Typha synchronization errors occur when calico-node cannot connect to the Typha service. Common causes include service discovery failures, TLS certificate issues, and network connectivity problems.
Typha is Calico's intermediate data store that syncs API server state to all calico-node instances. When calico-node cannot connect to Typha, it cannot receive policy and network configuration updates, leaving the node unable to properly enforce network policies and route traffic.
Verify Typha is running and has endpoints:
kubectl get deployment -n calico-system calico-typha
kubectl get endpoints -n calico-system calico-typha
kubectl describe svc calico-typha -n calico-system
Review Typha logs for configuration or startup issues:
kubectl logs -n calico-system -l k8s-app=calico-typha --tail=50
Look for certificate errors, API server connectivity issues, or port conflicts.
From a calico-node pod, test connectivity to Typha:
kubectl exec -it -n calico-system ds/calico-node -- \
nc -zv calico-typha.calico-system.svc.cluster.local 5473
If the connection fails, check firewall and network policies.
Ensure network policies allow calico-node to reach Typha:
calicoctl get networkpolicy -o yaml | grep -A 10 "to:"
Allow port 5473 from kube-system namespace to calico-system.
Check certificate-related secrets and ConfigMaps:
kubectl get secret -n calico-system | grep -i tls
kubectl get configmap -n calico-system calico-config -o yaml
Verify certificate paths and CA bundles are correct.
Typha needs to query the API server. Verify connectivity:
kubectl exec -it -n calico-system deployment/calico-typha -- \
curl -k https://kubernetes.default.svc.cluster.local:443
Ensure Typha has enough replicas for redundancy:
kubectl scale deployment -n calico-system calico-typha --replicas=3
kubectl rollout status deployment/calico-typha -n calico-system
Force full restart to reconnect:
kubectl rollout restart deployment/calico-typha -n calico-system
kubectl rollout restart daemonset/calico-node -n calico-system
kubectl rollout status daemonset/calico-node -n calico-system
For production, run Typha with multiple replicas (minimum 3) and ensure they are spread across different nodes. Monitor Typha pod status continuously. For large clusters (100+ nodes), Typha reduces load on the API server significantly. Ensure TLS certificates used by Typha are not in rotation workflows that could cause immediate disconnections. Set connection timeout thresholds appropriately for your network latency characteristics.
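To decide which of the checks above to run first, the following added example (not part of the original page or of Calico) tallies connection errors from collected log text by cause and prints the matching check. The function names, the match strings and the sample log lines are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: sort connection errors into the three cause groups named above.
# Match strings are common resolver, socket and TLS error text (an assumption),
# not strings taken from Calico's source.

classify_line() {
  l=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # case-insensitive match
  case "$l" in
    *"no such host"*|*"bad address"*|*"name or service not known"*) echo discovery ;;
    *x509*|*certificate*|*"tls:"*|*handshake*) echo tls ;;
    *"connection refused"*|*"timed out"*|*"i/o timeout"*|*"no route to host"*) echo network ;;
    *) echo other ;;
  esac
}

# Read log text on stdin; print "<cause> <count>", most frequent cause first.
triage() {
  while IFS= read -r line; do
    if [ -n "$line" ]; then classify_line "$line"; fi
  done | sort | uniq -c | sort -k1,1nr -k2 | awk '{print $2, $1}'
}

# Map a cause to the matching check from this page.
next_step() {
  case "$1" in
    discovery) echo "kubectl get endpoints -n calico-system calico-typha" ;;
    tls)       echo "kubectl get secret -n calico-system | grep -i tls" ;;
    network)   echo "kubectl exec -it -n calico-system ds/calico-node -- nc -zv calico-typha.calico-system.svc.cluster.local 5473" ;;
    *)         echo "kubectl logs -n calico-system deployment/calico-typha --tail=50" ;;
  esac
}

# Constructed sample lines (not real calico-node output; the IP is made up).
sample_log() {
  cat <<'EOF'
2024-01-01 00:00:01 [WARNING] Failed to connect to Typha: x509: certificate signed by unknown authority
2024-01-01 00:00:02 [WARNING] Failed to connect to Typha: x509: certificate has expired
2024-01-01 00:00:03 [WARNING] dial tcp 10.96.0.20:5473: connect: connection refused
2024-01-01 00:00:04 [INFO] Starting sync
2024-01-01 00:00:05 [WARNING] remote error: tls: bad certificate
EOF
}

# Report the dominant cause and the check to run first (log text on stdin).
report() {
  top=$(triage | head -n 1)
  echo "top cause: $top -> $(next_step "${top%% *}")"
}
if [ "${1:-}" = "--demo" ]; then sample_log | report; fi
```

Pipe real log output into `report` in place of `sample_log` once the match strings have been checked against what your cluster actually logs.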