Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Summary
This article explains how to identify and resolve the VMExtensionError_CniDownloadTimeout error (also known as error code ERR_CNI_DOWNLOAD_TIMEOUT) in Azure Kubernetes Service (AKS) so that you can successfully create and deploy your cluster.
Prerequisites
- The Curl command-line tool
Symptoms
When you try to create a Linux-based AKS cluster, you receive the following error message:
Message: We are unable to serve this request due to an internal error
SubCode: VMExtensionError_CniDownloadTimeout;
Message="VM has reported a failure when processing extension 'vmssCSE'.
Error message: "CSE failed with 'VMExtensionError_CniDownloadTimeout', which means agents are unable to connect to the endpoint that's used to download the container network interface libraries. It's likely that a network virtual appliance is blocking SSL communication or an SSL certificate, please see https://aka.ms/aks/vmextensionerror_cnidownloadtimeout for more information.
Cause
Your cluster nodes can't connect to the endpoint that's used to download the Container Network Interface (CNI) libraries. In most cases, this issue occurs because a network virtual appliance is blocking Secure Sockets Layer (SSL) communication or an SSL certificate.
Solution
Run a Curl command to verify that your nodes can download the binaries:
curl https://acs-mirror.azureedge.net/cni/azure-vnet-cni-linux-amd64-v1.0.25.tgz
curl --fail --ssl https://acs-mirror.azureedge.net/cni/azure-vnet-cni-linux-amd64-v1.0.25.tgz --output /opt/cni/downloads/azure-vnet-cni-linux-amd64-v1.0.25.tgz
If you can't download these files, make sure that traffic is allowed to the downloading endpoint. For more information, see Azure Global required FQDN/application rules.