VMware NSX from 3.2.0 to 3.1.0 when Panorama is running 10.0.1 or later, complete the following procedure.
  1. Before you downgrade the Panorama plugin for VMware NSX 3.2.0, you must remove any VM-Series firewalls in shared device group you have deployed in NSX-T and the associated service chains.
  2. Delete or modify any NSX-T service definitions that have been configured with a device group shared with an NSX-V service defintion. If you choose to modify your service definitions, change the configured device group to one that is not shared with an NSX-V service definition.
    1. Log in to the Panorama web interface.
    2. Select
      Panorama
      VMware
      NSX-T
      Service Definitions
      .
    3. Delete or modify your service definition.
      • To modify your service definition, click the name of your service definition and choose a device group not shared with an NSX-V service definition. Click
        Ok
        .
      • To delete your service definition, check the box next to the service defitition name and then click
        Delete
        .
    4. Repeat the above step for each NSX-T service definition with a device group shared with NSX-V.
    5. Commit
      your changes.
  3. Log in to the
    passive
    Panorama peer web interface and downgrade the Panorama plugin for VMware NSX 3.1.0.
    1. Select
      Panorama
      Plugins
      .
    2. Select
      Check Now
      to retrieve a list of available updates.
    3. Select
      Download
      in the Action column to download the plugin.
    4. Select the version of the plugin and click
      Install
      in the Action column to downgrade the plugin. Panorama will alert you when the downgrade is complete.
  4. Log in to the
    active
    Panorama peer web interface and downgrade the Panorama plugin for VMware NSX 3.1.0.
    1. Select
      Panorama
      Plugins
      .
    2. Select
      Check Now
      to retrieve a list of available updates.
    3. Select
      Download
      in the Action column to download the plugin.
    4. Select the version of the plugin and click
      Install
      in the Action column to downgrade the plugin. Panorama will alert you when the downgrade is complete.
  5. Clear all IP-tag mappings on the active Panorama peer from each device group containing NSX-V and NSX-T tags, device group associated with an NSX-T Service Definition, and each device group in a Notify Group notified by NSX-V and NSX-T associated device groups.
    1. Log in to the Panorama CLI on the active peer.
    2. Execute the following command on the Panorama.
      debug dau clear database device-group <device-group-name>
      This command is available on Panorama 10.0.1 or later only.
  6. Synchronize the dynamic objects on each NSX-T and NSX-V Manager configured on the
    active
    Panorama peer.
    1. Log in to the active Panorama peer web interface.
    2. Select
      Panorama
      VMware
      NSX-T
      Service Managers.
    3. Click
      Synchronize Dynamic Objects
      . Repeat this step for each NSX-T Service Manager.
    4. Select
      Panorama
      VMware
      NSX-V
      Service Managers.
    5. Click
      Synchronize Dynamic Objects
      . Repeat this step for each NSX-V Service Manager.
  7. Synchronize dynamic objects on any other plugin that is retrieving IP-tag information to any device group cleared in Step 5.
  8. Verify that all NSX-T and NSX-V dynamic address groups contain IP addresses.
    1. Select
      Objects
      Address Groups
      .
    2. Under
      Address
      , click
      more...
      to view the IP addresses associated with the dynamic address group.
  9. Clear all IP-tag mappings on the passive Panorama peer from each device group containing NSX-V and NSX-T tags, device group associated with an NSX-T Service Definition, and each device group in a Notify Group notified by NSX-V and NSX-T associated device groups.
    1. Log in to the Panorama CLI on the active peer.
    2. Execute the following command on the Panorama.
      debug dau clear database device-group <device-group-name>
  10. Force a failover from the active Panorama peer to the passive Panorama peer.
  11. Synchronize the dynamic objects on each NSX-T and NSX-V Manager configured on the
    active
    Panorama peer.
    1. Log in to the active Panorama peer web interface.
    2. Select
      Panorama
      VMware
      NSX-T
      Service Managers.
    3. Click
      Synchronize Dynamic Objects
      . Repeat this step for each NSX-T Service Manager.
    4. Select
      Panorama
      VMware
      NSX-V
      Service Managers.
    5. Click
      Synchronize Dynamic Objects
      . Repeat this step for each NSX-V Service Manager.
  12. Synchronize dynamic objects on any other plugin that is retrieving IP-tag information to any device group cleared in Step 9.
  13. Verify that all NSX-T and NSX-V dynamic address groups contain IP addresses.
    1. Select
      Objects
      Address Groups
      .
    2. Under
      Address
      , click
      more...
      to view the IP addresses associated with the dynamic address group.

Recommended For You