Egress gateway becomes not ready when service entry is added

Hello,

We have ISTIO version 1.3.3 and we run 2 egress deployments and one is configured with

- name: ISTIO_META_REQUESTED_NETWORK_VIEW
  value: external

This works fine but as soon as we add a regular Service Entry, the pods in one of the egress gateways deployments become not ready:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: example
  namespace: istio-system
spec:
  exportTo:
  - '.'
  hosts:
  - 'example.com'
  location: MESH_EXTERNAL
  ports:
  - name: https
    number: 443
    protocol: TLS
  resolution: DNS

The following can be seen on the output as soon as we re-create the egress gateway pods:

 info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 4 successful, 0 rejected; lds updates: 0 successful, 0 rejected
 info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 4 successful, 0 rejected; lds updates: 0 successful, 0 rejected
 info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 4 successful, 0 rejected; lds updates: 0 successful, 0 rejected

Logs in Trace mode do not show any useful information.

As soon as the service entry is removed, the pods become ready:

 ][17][info][main] [external/envoy/source/server/server.cc:541] all clusters initialized. initializing init manager
 [17][info][upstream] [external/envoy/source/server/lds_api.cc:60] lds: add/update listener '0.0.0.0_15443'
 [17][info][config] [external/envoy/source/server/listener_manager_impl.cc:777] all dependencies initialized. starting workers
 info    Envoy proxy is ready

We also observed that if this service entry is not exposed to istio-system then the problem doesn’t occur.

The problem also goes away if we change the resolution to something other than “DNS”

Any ideas on what else to check and tweak?

Thanks