Sidecar injection partially working

Hi,

i have a simple cluster with 3 masters and 2 worker nodes, and i have enabled automatic sidecar injection in some of the namespaces. If i deploy an application then the injection is not working on the worker node where istiod runs, but works on the other worker node. Any idea what could cause this or how i could investigate it? I see the following error messages in the istio-proxy container on the working node and on the non-working node…

non working:
2021-09-21T08:26:30.027820Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected

9/21/2021 10:26:30 AM 2021-09-21T08:26:30.119232Z warn ca ca request failed, starting attempt 2 in 181.53978ms

9/21/2021 10:26:30 AM 2021-09-21T08:26:30.301004Z warn ca ca request failed, starting attempt 3 in 383.361528ms

9/21/2021 10:26:30 AM 2021-09-21T08:26:30.684655Z warn ca ca request failed, starting attempt 4 in 729.187635ms

9/21/2021 10:26:31 AM 2021-09-21T08:26:31.414179Z warn sds failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unavailable desc = connection error: desc = “transport: Error while dialing dial tcp 10.43.54.97:15012: i/o timeout”

9/21/2021 10:26:31 AM 2021-09-21T08:26:31.720153Z warn ca ca request failed, starting attempt 1 in 97.396333ms

9/21/2021 10:26:31 AM 2021-09-21T08:26:31.817786Z warn ca ca request failed, starting attempt 2 in 201.303555ms

9/21/2021 10:26:32 AM 2021-09-21T08:26:32.019258Z warn ca ca request failed, starting attempt 3 in 417.970541ms

9/21/2021 10:26:32 AM 2021-09-21T08:26:32.028152Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected

9/21/2021 10:26:34 AM 2021-09-21T08:26:34.028075Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected

9/21/2021 10:26:36 AM 2021-09-21T08:26:36.027803Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected

9/21/2021 10:26:38 AM 2021-09-21T08:26:38.027759Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected

9/21/2021 10:26:40 AM

working:

2021-09-21T06:09:22.061881Z warning envoy config StreamAggregatedResources gRPC config stream closed: 0,
2021-09-21T06:09:22.544236Z info xdsproxy connected to upstream XDS server: istiod.istio-system.svc:15012
2021-09-21T06:41:38.827001Z warning envoy config StreamAggregatedResources gRPC config stream closed: 0,
2021-09-21T06:41:39.181322Z info xdsproxy connected to upstream XDS server: istiod.istio-system.svc:15012
2021-09-21T07:10:58.202346Z warning envoy config StreamAggregatedResources gRPC config stream closed: 0,
2021-09-21T07:10:58.531760Z info xdsproxy connected to upstream XDS server: istiod.istio-system.svc:15012
2021-09-21T07:42:40.851021Z warning envoy config StreamAggregatedResources gRPC config stream closed: 0,
2021-09-21T07:42:41.081856Z info xdsproxy connected to upstream XDS server: istiod.istio-system.svc:15012

Connectivity check:
working container:
istio-proxy@sleep-5dbff8dbd4-c9jz8:/$ nc -v -w 2 istiod.istio-system.svc 15012
istiod.istio-system.svc.cluster.local [10.43.54.97] 15012 (?) open

not working container:
istio-proxy@sleep-58bb86d655-7r7sh:/$ nc -v -w 2 istiod.istio-system.svc 15012
istiod.istio-system.svc.cluster.local [10.43.54.97] 15012 (?) : Connection timed out

regards
Zoltan