-------------------------------------------
Original Message:
Sent: Mar 11, 2026 05:07 PM
From: Brandon Stricker
Subject: Upgrading to NSX 4.2.3.3: Any gotchas with the newly added "Known Issue 3626240" for Edge TEPs?
Hi Serhii,
We had this issue several versions ago and ultimately moved to separate VLANs for the edge TEPs from the host TEPs. I wasn't aware of the workaround you were using but hopefully Support will be able to answer that for you for sure. Sorry I couldn't be of more help!
Original Message:
Sent: Mar 11, 2026 04:25 AM
From: Serhii
Subject: Upgrading to NSX 4.2.3.3: Any gotchas with the newly added "Known Issue 3626240" for Edge TEPs?
Hi Charlie,
Thanks for chiming in! I think there might be a slight mix-up regarding the networks involved in the release note.
The issue Broadcom listed (and the related KB 312645) actually isn't about the TEPs sharing a network with Host Management. It is specifically about the Edge VM TEPs sharing the exact same VLAN as the ESXi Host TEPs on the same vSphere Distributed Switch (vDS). When an Edge VM and its host use standard distributed port groups (DVPGs) on the same VLAN, the vSwitch drops the Geneve traffic due to hairpinning.
To answer your question: yes, this absolutely is a consideration in our environment. Our Edge TEP interfaces currently share the same TEP VLAN as our ESXi hosts' TEP interfaces.
To make this work and avoid the tunnel drops, we currently utilize Workaround 1 from KB 312645. Instead of connecting the Edge TEPs to a standard vSphere distributed port group, we have them connected to a trunked VLAN-backed NSX Segment (configured with a VLAN range 0-4094). This allows the traffic to flow without being stripped or dropped by the vDS.
My main concern with this newly added "Known Issue 3626240" is whether 4.2.3.3 introduces a change that breaks this trunked segment workaround, or if Broadcom is simply formalizing and documenting this age-old vDS behavior for the masses.
If anyone is currently running 4.2.3.3 utilizing this shared TEP VLAN + trunked segment workaround and can confirm your tunnels are still stable, it would be a huge peace of mind!
Best regards, Serhii
Original Message:
Sent: Mar 11, 2026 12:35 AM
From: Charlie Silverman
Subject: Upgrading to NSX 4.2.3.3: Any gotchas with the newly added "Known Issue 3626240" for Edge TEPs?
Per the TID, it's only an issue if the TEPs are on the same network as the host management, something that is antithetical to best practice anyway. Is that a consideration in your environment?
Original Message:
Sent: Mar 10, 2026 07:04 AM
From: Serhii
Subject: Upgrading to NSX 4.2.3.3: Any gotchas with the newly added "Known Issue 3626240" for Edge TEPs?
Hi everyone,
I'm currently reviewing the release notes for an upcoming upgrade to NSX 4.2.3.3 and noticed a strange recent addition to the "Known Issues" section.
According to the document revision history, Broadcom just added the following known issue on March 5th:
"Issue 3626240: Edge tunnels to ESXi hosts are down when sharing the same VLAN for TEP traffic. Tunnels between the edge node and prepared ESXi host will be down if the edge node's TEP interface uses a vSphere-created distributed virtual port group (DVPG) and shares the same TEP VLAN as the host. It is recommended to avoid using this particular DVPG and TEP VLAN configuration. For information about tunnel alarms, see KB article 368269."


Link to 4.2.3.3 Release Notes:
https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/release-notes/vmware-nsx-4233-release-notes.html
My question to the community is:
Why was this suddenly converted into a tracked known issue for 4.2.3.3? And in my view, it would be more appropriate to reference KB 312645 rather than KB 368269.
As many of us know, this has been a long-standing architectural limitation in NSX-T dating back several major versions. But seeing it abruptly listed as a "Known Issue" in this specific release makes me wonder if there is more to the story.
- Is this simply Broadcom finally formalizing an age-old limitation with an official issue ID?
- Or is it not that simple - did something actually change under the hood in 4.2.3.3 that makes the old workarounds fail, making it unsafe to upgrade?
Has anyone pulled the trigger and upgraded to 4.2.3.3 yet? Did everything go smoothly, or have you noticed any unexpected TEP tunnel drops?
Thanks in advance for any insights!
-------------------------------------------
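A pre-upgrade check for the condition discussed in this thread, as an added example that is not from any poster or from Broadcom: it flags an Edge whose TEP sits on a vSphere-created DVPG, on the same vDS and the same TEP VLAN as the prepared host it runs on. The record layout, node names and VLAN numbers are constructed for illustration and are not NSX or vCenter API output.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TepAttachment:
    node: str      # Edge VM or ESXi host name (constructed)
    vds: str       # vSphere Distributed Switch carrying the TEP traffic
    backing: str   # "DVPG" (vSphere-created) or "NSX_VLAN_SEGMENT" (hypothetical labels)
    tep_vlan: int  # VLAN the TEP traffic uses

def edges_at_risk(edges, hosts, placement):
    """Return sorted (edge, host, vlan) tuples matching the thread's condition.

    placement maps an Edge VM name to the ESXi host it currently runs on.
    """
    host_by_name = {h.node: h for h in hosts}
    findings = []
    for edge in edges:
        host = host_by_name.get(placement.get(edge.node))
        if host is None:
            continue  # Edge is not on a prepared host in this inventory
        if (edge.backing == "DVPG"               # not the trunked NSX segment workaround
                and edge.vds == host.vds         # same vDS as the host TEP
                and edge.tep_vlan == host.tep_vlan):  # shared TEP VLAN
            findings.append((edge.node, host.node, edge.tep_vlan))
    return sorted(findings)

# Constructed sample inventory covering the setups mentioned in the thread.
SAMPLE_HOSTS = [
    TepAttachment("esx-01", "vds-a", "DVPG", 120),
    TepAttachment("esx-02", "vds-a", "DVPG", 120),
]
SAMPLE_EDGES = [
    TepAttachment("edge-01", "vds-a", "DVPG", 120),              # shared VLAN on a DVPG
    TepAttachment("edge-02", "vds-a", "NSX_VLAN_SEGMENT", 120),  # trunked segment workaround
    TepAttachment("edge-03", "vds-a", "DVPG", 130),              # separate Edge TEP VLAN
    TepAttachment("edge-04", "vds-a", "DVPG", 120),              # host absent from inventory
]
SAMPLE_PLACEMENT = {
    "edge-01": "esx-01",
    "edge-02": "esx-01",
    "edge-03": "esx-02",
    "edge-04": "mgmt-esx-09",
}

if __name__ == "__main__":
    for edge, host, vlan in edges_at_risk(SAMPLE_EDGES, SAMPLE_HOSTS, SAMPLE_PLACEMENT):
        print(f"{edge} on {host}: DVPG-backed TEP shares VLAN {vlan} with the host TEP")
```

Placement matters because the condition is between an Edge and the host it resides on, so the check should be rerun against every host an Edge VM could migrate to.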