NSX requirement

No matter the size of the NSX deployment, VMware requires that each NSX Controller cluster contain three controller nodes. Having a different number of controller nodes is not supported.
The cluster requires that each controller's disk storage system has a peak write latency of less than 300ms, and a mean write latency of less than 100ms. If the storage system does not meet these requirements, the cluster can become unstable and cause system downtime.

NSX check

get control-cluster status

show control-cluster status
show control-cluster connections

# nsx-manager
show logical-switch list all
get management-cluster status

All NSX Edge services run on the active appliance. The primary appliance maintains a heartbeat with the standby appliance and sends service updates through an internal interface. If a heartbeat is not received from the primary appliance within the specified time (default value is 15 seconds), the primary appliance is declared dead.
By default when we’re creating a firewall rule in NSX, the “Applied to” field is set to “Distributed Firewall”. The firewall rule will be stored in NSX manager’s database and will be applied to all VMs vNICs, regardless of the VMs location. It’s important to mention that even when dFW rule is applied to all VMs, we still need a match on source/destination to take action on that rules.

#esxcli software vib remove -n epsec-mux

-  ⇤ ← Revision 24 as of 2019-11-03 09:17:59 → 
  Size: 2744
  Editor: merlin
  Comment:
+   ← Revision 25 as of 2019-11-03 09:22:18 → ⇥
  Size: 2941
  Editor: merlin
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 37:
+== Restoring vCenter access after being blocked by a Deny All rule in NSX DFW ==
  * http://www.etgoesvirtual.com/vmware/nsx/restoring-vcenter-access-after-publishing-a-deny-all-rule-in-nsx-dfw/