Troubleshoot the VMExtensionProvisioningTimeout error code
This article discusses how to identify and resolve the VMExtensionProvisioningTimeout error that occurs when you try to create and deploy a Microsoft Azure Kubernetes Service (AKS) cluster.
Prerequisites
- Azure CLI, version 2.28.0 or a later version. If Azure CLI is already installed, you can find the version number by running
az --version.
Symptoms
When you try to create an AKS cluster, you receive the following error message:
Failed to reconcile agent pool agentpool0: err: VMSSAgentPoolReconciler retry failed:
Category: InternalError;
SubCode: VMExtensionProvisioningTimeout;
Dependency: Microsoft.Compute/VirtualMachineScaleSet;
OrginalError:
Code="VMExtensionProvisioningTimeout"
Message="Provisioning of VM extension vmssCSE has timed out. Extension provisioning has taken too long to complete. The extension last reported "Plugin enabled".\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionCSELinuxTroubleshoot";
AKSTeam: NodeProvisioning,
Retriable: true
Cause
Several different issues can cause the VMExtensionProvisioningError class of errors. However, the troubleshooting steps are the same for all the issues. Possible causes are as follows:
The custom script extension that provisions the virtual machines (VMs) can't establish a connection to the endpoint that's used for downloading the Kubernetes binaries.
The custom script extension that provisions the VMs can't establish a connection to the endpoint that's used for downloading the CNI binaries.
The custom script extension that provisions the VMs can't establish the required outbound connectivity to obtain packages.
The cluster can't resolve the necessary Domain Name System (DNS) address to correctly provision the node.
The custom script extension that provisions the VMs reached a timeout while running the apt-get update.
Solution
Follow these steps:
If egress filtering is set up on the cluster, see Control egress traffic for cluster nodes in AKS to view the necessary prerequisites, and make sure that your setup meets the prerequisites.
On your DNS servers and firewall, make sure that nothing blocks the resolution of your cluster's fully qualified domain name (FQDN).
Because your custom DNS server might be configured incorrectly, review the following articles if FQDN resolution continues to be blocked:
More information
Contact us for help
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for