Stay organized with collectionsSave and categorize content based on your preferences.
Troubleshoot managed CNI
This page explains common managed CNI problems with Cloud Service Mesh and
how to resolve them. If you need additional assistance, seeGetting support.
Unsupported managed CNI enabled configuration
Managed Cloud Service Mesh with theTRAFFIC_DIRECTORcontrol plane
implementation requires managed CNI and does not support disabling it. You may
see theCNI_CONFIG_UNSUPPORTEDcode in the feature state message if themesh.cloud.google.com/managed-cni-enabledlabel exists but does not have the
valuetruein the control plane revision (CPR) custom resource (CR) or if the
CNI entry in the asm-options configmap exists but does not have the valueon.
To resolve this error message, you must remove any attempts to disable managed
CNI.
Case 1: Remove the managed CNI Enabled label in the CPR CR in the cluster.
apiVersion:v1items:-apiVersion:mesh.cloud.google.com/v1beta1kind:ControlPlaneRevisionmetadata:annotations:mesh.cloud.google.com/proxy:'{"managed":"false"}'creationTimestamp:"2024-02-18T08:13:30Z"generation:1labels:app.kubernetes.io/created-by:mesh.googleapis.commesh.cloud.google.com/managed-cni-enabled:false# Remove the "mesh.cloud.google.com/managed-cni-enabled" labelname:asm-managednamespace:istio-systemresourceVersion:"13422558"uid:3ad755ec-78ab-4d57-8fb9-c5e1a07740d5
Case 2: Remove the CNI entry asm-options configmapASM_OPTSdata string.
apiVersion:v1data:ASM_OPTS:CNI=off# Remove CNI entry in the ASM_OPTS data.multicluster_mode:connectedkind:ConfigMapmetadata:creationTimestamp:"2024-02-18T08:13:30Z"name:asm-optionsnamespace:istio-systemresourceVersion:"1640225"uid:576602da-e60b-4df7-9427-5be06e5bf014
CNI Pod unschedulable
You may see this error if the managed CNI Daemonset cannot schedule Pods in any
one of the nodes in the cluster.
Note that in-cluster resources require at leastmemory: 100Mion each node.
For more information seeCloud Service Mesh requirements.
If your cluster already has sufficient memory allocated, seePod unschedulablefor additional troubleshooting steps.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["Troubleshoot managed CNI\n\nThis page explains common managed CNI problems with Cloud Service Mesh and\nhow to resolve them. If you need additional assistance, see\n[Getting support](/service-mesh/docs/getting-support).\n\nUnsupported managed CNI enabled configuration\n\nManaged Cloud Service Mesh with the `TRAFFIC_DIRECTOR` control plane\nimplementation requires managed CNI and does not support disabling it. You may\nsee the `CNI_CONFIG_UNSUPPORTED` code in the feature state message if the\n`mesh.cloud.google.com/managed-cni-enabled` label exists but does not have the\nvalue `true` in the control plane revision (CPR) custom resource (CR) or if the\nCNI entry in the asm-options configmap exists but does not have the value `on`.\n\nTo resolve this error message, you must remove any attempts to disable managed\nCNI.\n\n- Case 1: Remove the managed CNI Enabled label in the CPR CR in the cluster.\n\n apiVersion: v1\n items:\n - apiVersion: mesh.cloud.google.com/v1beta1\n kind: ControlPlaneRevision\n metadata:\n annotations:\n mesh.cloud.google.com/proxy: '{\"managed\":\"false\"}'\n creationTimestamp: \"2024-02-18T08:13:30Z\"\n generation: 1\n labels:\n app.kubernetes.io/created-by: mesh.googleapis.com\n mesh.cloud.google.com/managed-cni-enabled: false # Remove the \"mesh.cloud.google.com/managed-cni-enabled\" label\n name: asm-managed\n namespace: istio-system\n resourceVersion: \"13422558\"\n uid: 3ad755ec-78ab-4d57-8fb9-c5e1a07740d5\n\n- Case 2: Remove the CNI entry asm-options configmap `ASM_OPTS` data string.\n\n apiVersion: v1\n data:\n ASM_OPTS: CNI=off # Remove CNI entry in the ASM_OPTS data.\n multicluster_mode: connected\n kind: ConfigMap\n metadata:\n creationTimestamp: \"2024-02-18T08:13:30Z\"\n name: asm-options\n namespace: istio-system\n resourceVersion: \"1640225\"\n uid: 576602da-e60b-4df7-9427-5be06e5bf014\n\nCNI Pod unschedulable\n\nYou may see this error if the managed CNI Daemonset cannot schedule Pods in any\none of the nodes in the cluster.\n\nNote that in-cluster resources require at least `memory: 100Mi` on each node.\nFor more information see\n[Cloud Service Mesh requirements](/service-mesh/docs/onboarding/provision-control-plane#requirements).\nIf your cluster already has sufficient memory allocated, see\n[Pod unschedulable](/kubernetes-engine/docs/troubleshooting#PodUnschedulable)\nfor additional troubleshooting steps."]]
