istio: Envoy proxy is NOT ready: config received from XDS server, but was rejected: lds updates rejected

Hello. I’m fairly new to istio and I’m sorry if this is a stupid question but how do we troubleshoot lds updates rejected errors? TIA!

2022-11-04T14:54:19.083188Z     warn    Envoy proxy is NOT ready: config received from XDS server, but was rejected: cds updates: 57 successful, 0 rejected; lds updates: 0 successful, 57 rejected

Our pods istio-proxy take a while to get ready and have those logs… But it will eventually become ready after a few minutes / hour which will have these logs

...
2022-11-04T13:55:55.133653Z     warn    Envoy proxy is NOT ready: config received from XDS server, but was rejected: cds updates: 1 successful, 0 rejected; lds updates: 0 successful, 1 rejected
...
2022-11-04T15:00:23.082433Z     warn    Envoy proxy is NOT ready: config received from XDS server, but was rejected: cds updates: 57 successful, 0 rejected; lds updates: 0 successful, 57 rejected
2022-11-04T15:00:23.227599Z     info    xdsproxy        connected to upstream XDS server: istiod.istio-system.svc:15012
2022-11-04T15:00:25.084600Z     info    Readiness succeeded in 1h4m56.259455577s
2022-11-04T15:00:25.086189Z     info    Envoy proxy is ready

About this issue

Original URL
State: closed
Created 2 years ago
Comments: 18 (9 by maintainers)

Most upvoted comments

Have a similar issue after upgrading istio from 1.10 to 1.15 version

In istio-proxy logs we see something like:

[libprotobuf WARNING external/com_google_protobuf/src/google/protobuf/text_format.cc:2148] type.googleapis.com/envoy.config.cluster.v3.Cluster: failed to parse contents
2022-12-30T14:15:19.135428Z	warning	envoy config	gRPC config for type.googleapis.com/envoy.config.cluster.v3.Cluster rejected: Unable to unpack as envoy.config.cluster.v3.Cluster: type_url: "type.googleapis.com/envoy.config.cluster.v3.Cluster"
value: "\nKoutbound|9102||some-service.somens.svc.cluster.local\"\002*\004\010\200\200\0020\006R$\n\"\022\006\010\377\377\377\377\017\032\006\010\377\377\377\377\017\"\006\010\377\377\377\377\017*\006\010\377\377\377\377\0170\001\242\001\002\010<\312\001\330\001\n\325\001\n\005istio\022\313\001\n\"\n\025default_original_port\022\t\021\000\000\000\000\000\307\301@\n\244\001\n\010services\022\227\0012\224\001\n\221\001*\216\001\nF\n\004host\022>\032<some-service.somens.svc.cluster.local\n.\n\004name\022&\032$some-service\n\024\n\tnamespace\022\007\032\005somens\332\001\002\032\000\242\002\216\001\n6envoy.extensions.upstreams.http.v3.HttpProtocolOptions\022T\nJtype.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions\022\006\"\004\n\000\022\000\302\002z\n\027istio.metadata_exchange\022_\nFtype.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange\022\025\n\023istio-peer-exchange\020\004"

Does anyone know what those “\nnn” even mean?

also:

2022-12-30T15:26:59.325324Z	warning	envoy config	gRPC config for type.googleapis.com/envoy.config.cluster.v3.Cluster rejected: Proto constraint validation failed (ClusterValidationError.ConnectTimeout: value must be greater than 0s): name: "outbound|8080||some-service-stats.somens.svc.cluster.local"

but we don’t have connectionPool configured in any destinationrule, like https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings

Envoyfilters seem to be fine.

pilot version 1.15.3 istio sidecar version proxyv2:1.15.0

vitalii-buchyn-exa on Dec 30, 2022

Need the full log, it says why it’s rejected

howardjohn on Nov 5, 2022