ESXi host configuration as a Kubernetes Worker Node fails with "A general system error occurred. Error message: context deadline exceeded" and "TLS handshake timeout" during vSphere Kubernetes Service (VKS) deployment. The SVCP VM is unable to send packets to the ESXi host spherelet.
The spherelet logs on the affected ESXi host show TLS timeout errors such as the following:
2026-03-03T17:57:10.629Z No(13) spherelet[2146148]: E0303 17:57:10.629366 2146129 reflector.go:150] k8s.io/client-go/informers/factory.go:154: Failed to watch *v1.Pod: failed to list *v1.Pod: Get "https://##.###.###:6443/api/v1/pods?fieldSelector=spec.nodeName%3D#####&limit=500&resourceVersion=0": net/http: TLS handshake timeout
VMware NSX
vSphere Kubernetes Service (VKS)
Missing Jumbo Frames configuration on the physical network ports backing the NSX Edge TEP VLAN causes large GENEVE-encapsulated frames to be dropped.
Packet captures indicate that a GENEVE-encapsulated ServerHello frame (>1460 bytes) is transmitted with the IPv4 Don't Fragment (DF) bit set.
Due to the lack of Jumbo Frames on the physical Edge TEP VLAN path, the switch drops the frame without returning an ICMP "Fragmentation Needed" response, causing a blackhole and subsequent TLS handshake timeouts.
Validate the MTU configuration on all physical switch ports in the data path for the NSX Edge TEP VLAN.
Configure Jumbo Frames (MTU 9000) on all physical switch ports associated with the Edge TEP VLAN to accommodate GENEVE encapsulation overhead.
Retry the VKS deployment and ESXi worker node configuration.
Note: If a node remains stuck, place the host into maintenance mode, wait a brief period, and exit maintenance mode to re-trigger the configuration.
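One way to carry out the MTU validation step from a Linux host on the Edge TEP VLAN, given as an added example that is not part of the original article or any VMware tooling. It binary-searches the largest DF-set packet that crosses the path and compares it with what GENEVE needs; the function names, the 1500-byte inner MTU and the 50-byte base overhead (options excluded) are assumptions of this example.

```python
import subprocess
import sys

IPV4_ICMP_HEADERS = 28     # 20-byte IPv4 header + 8-byte ICMP echo header
GENEVE_BASE_OVERHEAD = 50  # inner Ethernet 14 + GENEVE 8 + UDP 8 + outer IPv4 20

def geneve_outer_size(inner_ip_len, option_bytes=0):
    """Outer IPv4 packet size once an inner IPv4 packet is GENEVE-encapsulated."""
    return inner_ip_len + GENEVE_BASE_OVERHEAD + option_bytes

def ping_df(host, packet_size, timeout_s=1):
    """Send one echo request of packet_size bytes with DF set (Linux iputils syntax)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
           "-s", str(packet_size - IPV4_ICMP_HEADERS), host]
    done = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return done.returncode == 0

def largest_passing_packet(probe, low=1300, high=9000):
    """Largest IPv4 packet size in [low, high] for which probe(size) is True.

    A switch that drops oversize frames silently returns no ICMP error, so a
    timeout is the only signal; probe() must treat timeout as failure.
    Returns None when even `low` fails (reachability problem, not MTU).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low

def tep_path_ok(path_mtu, inner_mtu=1500, option_bytes=0):
    """True when the underlay carries a full inner packet plus GENEVE overhead."""
    return path_mtu is not None and path_mtu >= geneve_outer_size(inner_mtu, option_bytes)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: tep_mtu_check.py <remote TEP IP>")
    host = sys.argv[1]
    mtu = largest_passing_packet(lambda size: ping_df(host, size))
    print(f"largest DF packet delivered: {mtu} bytes; "
          f"needed for 1500-byte inner MTU: {geneve_outer_size(1500)}; "
          f"path OK: {tep_path_ok(mtu)}")
```

On an ESXi host the equivalent single probe is `vmkping ++netstack=vxlan -d -s <size> <remote TEP IP>`.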